Cybersecurity researchers have uncovered an attack campaign in which intruders who break in through a critical Apache ActiveMQ vulnerability take the unusual step of patching that same flaw once they have a foothold on the victim system.
The Red Canary Threat Intelligence team observed this counterintuitive behavior across dozens of compromised cloud-based Linux servers, and reads it as a deliberate effort to keep exclusive control of the breached hosts.
The attacks target CVE-2023-46604, a critical remote code execution vulnerability in Apache ActiveMQ, a widely used open source message broker.
| Field | Details |
|---|---|
| CVE ID | CVE-2023-46604 |
| Published Date | October 27, 2023 |
| Last Modified | December 28, 2023 |
| CVSS 3.1 Base Score | 10.0 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Despite being nearly two years old, the vulnerability still carries an EPSS score of 94.44 percent, meaning the model rates the probability of exploitation activity over the next 30 days as very high, which keeps it an attractive target for cybercriminals.
Red Canary's investigation revealed a multi-stage intrusion rather than a single exploit-and-run.
After the initial ActiveMQ exploit, the attackers deployed command-and-control tooling, including Sliver implants and Cloudflare Tunnel, to keep access to the host.
In several instances, the adversaries modified the sshd configuration to permit root login over SSH (the PermitRootLogin directive), giving them a privileged and durable way back into the system that does not depend on the ActiveMQ bug.
The campaign introduced a previously unknown malware strain dubbed "DripDropper," a PyInstaller-packaged executable whose payload is encrypted and only runs when supplied a password, which hampers sandbox and analyst execution.
The tool talks to adversary-controlled Dropbox accounts, authenticating with hardcoded bearer tokens; routing C2 over a legitimate cloud service lets the traffic blend into ordinary HTTPS connections to a trusted domain.
DripDropper writes two malicious files to the compromised system. The first performs several functions, including process monitoring and establishing persistence through cron job modifications.
The second file, which gets a randomly generated eight-character name, modifies the SSH configuration and prepares the system for additional persistence mechanisms.
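The SSH changes described above are worth checking for in a way that understands how sshd actually reads its configuration, because whether a tampered line takes effect depends on where it lands. The following audit script is an added example written for this article, not Red Canary's tooling or anything from the DripDropper samples. It parses sshd_config with the rules that matter for tamper detection (first value wins, `Include` files are read in place, `Match` blocks are conditional), compares the effective settings against a hardening baseline, and also reports shadowed directives that sshd ignores but that somebody nonetheless wrote. The POLICY baseline, the file paths and the three tampering scenarios are constructed assumptions.

```python
"""Audit sshd configuration for the changes DripDropper-style intrusions make
(root login permitted, password auth re-enabled), honouring the sshd_config
rules that decide whether a tampered line actually takes effect:
  * keywords are case-insensitive and the FIRST value obtained wins;
  * `Include` is expanded in place, so a drop-in under sshd_config.d/ that is
    included near the top of the file overrides the main file's later lines;
  * settings inside a `Match` block are conditional and reported separately.
Example code added for this article; not Red Canary's tooling.
"""
import re
from fnmatch import fnmatch

# Hardening baseline used by this example (an assumption, not from the report).
POLICY = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
# What sshd applies when a keyword is absent (OpenSSH 7.0+ defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}
DIRECTIVE = re.compile(r"([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*)")


def parse_sshd_config(files, start="/etc/ssh/sshd_config"):
    """Return (effective, shadowed, match_blocks).

    files        -- {path: text}; constructed in memory here so the parser runs
                    offline (on a host, read the files or compare with `sshd -T`)
    effective    -- keyword -> first value seen, i.e. what sshd applies
    shadowed     -- [(path, keyword, value)] later duplicates that sshd ignores
    match_blocks -- [(criteria, {keyword: value})] conditional settings
    """
    effective, shadowed, match_blocks = {}, [], []
    _walk(files, start, effective, shadowed, match_blocks, set())
    return effective, shadowed, match_blocks


def _walk(files, path, effective, shadowed, match_blocks, seen):
    if path in seen:                      # guard against Include loops
        return
    seen.add(path)
    current_match = None
    for raw in files.get(path, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue                      # malformed; sshd would refuse to start
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current_match = {}
            match_blocks.append((value, current_match))
        elif key == "include":
            # glob expansion, sorted like glob(3); Include inside Match is not modelled
            for pattern in value.split():
                for inc in sorted(p for p in files if fnmatch(p, pattern)):
                    _walk(files, inc, effective, shadowed, match_blocks, seen)
        elif current_match is not None:
            current_match.setdefault(key, value)
        elif key in effective:
            shadowed.append((path, key, value))   # an earlier value already won
        else:
            effective[key] = value


def audit(files, start="/etc/ssh/sshd_config"):
    """Return a list of findings; an empty list means the config meets POLICY."""
    effective, shadowed, match_blocks = parse_sshd_config(files, start)
    findings = []
    for key, allowed in POLICY.items():
        value = effective.get(key, DEFAULTS[key]).lower()
        if value not in allowed:
            findings.append(f"effective {key}={value} violates policy")
    for criteria, settings in match_blocks:
        for key, allowed in POLICY.items():
            if key in settings and settings[key].lower() not in allowed:
                findings.append(f"Match {criteria}: {key}={settings[key]} violates policy")
    for path, key, value in shadowed:
        if key in POLICY and value.lower() not in POLICY[key]:
            findings.append(f"shadowed {key}={value} in {path}: ignored by sshd, but someone wrote it")
    return findings


# Constructed sample configurations (not taken from a real host).
KNOWN_GOOD = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PermitRootLogin no\n"
        "PasswordAuthentication no\n"
        "PubkeyAuthentication yes\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication no\n",
}
# 1. Line appended to the main file: sshd ignores it, but it is still evidence.
APPENDED = dict(KNOWN_GOOD)
APPENDED["/etc/ssh/sshd_config"] += "PermitRootLogin yes\n"
# 2. Drop-in in the Include directory: read before the main file's lines, so it wins.
DROPIN = dict(KNOWN_GOOD)
DROPIN["/etc/ssh/sshd_config.d/00-evil.conf"] = "PermitRootLogin yes\nPasswordAuthentication yes\n"
# 3. Existing line edited in place (the sed-style change): also wins.
EDITED = dict(KNOWN_GOOD)
EDITED["/etc/ssh/sshd_config"] = KNOWN_GOOD["/etc/ssh/sshd_config"].replace(
    "PermitRootLogin no", "PermitRootLogin yes")

if __name__ == "__main__":
    for label, cfg in [("known good", KNOWN_GOOD), ("appended", APPENDED),
                       ("drop-in", DROPIN), ("edited", EDITED)]:
        print(f"{label}: {audit(cfg) or 'OK'}")
```

The three scenarios show why a grep for `PermitRootLogin yes` is not enough on its own: the appended line is harmless to sshd but still an indicator, while the drop-in file and the in-place edit both change the effective setting. On a live host, `sshd -T` prints the effective configuration and is the authoritative comparison point; the parser here exists so the logic can be run offline against collected files.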
In a striking tactical move, the attackers downloaded legitimate ActiveMQ JAR files from Apache Maven repositories and used them to patch CVE-2023-46604 on the systems they had already compromised.
The unusual step serves two purposes: the exposed broker stops showing up as vulnerable in the victim's vulnerability scans, and competing threat actors can no longer use the same flaw to get in.
“It’s a great way to potentially lock out other adversaries, ensuring their foothold remains exclusive,” security researchers noted.
This technique has been observed with other critical vulnerabilities, highlighting an emerging trend in advanced persistent threats.
The campaign underscores the persistent risks facing cloud Linux infrastructure. CVE-2023-46604 continues to be used to deploy a range of malware families, including TellYouThePass, RansomHub and HelloKitty ransomware and Kinsing cryptominers.
The vulnerability’s continued exploitation demonstrates how legacy flaws remain dangerous attack vectors in rapidly expanding cloud environments.
Security experts emphasize that a clean vulnerability scan does not prove a system is secure, particularly when adversaries patch the hole behind themselves after exploiting it.
Organizations must pair scanning with comprehensive monitoring, policy-based SSH management (configuration management that enforces sshd settings and alerts on drift), and patch verification that confirms who applied a fix and when, not merely that the vulnerable version is gone.
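The adversary-applied patch described earlier and the patch-verification advice above both come down to the same question: does the ActiveMQ installation look like a clean upgrade, or like a few JARs swapped out by hand? The script below is an added example written for this article, not Red Canary's or Apache's tooling. It reads the version of each ActiveMQ artifact in a lib/ directory from both the file name and the JAR manifest, checks it against the releases that fixed CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6 and 5.18.3; all 6.x releases postdate the fix), and flags renamed JARs and mixed version sets. Assumptions: the manifest carries a Bundle-Version or Implementation-Version header, the sample lib/ contents are constructed in memory, and the choice of which two JARs the attackers replaced in the TAMPERED sample is an illustration, not a detail taken from the article.

```python
"""Check an ActiveMQ lib/ directory for CVE-2023-46604 exposure and for the
out-of-band patching described in the article: a few JARs replaced with newer
builds while the rest of the distribution stays at the old version.
Example code added for this article; not Red Canary's or Apache's tooling.
"""
import io
import re
import zipfile

# Releases that fixed CVE-2023-46604 in each 5.x branch; every 6.x release postdates the fix.
FIXED_IN = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7), (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}
FILENAME = re.compile(r"^activemq-[a-z0-9-]+?-(\d+(?:\.\d+)+)\.jar$")
# Manifest headers that may carry the version (assumption: ActiveMQ jars are OSGi
# bundles, so Bundle-Version is the usual one; Implementation-Version is a fallback).
MANIFEST_VERSION = re.compile(r"^(?:Bundle-Version|Implementation-Version):\s*(\d+(?:\.\d+)*)", re.M)


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def is_vulnerable(version):
    """True if this ActiveMQ version predates the fix for CVE-2023-46604."""
    if version[0] >= 6:
        return False
    if version[0] < 5 or version[1] < 15:
        return True                     # branches before 5.15 never received a fix
    fixed = FIXED_IN.get(version[:2])
    return fixed is not None and version < fixed   # unknown newer branch: treated as fixed


def jar_versions(name, data):
    """Return (filename_version, manifest_version); both None for non-ActiveMQ jars."""
    m = FILENAME.match(name)
    if not m:
        return None, None
    fname_v = parse_version(m.group(1))
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return fname_v, None
    mv = MANIFEST_VERSION.search(manifest)
    return fname_v, (parse_version(mv.group(1)) if mv else None)


def assess(lib):
    """lib: {filename: jar bytes}. Report vulnerable jars, renamed jars and mixed versions."""
    report = {"artifacts": {}, "vulnerable": [], "renamed": [], "versions": set()}
    for name, data in sorted(lib.items()):
        fname_v, manifest_v = jar_versions(name, data)
        if fname_v is None:
            continue
        version = manifest_v or fname_v     # trust the manifest over the file name
        report["artifacts"][name] = version
        report["versions"].add(version)
        if manifest_v is not None and manifest_v != fname_v:
            report["renamed"].append(name)  # name says one version, contents another
        if is_vulnerable(version):
            report["vulnerable"].append(name)
    # A clean upgrade replaces the whole distribution; several versions in one lib/
    # means individual jars were swapped, which is what the attackers did here.
    report["mixed_versions"] = len(report["versions"]) > 1
    return report


def make_jar(bundle_version):
    """Build a minimal in-memory jar holding only a manifest (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nBundle-Version: {bundle_version}\n")
    return buf.getvalue()


# Constructed lib/ directories. TAMPERED illustrates the reported behaviour: two jars
# replaced with 5.18.3 builds from Maven while the rest of the install stays at 5.18.2
# (which jars were swapped is an assumption for the example).
TAMPERED = {
    "activemq-broker-5.18.2.jar": make_jar("5.18.2"),
    "activemq-client-5.18.3.jar": make_jar("5.18.3"),
    "activemq-openwire-legacy-5.18.3.jar": make_jar("5.18.3"),
    "activemq-kahadb-store-5.18.2.jar": make_jar("5.18.2"),
    "hawtbuf-1.11.jar": make_jar("1.11"),      # third-party jar, ignored
}
CLEAN = {name.replace("5.18.2", "5.18.3"): make_jar("5.18.3")
         for name in TAMPERED if name.startswith("activemq-")}

if __name__ == "__main__":
    for label, lib in [("tampered", TAMPERED), ("clean upgrade", CLEAN)]:
        r = assess(lib)
        print(f"{label}: vulnerable={r['vulnerable']} mixed_versions={r['mixed_versions']} "
              f"renamed={r['renamed']}")
```

A scanner that keys on the version of one artifact reports the TAMPERED directory as fixed; this check reports it as a mixed 5.18.2/5.18.3 set with two artifacts still at a pre-fix version, which is the cue to ask who performed the upgrade. On a real host, point it at `$ACTIVEMQ_HOME/lib`, and add what the in-memory sample cannot show: file modification times compared against change records, and package-manager verification (`rpm -V`, `dpkg --verify`) where ActiveMQ was installed from packages.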
The campaign highlights how adversaries increasingly target Linux systems as cloud adoption accelerates across enterprise environments.