A sophisticated campaign has been uncovered in which adversaries exploit CVE-2023-46604, a critical remote code execution vulnerability in Apache ActiveMQ, to compromise cloud-based Linux systems.
In this case, attackers are patching the very vulnerability they exploited to maintain exclusive access and evade detection, demonstrating advanced operational security practices typically reserved for nation-state actors.
Key Takeaways
1. Attackers exploit an Apache ActiveMQ vulnerability for remote access to cloud Linux systems.
2. Hackers patch the vulnerability after compromise to prevent detection.
3. New malware uses Dropbox for C2 and modifies SSH for persistent backdoor access.
New ‘DripDropper’ Malware Deployed
The campaign targets Apache ActiveMQ, a widely used open source message broker written in Java, leveraging CVE-2023-46604 to execute arbitrary code on vulnerable systems.
Red Canary observed adversaries running discovery commands across dozens of cloud-based Linux endpoints; the vulnerability carries a 94.44 percent likelihood of exploitation according to its EPSS score.
Security researchers have previously documented this vulnerability being exploited to deploy various malware families, including TellYouThePass, Ransomhub, HelloKitty ransomware, and Kinsing cryptocurrency miners.
After gaining initial access, the attackers deploy sophisticated command and control infrastructure using legitimate tools like Sliver implants and Cloudflare Tunnels to maintain persistent access.
The adversaries modify SSH daemon configurations by enabling root login access, which is typically disabled by default in modern Linux distributions, granting them the highest level of system privileges.
The threat actors deploy a previously unknown malware strain dubbed “DripDropper,” described as an encrypted PyInstaller ELF (Executable and Linkable Format) file that requires a password to execute, hindering automated sandbox analysis.
DripDropper communicates with adversary-controlled Dropbox accounts using hardcoded bearer tokens, leveraging legitimate cloud services to blend malicious traffic with normal network activity.
The malware establishes persistence by modifying the 0anacron file in /etc/cron.*/ directories and creates two additional malicious files with randomized eight-character alphabetical names.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Apache ActiveMQ (open source message broker) |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | Network access to vulnerable ActiveMQ service |
| CVSS 3.1 Score | 9.8 (Critical) |
These secondary payloads alter SSH configuration files and modify the default login shell for the ‘games’ user account to /bin/sh, preparing the system for sustained remote access.
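The host-level changes described above (root login enabled in sshd_config, a usable shell on the 'games' account, and eight-letter random filenames alongside 0anacron in the cron directories) can be checked for with a small audit script. The following is an added example written for this article, not code from Red Canary or the original report; the sshd_config, passwd and cron listing it inspects are constructed samples, and the eight-letter filename rule is a heuristic that yields candidates for review rather than confirmed malware.

```python
import re

# Constructed sample artefacts (not taken from a real host) that mirror
# the persistence changes the report describes.
SSHD_CONFIG = """Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
# Constructed name-only listing of /etc/cron.daily.
CRON_DAILY = ["0anacron", "apt-compat", "logrotate", "qwertyuz", "man-db"]

SAFE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")  # eight letters, no digits/dashes

def sshd_findings(config_text):
    """Flag uncommented PermitRootLogin directives that are set to yes."""
    hits = []
    for line in config_text.splitlines():
        parts = line.strip().split()
        if parts and not parts[0].startswith("#") and len(parts) >= 2 \
                and parts[0].lower() == "permitrootlogin" and parts[1].lower() == "yes":
            hits.append("sshd_config: PermitRootLogin yes")
    return hits

def passwd_findings(passwd_text):
    """Flag non-root system accounts (uid < 1000) that have a usable login shell."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        if 0 < uid < 1000 and shell not in SAFE_SHELLS:
            hits.append(f"passwd: system account {user} has shell {shell}")
    return hits

def cron_findings(dirname, names):
    """Flag random-looking eight-letter entry names in a cron directory."""
    return [f"{dirname}: suspicious entry {n}" for n in names if RANDOM_NAME.match(n)]

def audit(config_text, passwd_text, cron_dirs):
    """Combine all checks; cron_dirs maps a directory path to its entry names."""
    findings = sshd_findings(config_text) + passwd_findings(passwd_text)
    for dirname, names in cron_dirs.items():
        findings += cron_findings(dirname, names)
    return findings

if __name__ == "__main__":
    for finding in audit(SSHD_CONFIG, PASSWD, {"/etc/cron.daily": CRON_DAILY}):
        print(finding)
```

Modification of the 0anacron file itself is not visible from its name; verify it against the owning package's recorded file hashes with the distribution's package manager.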
Most notably, the attackers download legitimate Apache ActiveMQ JAR files from repo1[.]maven[.]org and replace the vulnerable components, effectively patching CVE-2023-46604 after exploitation.
This technique prevents other adversaries from exploiting the same vulnerability and reduces the likelihood of detection through vulnerability scanners, ensuring their exclusive control over compromised systems.
Organizations must implement comprehensive security strategies that go beyond traditional vulnerability management, including robust logging, configuration monitoring, and the principle of least privilege across their Linux and cloud environments.