Threat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware called DripDropper.
But in an unusual twist, the unknown attackers have been observed patching the exploited vulnerability after securing initial access to prevent further exploitation by other adversaries and evade detection, Red Canary said in a report shared with The Hacker News.
“Follow-on adversary command-and-control (C2) tools varied by endpoint and included Sliver, and Cloudflare Tunnels to maintain covert command and control over the long term,” researchers Christina Johns, Chris Brook, and Tyler Edmonds said.
The attacks exploit a maximum-severity security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0), a remote code execution vulnerability that could be exploited to run arbitrary shell commands. It was addressed in late October 2023.
The security defect has since come under heavy exploitation, with multiple threat actors leveraging it to deploy a wide range of payloads, including HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and Godzilla web shell.
In the attack activity detected by Red Canary, the threat actors have been observed leveraging the access to modify existing sshd configurations to enable root login, granting them elevated access to drop a previously unknown downloader dubbed DripDropper.
A PyInstaller Executable and Linkable Format (ELF) binary, DripDropper requires a password to run in a bid to resist analysis. It also communicated with an attacker-controlled Dropbox account, once again illustrating how threat actors are increasingly relying on legitimate services to blend in with regular network activity and sidestep detection.
The downloader ultimately serves as a conduit for two files, one of which facilitates a varied set of actions on different endpoints, ranging from process monitoring to contacting Dropbox for further instructions. Persistence of the dropped file is achieved by modifying the 0anacron file present in /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly directories.
The second file dropped by DripDropper is also designed to contact Dropbox for receiving commands, while also altering existing configuration files related to SSH, likely as a backup mechanism for persistent access. The final stage entails the attacker downloading from Apache Maven patches for CVE-2023-46604, effectively plugging the flaw.
“Patching the vulnerability does not disrupt their operations as they already established other persistence mechanisms for continued access,” the researchers said.
While certainly rare, the technique is not new. Last month, France’s national cybersecurity agency ANSSI detailed a China-nexus initial access broker employing the same approach to secure access to systems and prevent other threat actors from using the shortcomings to get in and mask the initial access vector used in the first place.
The campaign offers a timely reminder for why organizations need to apply patches in a timely fashion, limit access to internal services by configuring ingress rules to trusted IP addresses or VPNs, and monitor logging for cloud environments to flag anomalous activity.
