Malicious actors are exploiting a two-year-old critical vulnerability in the Apache ActiveMQ message broker to breach cloud-based Linux systems. Interestingly, the attackers then patch the compromised system, likely to minimize detection by security products such as vulnerability scanners and to block other malicious actors from using the same flaw.
According to a report by cybersecurity firm Red Canary, the attackers are targeting CVE-2023-46604, a remote code execution vulnerability patched in October 2023 that allows arbitrary command execution.
Once inside, the threat actors deploy a new malware strain dubbed DripDropper, a downloader that uses Dropbox as its command-and-control (C2) infrastructure.
“Follow-on adversary command-and-control (C2) tools varied by endpoint and included Sliver and Cloudflare Tunnels to maintain covert command and control over the long term,” the report notes.
DripDropper is deployed after the attackers modify sshd configurations to enable root login. The malware, a PyInstaller ELF binary, requires a password to execute.
Once running, DripDropper downloads two payloads. One enables various endpoint-specific functions, including process monitoring and Dropbox communication. The other maintains persistence by modifying cron jobs and SSH configurations.
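As an added defender-side illustration (not code from Red Canary's report or from the malware itself), the following Python audit reads an sshd_config and a root crontab and flags the two changes described above: root login enabled over SSH, and cron entries that launch programs from world-writable directories. The file contents are constructed samples, and the parser assumes the whitespace key/value sshd syntax with no Match blocks.

```python
"""Audit sshd_config and crontab text for post-exploitation changes.
Both inputs below are constructed samples, not artifacts from any incident."""
import re

SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# A later duplicate directive is ignored by sshd: the first occurrence wins
PermitRootLogin no
"""

ROOT_CRONTAB = """\
0 3 * * * /usr/bin/apt-get update -q
*/5 * * * * /tmp/.cache/sync >/dev/null 2>&1
@reboot /var/tmp/.X11/agent
"""

# Directories from which a legitimate root cron job rarely runs a binary.
SUSPICIOUS_CRON_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def effective_sshd_settings(text):
    """Map each directive (lower-cased) to the value sshd will actually use.
    sshd applies the FIRST occurrence of a keyword, so appending a safe
    'PermitRootLogin no' after an attacker's 'yes' does not undo the change.
    Assumption: no Match blocks; parsing stops if one is encountered."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # first occurrence is authoritative
    return settings


def sshd_findings(text):
    """Return a list of findings; only 'PermitRootLogin yes' is flagged here."""
    settings = effective_sshd_settings(text)
    root = settings.get("permitrootlogin", "prohibit-password")
    return ["PermitRootLogin " + root] if root == "yes" else []


def cron_findings(text):
    """Return cron commands whose program lives in a world-writable directory."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                      # skip comments and VAR=value lines
        fields = line.split()
        command = fields[1:] if fields[0].startswith("@") else fields[5:]
        if command and command[0].startswith(SUSPICIOUS_CRON_DIRS):
            findings.append(" ".join(command))
    return findings


if __name__ == "__main__":
    for finding in sshd_findings(SSHD_CONFIG) + cron_findings(ROOT_CRONTAB):
        print("FINDING:", finding)
```

On a live host, feed it the real /etc/ssh/sshd_config and the output of `crontab -l -u root`, and remember that a patched ActiveMQ says nothing about whether these persistence changes are still in place.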
Finally, the attackers retrieve a patch for CVE-2023-46604 from Apache Maven repositories and apply it, closing the initial entry point behind them.
“Adversaries have employed this technique with other CVEs. Patching the vulnerability does not disrupt their operations as they already established other persistence mechanisms for continued access,” the researchers said.