Apache ActiveMQ exploit allows DripDropper installation on Linux cloud systems
Threat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware known as DripDropper. In a surprising twist, these unknown attackers have been observed patching the exploited vulnerability after securing initial access, thereby preventing further exploitation by other adversaries and evading detection, according to a report by Red Canary shared with The Hacker News. The attacks leverage a maximum-severity security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0), a remote code execution vulnerability that allows for the execution of arbitrary shell commands. This flaw was addressed in late October 2023, but it has since been heavily exploited by multiple threat actors deploying a variety of payloads, including HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and Godzilla web shell.
In the detected attack activity, the threat actors modified existing SSH daemon configurations to enable root login, granting them elevated access to deploy the previously unknown downloader, DripDropper. This downloader, a PyInstaller Executable and Linkable Format (ELF) binary, requires a password to run, making it resistant to analysis. It communicates with an attacker-controlled Dropbox account, illustrating how threat actors increasingly rely on legitimate services to blend in with regular network activity and avoid detection. The downloader delivers two files. The first carries out a range of actions that vary by endpoint, including process monitoring and contacting Dropbox for further instructions; it achieves persistence by modifying the 0anacron file in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly directories. The second file also contacts Dropbox for commands and alters existing SSH configuration files, likely as a backup means of persistent access. Ultimately, the attackers download patches for CVE-2023-46604 from Apache Maven, effectively closing the vulnerability while maintaining their operations through the persistence mechanisms they have established.
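The two host-level changes the article attributes to this intrusion, an sshd configuration that permits root login and modified 0anacron stubs in the four cron directories, are both auditable without any indicator from the malware itself. The following script is an added example written for this page, not code from the article, Red Canary, or the malware. It assumes a Linux host with coreutils (`sha256sum`) and `awk`; the path prefix argument is an assumption added so the same functions can be pointed at a mounted disk image or a test tree instead of the live root.

```shell
#!/bin/sh
# Added defensive checks (not from the article): audit an sshd_config for an
# effective "PermitRootLogin yes" and compare the /etc/cron.*/0anacron stubs
# against a baseline recorded on a known-clean system.

# Print the effective global PermitRootLogin value from an sshd_config.
# sshd honours the first occurrence of a directive, and directives inside a
# Match block apply only to matching connections, so stop at the first Match.
# An absent directive means the OpenSSH default, prohibit-password.
# Files pulled in via Include are not followed by this check.
sshd_root_login_value() {
    cfg="${1:-/etc/ssh/sshd_config}"
    v=$(awk 'tolower($1) == "match" { exit }
             tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$cfg")
    printf '%s\n' "${v:-prohibit-password}"
}

# Succeed (exit 0) when the config enables full root login, the change the
# article describes. Key-only root login (prohibit-password) is not flagged.
sshd_permits_root_login() {
    [ "$(sshd_root_login_value "$1")" = "yes" ]
}

# Record the sha256 of each 0anacron stub under $root (empty = live host),
# keyed by the host-relative path so a baseline taken on a clean reference
# build with the same package versions is portable to other hosts.
anacron_baseline() {
    root="${1:-}"
    for d in hourly daily weekly monthly; do
        f="$root/etc/cron.$d/0anacron"
        [ -f "$f" ] || continue
        printf '%s  /etc/cron.%s/0anacron\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$d"
    done
}

# Print one line per deviation from the baseline: MODIFIED (hash differs),
# UNEXPECTED (stub present but not in baseline), MISSING (baseline expects it).
anacron_stub_changes() {
    root="${1:-}"
    baseline="$2"
    for d in hourly daily weekly monthly; do
        f="$root/etc/cron.$d/0anacron"
        expected=$(awk -v p="/etc/cron.$d/0anacron" '$2 == p { print $1 }' "$baseline")
        if [ -f "$f" ]; then
            actual=$(sha256sum "$f" | cut -d' ' -f1)
            if [ -z "$expected" ]; then
                printf 'UNEXPECTED %s\n' "$f"
            elif [ "$actual" != "$expected" ]; then
                printf 'MODIFIED %s\n' "$f"
            fi
        elif [ -n "$expected" ]; then
            printf 'MISSING %s\n' "$f"
        fi
    done
}

# Live-host usage (baseline path is an assumed location):
#   anacron_baseline > /var/lib/audit/anacron.sha256      # on the clean reference host
#   anacron_stub_changes "" /var/lib/audit/anacron.sha256  # on the host being audited
#   sshd_permits_root_login && echo "ALERT: sshd permits root login"
```

Run the baseline step on a freshly built image, not on a host that may already be compromised, and store it off-host; on RPM- or dpkg-based systems `rpm -V` / `dpkg -V` on the cron package gives an independent second opinion about the same files.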