Like Burglars Closing a Door, Apache ActiveMQ Attackers Patch Critical Vuln After Breaking In

Criminals exploiting a critical vulnerability in open source Apache ActiveMQ middleware are fixing the flaw that allowed them access, after establishing persistence on Linux servers.

Researchers at security house Red Canary observed attackers using a new form of Linux malware, dubbed DripDropper, against dozens of systems running Apache’s Java-based message broker. The miscreants got in using CVE-2023-46604, a CVSS 9.8 critical flaw that Apache itself rates as a perfect 10. After installing a backdoor to the infected systems, they then downloaded two Java Archive (JAR) files that effectively patched the original vuln.

“This kind of behavior is very uncommon; we see it very rarely,” Brian Donohue, principal researcher at Red Canary, told The Register. “I think we’ve only seen it once before and it’s not something that happens very often. Most threats are pretty much point and play and don’t often include this sort of really customized trick.”

The criminals gained access using a Sliver implant – a legitimate tool for pentesters but one which is also much abused by black hats – to modify the sshd configuration file of the target machine to allow root access. They then downloaded DripDropper, an encrypted PyInstaller-built ELF that communicates with an attacker-controlled Dropbox account, to maintain control over compromised Linux servers.

While patching the systems after infection will help conceal the intrusion from vulnerability scanners, there is a second line of defense against detection. DripDropper – so named because it uses Dropbox to shuttle files back and forth – is password protected, making it tougher for bug hunters to access and analyze it in search of a way to kill off the code, Donohue explained.

“The actions of this file changed from instance to instance, ranging from process monitoring to contacting Dropbox for further instructions,” the Red Canary team said in its report. “DripDropper will establish persistent execution for the dropped file by modifying the 0anacron file observed in each /etc/cron.*/ directory.”

“It typically modifies existing configuration files related to SSH, including altering the default login shell for user account games to /bin/sh. This action presumably prepared the system for additional persistent access via the games account where the adversary could issue shell commands.”
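The three host changes the report describes (the 0anacron hooks in each /etc/cron.*/ directory, the games account's login shell, and the sshd root-login setting) can be checked with an audit script like the one below. This is an added example, not code from Red Canary or the article; the sample host files are constructed, and the pattern used to flag unexpected lines in 0anacron is a heuristic assumption.

```python
import re

# Heuristic (assumption): a stock 0anacron script only invokes /usr/sbin/anacron,
# so lines that execute from scratch directories or fetch content are the suspect additions.
SUSPICIOUS_ANACRON = re.compile(r"/tmp/|/var/tmp/|/dev/shm/|\b(curl|wget|python3?)\b")

def check_games_shell(passwd_text):
    """Flag the 'games' account if its login shell was changed to a real shell."""
    out = []
    for line in passwd_text.splitlines():
        f = line.split(":")  # name:x:uid:gid:gecos:home:shell
        if len(f) == 7 and f[0] == "games" and f[6] in ("/bin/sh", "/bin/bash", "/bin/dash"):
            out.append(f"/etc/passwd: games login shell is {f[6]}")
    return out

def check_sshd_root_login(sshd_text):
    """Flag an effective 'PermitRootLogin yes'; sshd honours the first directive it reads."""
    for line in sshd_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = re.match(r"permitrootlogin\s+(\S+)", s, re.IGNORECASE)
        if m:
            return [f"sshd_config: PermitRootLogin {m.group(1)}"] if m.group(1).lower() == "yes" else []
    return []

def check_anacron(path, text):
    """Flag non-comment lines in a 0anacron script that match the suspicious pattern."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#") and SUSPICIOUS_ANACRON.search(s):
            out.append(f"{path}:{n}: {s}")
    return out

def audit(passwd_text, sshd_text, anacron_files):
    """anacron_files maps each /etc/cron.*/0anacron path to its contents."""
    findings = check_games_shell(passwd_text) + check_sshd_root_login(sshd_text)
    for path, text in anacron_files.items():
        findings += check_anacron(path, text)
    return findings

# Constructed sample host state (not taken from the report) showing all three changes.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ngames:x:5:60:games:/usr/games:/bin/sh\n"
SAMPLE_SSHD = "# PermitRootLogin prohibit-password\nPermitRootLogin yes\nPasswordAuthentication yes\n"
SAMPLE_ANACRON = {"/etc/cron.daily/0anacron": "#!/bin/sh\n/usr/sbin/anacron -s\n/var/tmp/.x/update >/dev/null 2>&1\n"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SSHD, SAMPLE_ANACRON):
        print(finding)
```

On a live host, feed the script the real /etc/passwd, /etc/ssh/sshd_config and every /etc/cron.*/0anacron, and treat any finding as a prompt to compare against a known-good baseline rather than as proof of compromise on its own.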

Once they have installed malware on the system and hidden it from view with the downloaded patch, attackers deliver new payloads, Donohue explained. This could include uploading information-stealing code, installing ransomware, or downloading network access tools that the miscreants can use to spread to other machines.

In theory, this flaw shouldn’t be an issue, because Apache patched CVE-2023-46604 way back in late October 2023. But IT departments are perennially overstretched when it comes to patching and, despite its seriousness, there are still a lot of vulnerable systems out there.

Then again, vendors aren’t helping. Oracle only included a patch for the flaw back in January of this year, for example, despite researchers warning of attacks using the vulnerability for over a year before Oracle got around to including a fix.

If you’re trusting Big Red to deliver timely patches, maybe it’s time to rethink your security strategy, as the biz is notorious for tardy software fixes, typically only releasing four software updates a year. ®
