

Ethical Hacking News

Hackers Utilize Apache ActiveMQ Vulnerability to Deploy DripDropper Malware via Post-Exploitation Patching



Hackers have successfully exploited a 2-year-old vulnerability in Apache ActiveMQ (CVE-2023-46604) to deploy DripDropper malware on Linux systems. The attackers patched the vulnerability post-exploitation, not only to evade detection but also to block rival adversaries from exploiting the same flaw. This case highlights the sophistication and adaptability of modern threat actors and emphasizes the importance of keeping up-to-date with security patches.

  • A group of hackers exploited a 2-year-old vulnerability in Apache ActiveMQ (CVE-2023-46604) to deploy DripDropper malware on Linux systems.
  • The vulnerability has a CVSS score of 10.0, making it one of the most severe vulnerabilities in the Apache ActiveMQ software.
  • Attackers used post-exploitation patching techniques to evade detection and block rival adversaries from exploiting the same flaw.
  • The use of post-exploitation patching highlights the sophistication and adaptability of modern threat actors.
  • The attackers gained persistence on cloud-based Linux systems using tools like Sliver and Cloudflare Tunnels.
  • The DripDropper malware is a stealthy Linux malware that requires a password to run and allows persistent access through SSH configurations.
  • Patching the vulnerability did not disrupt the attackers' operations, as they have established other persistence mechanisms.



Pierluigi Paganini, a renowned security expert and researcher, recently shed light on an intriguing vulnerability exploitation scenario involving the Apache ActiveMQ message broker software. According to Paganini's latest article published on Security Affairs, a group of hackers successfully exploited a 2-year-old vulnerability in Apache ActiveMQ (CVE-2023-46604) to deploy the DripDropper malware on Linux systems, further highlighting the importance of keeping up-to-date with security patches.

This vulnerability has been identified as having a CVSS score of 10.0, making it one of the most severe vulnerabilities in the Apache ActiveMQ software. Paganini's research indicates that attackers employed this exploit to gain persistence on cloud-based Linux systems and deploy DripDropper malware, which is designed to provide remote access to compromised systems.

In a surprising twist, the hackers patched the vulnerability post-exploitation, not only to evade detection but also to block potential rival adversaries from exploiting the same flaw. By replacing the existing JAR files with legitimate patches, the attackers effectively secured their foothold on the compromised system, making it more difficult for defenders to detect and respond to the threat.

The use of post-exploitation patching techniques in this scenario highlights the sophistication and adaptability of modern threat actors. These actors continually seek ways to stay one step ahead of security measures, often leveraging vulnerabilities that have already been patched or are no longer considered high-risk.

To gain persistence on cloud Linux systems, attackers used tools like Sliver and Cloudflare Tunnels. In one instance, they even altered SSH settings to allow root logins, giving them full control over the compromised system. The deployment of DripDropper added a further layer of persistence, giving the attackers ongoing access to the compromised system.

DripDropper is a stealthy Linux malware packaged as an encrypted PyInstaller ELF that requires a password to run. It connects to a Dropbox account via a hardcoded token and drops two malicious files. The first file varies in behavior, such as process monitoring or fetching more commands, while the second file tampers with SSH configurations, enabling persistent access through system accounts such as games.
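The two SSH persistence changes described above, root logins being turned on and a system account such as games being given a usable shell, are easy to miss with a grep, because sshd uses the first occurrence of a directive and ignores later repeats. As an added example (not code from the article or from the researchers it cites), this Python audit computes the effective sshd value and lists system accounts with interactive shells; the sshd_config and passwd contents are constructed samples, not data from the incident.

```python
import re

# Constructed samples (not from any real host) standing in for /etc/ssh/sshd_config
# and /etc/passwd after the two tampering patterns described above.
SSHD_CONFIG = """\
PermitRootLogin yes
# Hardened baseline left in place by the image builder
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", ""}


def effective_sshd_directives(text):
    """Global value sshd will actually use for each keyword (keys and values lowercased).

    sshd honours the FIRST occurrence of a keyword and ignores later global repeats, so a
    line inserted above the hardened baseline silently overrides it while a grep for the
    baseline line still passes.  Lines from the first Match to EOF are conditional and skipped.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if key.lower() == "match":
            break
        directives.setdefault(key.lower(), rest[0].strip().lower() if rest else "")
    return directives


def interactive_system_accounts(passwd_text, uid_max=1000):
    """Non-root accounts below the regular-user UID range that have a login shell."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")  # name:pw:uid:gid:gecos:home:shell
        if len(fields) == 7 and fields[2].isdigit() and 0 < int(fields[2]) < uid_max and fields[6] not in NOLOGIN_SHELLS:
            hits.append(fields[0])
    return hits
```

On a live host, feed the functions the contents of /etc/ssh/sshd_config and /etc/passwd; an effective PermitRootLogin other than no or prohibit-password, or any name returned by the second function, deserves an explanation.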

In a striking example of post-exploitation patching, the attackers downloaded two ActiveMQ JAR files from repo1.maven.org, a domain belonging to Apache Maven. By deleting the existing JAR files and replacing them with legitimate patches, they effectively patched the already compromised system, reducing detection by common methods such as vulnerability scanners.
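Because the swapped-in JARs carry a fixed version, a scanner that keys only on version strings would mark the host as patched. As an added example (not the article's or the researchers' code), this Python check flags ActiveMQ JARs in a lib/ directory whose version or modification time disagrees with their siblings, on the reasoning that a vendor upgrade replaces every ActiveMQ JAR together; the directory listing and version numbers are constructed assumptions, not indicators from the incident.

```python
import os
import re
import statistics
from collections import Counter

JAR_RE = re.compile(r"^(activemq-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")

# Constructed sample of an ActiveMQ lib/ directory as (filename, mtime) pairs: the
# release was installed at T0, and two JARs carry a different version string and a
# much newer mtime, the footprint a partial in-place swap of individual JARs leaves.
T0 = 1_690_000_000
SAMPLE_LIB = [
    ("activemq-broker-5.15.9.jar", T0),
    ("activemq-client-5.18.3.jar", T0 + 400 * 86400),
    ("activemq-openwire-legacy-5.18.3.jar", T0 + 400 * 86400),
    ("activemq-kahadb-store-5.15.9.jar", T0),
    ("activemq-spring-5.15.9.jar", T0),
    ("hawtbuf-1.11.jar", T0),  # third-party JAR, ignored by the version check
]


def scan_lib_dir(path):
    """Build (filename, mtime) pairs from a real ActiveMQ lib/ directory."""
    return [(e.name, e.stat().st_mtime) for e in os.scandir(path) if e.name.endswith(".jar")]


def suspicious_jars(entries, max_skew_seconds=86400):
    """Flag activemq-*.jar files that disagree with the rest of lib/ on version or mtime.

    Baseline version is the majority version string; baseline mtime is the median.
    Returns {filename: [reasons]}; a version-only scanner would report this host as patched.
    """
    parsed = [(name, m.group(2), mtime) for name, mtime in entries if (m := JAR_RE.match(name))]
    if not parsed:
        return {}
    baseline_version = Counter(v for _, v, _ in parsed).most_common(1)[0][0]
    baseline_mtime = statistics.median(mt for _, _, mt in parsed)
    findings = {}
    for name, version, mtime in parsed:
        reasons = []
        if version != baseline_version:
            reasons.append(f"version {version} differs from lib/ baseline {baseline_version}")
        if mtime - baseline_mtime > max_skew_seconds:
            reasons.append(f"written {int((mtime - baseline_mtime) // 86400)} days after siblings")
        if reasons:
            findings[name] = reasons
    return findings
```

Run `suspicious_jars(scan_lib_dir("/path/to/activemq/lib"))` against a real broker; an empty result means the ActiveMQ JARs agree with each other, not that the installed version is safe.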

Red Canary researchers have observed this technique in intrusions exploiting other CVEs as well. They noted, however, that patching the vulnerability does not disrupt the attackers' operations, because they have already established other persistence mechanisms to maintain access.

This case serves as a reminder of the importance of keeping up-to-date with security patches and being vigilant in monitoring for potential vulnerabilities. Securing cloud and *NIX-based environments demands a multi-layered approach, including regular vulnerability assessments, patch management, and behavioral analysis.

In conclusion, this article highlights the sophistication and adaptability of modern threat actors in exploiting vulnerabilities like CVE-2023-46604. The use of post-exploitation patching techniques by attackers adds another layer of complexity to security measures, emphasizing the need for ongoing vigilance and proactive risk management.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Utilize-Apache-ActiveMQ-Vulnerability-to-Deploy-DripDropper-Malware-via-Post-Exploitation-Patching-ehn.shtml

  • https://securityaffairs.com/181356/malware/hackers-deploy-dripdropper-via-apache-activemq-flaw-patch-systems-to-evade-detection.html

  • https://nvd.nist.gov/vuln/detail/CVE-2023-46604

  • https://www.cvedetails.com/cve/CVE-2023-46604/


Published: Thu Aug 21 12:20:47 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.