Exploitation of Apache ActiveMQ Flaw Leads to Deployment of DripDropper Malware on Cloud Linux Systems


By Tina Reynolds


A critical vulnerability in Apache ActiveMQ, tracked as CVE-2023-46604, is under active exploitation by multiple threat actors. The flaw is a remote code execution bug in the broker's OpenWire protocol handler; exploiting it gives attackers a foothold on the cloud Linux hosts that run the broker, and that foothold is being used to deploy a range of malware, including the recently documented DripDropper downloader.

The exposure is serious because the flaw lets an attacker deliver whatever payload they choose. Earlier campaigns against the same bug dropped HelloKitty ransomware, Linux rootkits, the GoTitan botnet malware and the Godzilla web shell. The speed with which attackers have picked up this vulnerability makes the concern immediate: organizations running Apache ActiveMQ need to upgrade and hunt for intrusions now.

Persistent Threats and Modifications

The threat actors exploiting this vulnerability have developed mature tactics, techniques, and procedures (TTPs) for keeping access to the systems they compromise. One notable technique the Red Canary researchers observed was modifying the existing SSH daemon (sshd) configuration to permit root login. With root access over SSH, the attacker no longer depends on the ActiveMQ exploit at all and can drop DripDropper onto the host whenever convenient.
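One check a responder would want after reading the above is whether an sshd configuration has been loosened to permit root login. The auditor below is an added example written for this page, not Red Canary's tooling or anything from the report. It relies on two rules from sshd_config(5): for each keyword the first value obtained wins, and keywords inside a Match block override the global value only when the Match criteria are satisfied, so a bare grep for "PermitRootLogin yes" both over- and under-reports. The sample configuration is constructed; the default value of prohibit-password is OpenSSH's own default.

```python
"""Audit an OpenSSH sshd_config for loosened root-login settings (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"          # OpenSSH default since 7.0
DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")   # "Key value" or "Key=value"


@dataclass
class SshdConfig:
    global_values: dict = field(default_factory=dict)   # keyword -> every value, in file order
    match_blocks: list = field(default_factory=list)    # (match criteria, keyword, value)


def parse_sshd_config(text: str) -> SshdConfig:
    cfg = SshdConfig()
    in_match = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = value                  # every line below belongs to this Match block
        elif in_match is None:
            cfg.global_values.setdefault(key, []).append(value)
        else:
            cfg.match_blocks.append((in_match, key, value))
    return cfg


def effective_global(cfg: SshdConfig, key: str, default: str) -> str:
    """sshd keeps the FIRST value it reads for a keyword; later copies are ignored."""
    values = cfg.global_values.get(key)
    return values[0].lower() if values else default


def audit(text: str) -> list[str]:
    cfg = parse_sshd_config(text)
    findings = []
    if effective_global(cfg, "permitrootlogin", DEFAULT_PERMIT_ROOT_LOGIN) == "yes":
        findings.append("global PermitRootLogin yes: root can log in with a password")
    if effective_global(cfg, "permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords yes")
    for criteria, key, value in cfg.match_blocks:
        if key == "permitrootlogin" and value.lower() == "yes":
            findings.append(f"Match {criteria}: PermitRootLogin yes overrides the global value")
        if (key == "passwordauthentication" and value.lower() == "yes"
                and effective_global(cfg, "passwordauthentication", "yes") == "no"):
            findings.append(f"Match {criteria}: PasswordAuthentication yes re-enables passwords")
    # A second copy of a keyword has no effect, but a 'PermitRootLogin yes' appended
    # below an existing 'no' is still a tampering indicator worth reporting.
    for key, values in cfg.global_values.items():
        extra = [v for v in values[1:] if v.lower() != values[0].lower()]
        if extra:
            findings.append(f"ignored duplicate {key}: first='{values[0]}' later={extra}")
    return findings


# Constructed sample: a hardened config that an intruder has appended to.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp /usr/lib/openssh/sftp-server
# --- lines below were appended post-compromise ---
PermitRootLogin yes
Match all
    PermitRootLogin yes
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("[!]", finding)
```

Run it against a copy of /etc/ssh/sshd_config taken from a suspect host; the appended global `PermitRootLogin yes` in the sample is reported as an ignored duplicate, while the `Match all` block is the change that actually opens root login. Files pulled in through `Include` are not followed here and would need to be concatenated in the order sshd reads them.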

DripDropper itself is a downloader whose job is to place two further files on the host. One of them, present on most of the affected endpoints, enables a range of malicious actions: it monitors running processes and polls Dropbox for its next instructions, using the cloud storage service as a command channel.

“Follow-on adversary command-and-control (C2) tools varied by endpoint and included Sliver and Cloudflare Tunnels to maintain covert command and control over the long term,” – Christina Johns, Chris Brook, and Tyler Edmonds.
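The behaviours described above, a process polling Dropbox for instructions and follow-on tunnel tooling, can be hunted in connection telemetry. The script below is an added example written for this page, not Red Canary's detection logic. It assumes a whitespace-separated export with the fields host, pid, user, exe, dst_host and dst_port (map your EDR or netflow fields onto it); the records, the executable paths and the process IDs are constructed. The Dropbox API hostnames are real, but the argotunnel.com suffix used to spot Cloudflare Tunnel clients is an assumption to replace with your own intelligence.

```python
"""Hunt connection telemetry for DripDropper-style cloud-storage C2 (added example)."""
from __future__ import annotations

# Destinations abused as C2 channels. Dropbox API hosts are real; the argotunnel.com
# suffix for Cloudflare Tunnel clients is an assumption made for this example.
C2_SUFFIXES = {
    "dropboxapi.com": "Dropbox API used as a command channel",
    "argotunnel.com": "Cloudflare Tunnel client connection",
}
ALLOWLIST = {"/usr/bin/dropbox"}                      # binaries allowed to reach those services
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable locations droppers land in
POLL_THRESHOLD = 3                                    # repeated contacts that look like polling


def parse_record(line: str) -> dict:
    host, pid, user, exe, dst_host, dst_port = line.split()
    return {"host": host, "pid": int(pid), "user": user, "exe": exe,
            "dst_host": dst_host, "dst_port": int(dst_port)}


def c2_reason(dst_host: str) -> str | None:
    """Return why a destination is suspicious, matching the suffix as a whole label."""
    for suffix, why in C2_SUFFIXES.items():
        if dst_host == suffix or dst_host.endswith("." + suffix):
            return why
    return None


def classify(rec: dict) -> list[str]:
    reasons = []
    why = c2_reason(rec["dst_host"])
    if why and rec["exe"] not in ALLOWLIST:
        reasons.append(why)
    if rec["exe"].startswith(STAGING_DIRS):
        reasons.append("executable runs from a staging directory")
    if reasons and rec["user"] == "root":
        reasons.append("process runs as root")
    return reasons


def hunt(telemetry: str) -> list[dict]:
    """Group records by (host, pid, exe, dst_host); one alert per suspicious group."""
    groups: dict[tuple, dict] = {}
    for line in telemetry.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        key = (rec["host"], rec["pid"], rec["exe"], rec["dst_host"])
        g = groups.setdefault(key, {"connections": 0, "reasons": classify(rec)})
        g["connections"] += 1
    alerts = []
    for (host, pid, exe, dst), g in groups.items():
        reasons = list(g["reasons"])
        # Repeated contact with a C2-capable service is the polling loop described above.
        if reasons and c2_reason(dst) and g["connections"] >= POLL_THRESHOLD:
            reasons.append(f"repeated polling ({g['connections']} connections)")
        if reasons:
            alerts.append({"host": host, "pid": pid, "exe": exe, "dst_host": dst,
                           "connections": g["connections"], "reasons": reasons})
    return alerts


# Constructed sample telemetry (hosts, pids and paths are invented for the example).
SAMPLE_TELEMETRY = """\
# host        pid   user      exe                             dst_host                    dst_port
mq-prod-01    4412  activemq  /usr/lib/jvm/java-11/bin/java   broker-peer.internal        61616
mq-prod-01    5120  root      /tmp/.cache/dd                  api.dropboxapi.com          443
mq-prod-01    5120  root      /tmp/.cache/dd                  api.dropboxapi.com          443
mq-prod-01    5120  root      /tmp/.cache/dd                  api.dropboxapi.com          443
mq-prod-01    5201  root      /usr/local/bin/cloudflared      region1.v2.argotunnel.com   7844
web-02        2210  www-data  /usr/sbin/nginx                 cdn.example.com             443
devbox-07     880   alice     /usr/bin/dropbox                content.dropboxapi.com      443
"""

if __name__ == "__main__":
    for alert in hunt(SAMPLE_TELEMETRY):
        print(f"{alert['host']} pid={alert['pid']} {alert['exe']} -> {alert['dst_host']}: "
              + "; ".join(alert["reasons"]))
```

The allowlist matters: a developer workstation running the real Dropbox client is not an alert, while a root process in /tmp talking to the same API three times is. Tune POLL_THRESHOLD to the export window you feed in.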

The Impact of DripDropper

DripDropper is especially notable because it had not been documented as a downloader before this campaign. Once on a vulnerable system it lets the operators install additional malicious software or support wider intelligence-collection efforts. For affected organizations it represents a persistent operational risk and a standing threat to sensitive data.

As the Red Canary researchers point out, patching a CVE after it has been exploited does not evict an adversary who has already established persistence. In this campaign the attackers went a step further: once inside, they downloaded and installed the patched ActiveMQ releases themselves, closing the door behind them so that neither rival intruders nor vulnerability scanners would flag the host.

“Patching the vulnerability does not disrupt their operations as they already established other persistence mechanisms for continued access,” – Red Canary researchers (Christina Johns, Chris Brook, and Tyler Edmonds).

Mitigation Strategies

Upgrade Apache ActiveMQ to a release that contains the fix (5.15.16, 5.16.7, 5.17.6, 5.18.3 or later on each branch) and keep the broker, its libraries and plugins current. Do not expose the OpenWire listener (TCP 61616 by default) to the internet; restrict it to the hosts that need it. Because patching alone does not evict an attacker who is already inside, any broker that was reachable while vulnerable should also be hunted for persistence: review /etc/ssh/sshd_config for a newly permitted root login, check root's authorized keys and cron entries, and look for unexpected processes contacting Dropbox or running tunnel clients such as cloudflared. Pair this with endpoint and network monitoring able to flag such anomalous behaviour, including exploitation of flaws for which no patch yet exists.
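The first of those steps, finding which brokers are still on a vulnerable release, is easy to get wrong by comparing versions lexically: 5.17.5 is newer than 5.16.7 yet still vulnerable, because each branch has its own fixed release. The triage script below is an added example written for this page, not from the article or the ActiveMQ project. The fixed versions come from the Apache advisory for CVE-2023-46604; the inventory format (host, version, whether the OpenWire port is reachable from outside) and the host names are constructed.

```python
"""Triage an ActiveMQ inventory against CVE-2023-46604 fixed releases (added example)."""
from __future__ import annotations

import re

# Fixed patch level per affected branch, as listed in the Apache advisory.
FIXED_BY_BRANCH = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}

STATUS_PATCHED = "patched"
STATUS_PATCHED_HUNT = "patched; hunt for persistence if it was exposed before the upgrade"
STATUS_VULNERABLE = "vulnerable (OpenWire not externally reachable)"
STATUS_CRITICAL = "CRITICAL: vulnerable and OpenWire reachable externally"


def parse_version(version: str) -> tuple[int, int, int]:
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable ActiveMQ version: {version!r}")
    return tuple(int(x) for x in m.groups())   # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return patch < FIXED_BY_BRANCH[branch]
    # Branches older than 5.15 never received a fix; 5.19+ and 6.x were released after it.
    return branch < (5, 15)


def fix_target(version: str) -> str | None:
    """Smallest release on the same branch that closes the hole, or None if already fixed."""
    if not is_vulnerable(version):
        return None
    major, minor, _ = parse_version(version)
    if (major, minor) in FIXED_BY_BRANCH:
        return f"{major}.{minor}.{FIXED_BY_BRANCH[(major, minor)]}"
    return "5.15.16 or later (no fix on this branch)"


def triage(inventory: str) -> list[tuple[str, str, str, str | None]]:
    """Rows of (host, version, status, upgrade_to) for 'host version openwire_exposed' records."""
    rows = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version, exposed = line.split()
        vulnerable = is_vulnerable(version)
        reachable = exposed.lower() == "yes"
        if vulnerable and reachable:
            status = STATUS_CRITICAL
        elif vulnerable:
            status = STATUS_VULNERABLE
        elif reachable:
            status = STATUS_PATCHED_HUNT   # patched now, but was it patched by the attacker?
        else:
            status = STATUS_PATCHED
        rows.append((host, version, status, fix_target(version)))
    return rows


# Constructed inventory; host names are invented for the example.
SAMPLE_INVENTORY = """\
# host         version   openwire_exposed
mq-prod-01     5.17.5    yes
mq-prod-02     5.16.7    yes
mq-stage-01    5.18.2    no
mq-legacy-01   5.14.5    yes
mq-new-01      6.1.0     no
"""

if __name__ == "__main__":
    for host, version, status, target in triage(SAMPLE_INVENTORY):
        upgrade = f" -> upgrade to {target}" if target else ""
        print(f"{host:<14}{version:<10}{status}{upgrade}")
```

A host that reports as patched is not automatically clean: as the researchers note, this adversary applied the vendor patch after compromise, so the "patched; hunt" status is a prompt to check sshd_config, cron and outbound connections on any broker that was exposed before the upgrade.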