Intruders exploiting Apache ActiveMQ vulnerability seal the breach once inside, mending a critical flaw
In recent developments, cybercriminals have been actively exploiting a critical vulnerability (CVE-2023-46604) in the open source Apache ActiveMQ middleware. This remote code execution (RCE) flaw, rated as a perfect 10 by Apache, has been a cause for concern since it was patched way back in late October 2023.
Despite the patch being available for over a year, a significant number of vulnerable systems remain, because IT departments are perpetually overstretched when it comes to patching. This situation has allowed attackers to capitalise on the flaw, deploying a Sliver implant and modifying the sshd configuration file to gain root access to target machines.
Once they have established persistence on Linux servers, the attackers download two Java Archive (JAR) files to patch the original vulnerability. Among the malware involved is DripDropper, a new family of Linux malware that is password protected, making it harder for researchers to access and analyse.
The Red Canary team has published a report detailing their findings about DripDropper. According to Brian Donohue, a principal researcher at Red Canary, this type of behaviour is rare and customised.
Attackers deliver new payloads after installing malware on the system, which could include uploading information-stealing code, installing ransomware, or downloading network access tools. DripDropper establishes persistent execution by modifying the 0anacron file in each /etc/cron.*/ directory.
CVE-2023-46604 remains actively exploited by threat actors in the wild, particularly against cloud Linux environments. This ongoing exploitation underscores the critical need for timely patching and multi-layered defence strategies, especially for cloud-based and Linux systems running Apache ActiveMQ.
To protect systems, organisations should apply patches immediately, restrict network access, monitor for suspicious activity, deploy security controls, conduct logging and auditing, and consider using Endpoint Detection and Response (EDR) tools, Web Application Firewalls (WAFs), and threat hunting for Indicators of Compromise (IOCs) related to this vulnerability and malware.
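The two persistence points described above, the sshd configuration change and the rewritten 0anacron files under /etc/cron.*/, are the kind of thing "monitor for suspicious activity" means in practice. The script below is an added example, not Red Canary's tooling or anything from the report: it compares each 0anacron file against a baseline of SHA-256 hashes (assumed to have been recorded from a known-good host) and reports whether the effective sshd_config sets PermitRootLogin to yes. The sample files and configs in demo() are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def audit_anacron_stubs(etc_dir: Path, baseline: dict) -> list:
    """Report every 0anacron under etc_dir/cron.*/ whose SHA-256 differs from the
    baseline (recorded from a known-good host; an assumption) or has no baseline."""
    findings = []
    for cron_dir in sorted(etc_dir.glob("cron.*")):
        stub = cron_dir / "0anacron"
        if not stub.is_file():
            continue
        key = f"{cron_dir.name}/0anacron"
        digest = hashlib.sha256(stub.read_bytes()).hexdigest()
        if key not in baseline:
            findings.append(f"{key}: no baseline hash recorded")
        elif digest != baseline[key]:
            findings.append(f"{key}: content changed")
    return findings

def sshd_permits_root_login(config_text: str) -> bool:
    """True if PermitRootLogin is 'yes' in the effective config: sshd honours only
    the first global occurrence, but any 'yes' inside a Match block counts too."""
    in_match, global_seen = False, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if re.match(r"(?i)^match\b", line):
            in_match = True
            continue
        m = re.match(r"(?i)^permitrootlogin(?:\s+|\s*=\s*)(\S+)", line)
        if not m or (global_seen and not in_match):
            continue  # no directive, or a later global duplicate sshd ignores
        global_seen = global_seen or not in_match
        if m.group(1).lower() == "yes":
            return True
    return False

def demo() -> tuple:
    """Constructed sample: one clean and one tampered 0anacron, two sshd configs."""
    root = Path(tempfile.mkdtemp())
    clean = b"#!/bin/sh\n[ -x /usr/sbin/anacron ] || exit 0\n"
    for name, body in (("cron.daily", clean), ("cron.hourly", clean + b"echo tampered\n")):
        (root / name).mkdir()
        (root / name / "0anacron").write_bytes(body)
    baseline = {f"{n}/0anacron": hashlib.sha256(clean).hexdigest() for n in ("cron.daily", "cron.hourly")}
    return (audit_anacron_stubs(root, baseline),
            sshd_permits_root_login("PermitRootLogin prohibit-password\n"),
            sshd_permits_root_login("# PermitRootLogin no\nPermitRootLogin yes\n"))
```

On a real host, point audit_anacron_stubs at /etc and build the baseline from the distribution package manifest rather than from the host under investigation.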