Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems
Briefly

Threat actors are leveraging a critical vulnerability in Apache ActiveMQ, CVE-2023-46604, to gain unauthorized access to cloud Linux systems and deploy malware called DripDropper. These attackers have been observed patching the exploited vulnerability to prevent further exploitation by others. They utilize diverse command-and-control tools to maintain covert operations. The DripDropper downloader is employed to facilitate various malicious actions and blends in with normal network activity by communicating with a legitimate Dropbox account.
Threat actors have been exploiting a maximum-severity vulnerability in Apache ActiveMQ, CVE-2023-46604, since its disclosure in October 2023; the flaw allows remote code execution.
After gaining access, the attackers patch the vulnerability themselves, which both locks out other adversaries and helps them evade detection.
The malware DripDropper is deployed, requiring a password for execution and communicating with a Dropbox account to blend in with normal traffic.
Red Canary reported the use of various command-and-control tools, illustrating a sophisticated level of persistence and covert operations by the threat actors.
Read at The Hacker News