
Threat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud-hosted Linux systems and deploy malware called DripDropper.
In an unusual twist, the unknown attackers have been observed patching the exploited vulnerability after securing initial access, both to stop other adversaries from exploiting it and to avoid detection.
“The hostile command and control (C2) tools, which contained Sliver, varied by endpoint, depending on a Cloudflare Tunnel to maintain long-term secret command and control,” said researchers Christina Johns, Chris Brook and Tyler Edmonds.
The attacks exploit a maximum-severity security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0) that was addressed in late October 2023.

The security flaw has since come under heavy exploitation, with multiple threat actors leveraging it to deploy a wide range of payloads, including HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and the Godzilla web shell.
In attack activity detected by Red Canary, the threat actors were observed using their access to modify the existing sshd configuration to enable root logins, which gave them the elevated access needed to drop a previously unknown downloader dubbed DripDropper.
DripDropper, a PyInstaller-packaged Executable and Linkable Format (ELF) binary, requires a password to run, which hinders analysis. It also communicates with an attacker-controlled Dropbox account, once again illustrating how threat actors increasingly rely on legitimate services to blend in with normal network activity and sidestep detection.
Ultimately, it acts as a conduit for two files. One of them facilitates a variety of actions across endpoints, from monitoring processes to contacting Dropbox. Persistence for the dropped files is achieved by modifying the 0anacron files in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly directories.
The second file dropped by DripDropper is designed to contact Dropbox to receive commands, and it also modifies existing SSH-related configuration files. In the final stage, the attackers download the patches for CVE-2023-46604 from Apache Maven, effectively plugging the flaw.
“Patching a vulnerability does not disrupt the operation, as other persistence mechanisms have already been established for continuous access,” the researchers said.
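As an added example (not code from the Red Canary report or this article), the following Python audit checks a host for the two changes described above: an effective `PermitRootLogin yes` in sshd_config, and 0anacron files in the cron directories that are new or no longer match a recorded baseline. The sshd_config text, cron file contents, the tampered line and the baseline hashes are all constructed sample data.

```python
import hashlib
import re

# Constructed sample sshd_config; the last line is the edit that enables root logins.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin yes
"""
# Constructed 0anacron contents: a clean distribution copy and a modified one.
CLEAN_0ANACRON = "#!/bin/sh\n# 0anacron (constructed)\n/usr/sbin/anacron -s\n"
TAMPERED_0ANACRON = CLEAN_0ANACRON + "/var/tmp/.hidden/update &\n"
# Constructed listing of the cron directories: {directory: {filename: content}}
SAMPLE_CRON_FILES = {
    "/etc/cron.daily": {"0anacron": CLEAN_0ANACRON},
    "/etc/cron.weekly": {"0anacron": TAMPERED_0ANACRON},
    "/etc/cron.monthly": {"0anacron": CLEAN_0ANACRON},
}
# Baseline SHA-256s a defender records from a known-good host (built from CLEAN_0ANACRON).
BASELINE_0ANACRON_SHA256 = {
    f"{d}/0anacron": hashlib.sha256(CLEAN_0ANACRON.encode()).hexdigest()
    for d in SAMPLE_CRON_FILES
}

def check_sshd_config(text):
    """Flag effective 'PermitRootLogin yes' lines (keyword is case-insensitive,
    '=' or whitespace may separate key and value, comments are stripped)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if (len(parts) == 2 and parts[0].lower() == "permitrootlogin"
                and parts[1].strip().lower() == "yes"):
            findings.append(f"sshd_config:{lineno}: PermitRootLogin yes")
    return findings

def check_0anacron(cron_files, baseline):
    """Integrity-check each 0anacron file against the baseline: a new or modified
    copy is exactly how the cron persistence described above is planted."""
    findings = []
    for directory, files in cron_files.items():
        if "0anacron" not in files:
            continue
        path = f"{directory}/0anacron"
        digest = hashlib.sha256(files["0anacron"].encode()).hexdigest()
        if path not in baseline:
            findings.append(f"{path}: not in baseline")
        elif digest != baseline[path]:
            findings.append(f"{path}: content differs from baseline")
    return findings
```

On a real host the same two functions would be fed the contents of /etc/ssh/sshd_config and the /etc/cron.* directories, with the baseline taken from a clean build of the same distribution.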

It’s certainly rare, but the technique is nothing new. Last month, the French national cybersecurity agency ANSSI detailed China-nexus initial access brokers that adopted the same approach: locking in their own access to compromised systems, keeping other threat actors from using the same flaw, and masking the initial access vector they had first exploited.
This campaign is a timely reminder of why organizations need to patch promptly, restrict access to internal services by configuring ingress rules that allow only trusted IP addresses or a VPN, monitor logging in their cloud environments, and flag outlier activity.