Research Finds Hackers Exploiting Then Patching Linux Systems to Conceal Attacks

A recent campaign discovered by cybersecurity company Red Canary found threat actors targeting cloud-based Linux systems running Apache ActiveMQ, exploiting a critical vulnerability to gain access but then patching the vulnerability themselves, making their presence hard to spot.

The hackers took advantage of a flaw in Apache ActiveMQ that allowed them to remotely execute commands on unpatched systems. After breaking in, they ran system discovery tools and installed a custom malware tool dubbed “DripDropper.”

The DripDropper malware is designed to be difficult to detect and analyze. It communicates with Dropbox, a legitimate cloud platform, to receive instructions and potentially exfiltrate data. The malware also changes scheduled task files and SSH settings on the server, ensuring the attackers can get back in even if other entry points are closed.

Self-Patching

In a twist, after establishing control, the attackers downloaded and applied the official patch for the same vulnerability they used to get in. By doing this, they blocked other attackers from exploiting the same flaw and reduced the chance that defenders would notice the initial breach—since a patched system won’t raise red flags in most vulnerability scans.

This campaign underscores how relying solely on patch status and vulnerability scans can be risky. Attackers increasingly use legitimate tools and techniques to blend in and hide their activity.

Along with restricting remote access and root login, and monitoring and reviewing logs for unexpected configuration or task changes, keep records when patching systems of who is making each change and why, so that a patch nobody on your team applied stands out.
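The two persistence mechanisms the article attributes to DripDropper (edited scheduled task files and changed SSH settings) and the advice to watch for unexpected configuration changes can be turned into a simple baseline-and-diff check. The script below is an added example written for this summary, not Red Canary's tooling or anything recovered from the campaign: it hashes the usual cron and sshd files, reports anything added, removed or modified since the baseline, and flags sshd directives that loosen remote access. The watched paths are conventional Linux defaults and the files in `demo()` are constructed for the demonstration; both are assumptions, not details from the report.

```python
"""Baseline-and-diff check for cron and sshd files (added example, not the
article's or Red Canary's code). Watched paths are assumed Linux defaults."""
import hashlib
import re
import tempfile
from pathlib import Path

# Where scheduled tasks and SSH daemon settings normally live (assumed defaults;
# adjust for your distribution). Directories are walked recursively.
WATCHED_PATHS = [
    "/etc/crontab",
    "/etc/cron.d",
    "/etc/ssh/sshd_config",
    "/etc/ssh/sshd_config.d",
    "/root/.ssh/authorized_keys",
]

# sshd settings that widen remote access; flagged whenever they are set this way.
RISKY_SSHD = {
    "PermitRootLogin": {"yes"},
    "PasswordAuthentication": {"yes"},
    "PermitEmptyPasswords": {"yes"},
}


def _files_under(root: Path, rel_paths):
    """Yield (watched_path, absolute_path) for every regular file under the watched paths."""
    for rel in rel_paths:
        p = root / rel.lstrip("/")
        if p.is_file():
            yield rel, p
        elif p.is_dir():
            for child in sorted(p.rglob("*")):
                if child.is_file():
                    yield f"{rel}/{child.relative_to(p)}", child


def snapshot(root: Path = Path("/"), rel_paths=WATCHED_PATHS) -> dict:
    """Return {watched_path: sha256} for all watched files below root."""
    return {rel: hashlib.sha256(p.read_bytes()).hexdigest()
            for rel, p in _files_under(root, rel_paths)}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify changes since the baseline into added, removed and modified paths."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def risky_sshd_directives(text: str) -> list:
    """Return (directive, value) pairs in an sshd_config body that loosen access."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # ignore comments
        m = re.match(r"(\S+)\s+(\S+)", line)
        if m and m.group(1) in RISKY_SSHD and m.group(2).lower() in RISKY_SSHD[m.group(1)]:
            findings.append((m.group(1), m.group(2)))
    return findings


def review(root: Path, baseline: dict) -> dict:
    """Diff against the baseline and scan sshd files. Anything reported should be
    reconciled with your change records: who touched the host, and why."""
    report = diff_snapshots(baseline, snapshot(root))
    report["risky_sshd"] = []
    for rel, p in _files_under(root, WATCHED_PATHS):
        if "sshd_config" in rel:
            for directive, value in risky_sshd_directives(p.read_text()):
                report["risky_sshd"].append(f"{rel}: {directive} {value}")
    return report


def demo() -> dict:
    """Constructed scenario: baseline a fake root, then mimic the kind of
    cron and sshd edits the article describes and see what gets reported."""
    root = Path(tempfile.mkdtemp())
    (root / "etc/cron.d").mkdir(parents=True)
    (root / "etc/ssh").mkdir(parents=True)
    (root / "etc/crontab").write_text("0 3 * * * root /usr/bin/updatedb\n")
    (root / "etc/ssh/sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
    baseline = snapshot(root)

    # Simulated unexpected changes (constructed, not artifacts from the campaign).
    (root / "etc/cron.d/backup").write_text("*/5 * * * * root /opt/unknown/run.sh\n")
    (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
    return review(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be taken right after a documented patch or build and stored off-host; a fresh snapshot that differs from it, or from the host's own package and patch logs, is exactly the discrepancy that a vulnerability scan of an attacker-patched server would miss.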

Hackers are always looking for new ways to hide, so defenders need to combine strong patch management with ongoing monitoring and access controls.

For a deeper look, read Red Canary’s full analysis here.

