‘DripDropper’ Hackers Patch Their Own ActiveMQ Exploit 

This I have to admit is a new one. Security researchers at Red Canary detected an attacker exploiting a security hole in Apache ActiveMQ, a popular open-source message broker, that is detailed in CVE-2023-46604, to gain persistent access to cloud-hosted Linux systems. The new part is that the attacker then patches that same vulnerability after securing initial access, both to protect its foothold and to evade detection, as described in Red Canary's write-up: https://redcanary.com/blog/threat-intelligence/dripdropper-linux-malware/

Finally, the adversary used curl to download two ActiveMQ JAR files from repo1[.]maven[.]org, a domain belonging to Apache Maven. These two JAR files constitute a legitimate patch for CVE-2023-46604. By deleting the existing JAR files and replacing them, the adversary effectively patched the already compromised system. We assess the adversary likely did this to reduce detection via common methods, such as vulnerability scanners, and to effectively reduce the likelihood of being spotted by defenders due to another adversary being detected when attempting to exploit the vulnerability. 
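The two signals Red Canary describes, a fixed JAR dropped into a system nobody else patched and a curl fetch of ActiveMQ artifacts from repo1.maven.org, can be checked from the host side. The Python audit below is an added example written for this post; it is not Red Canary's, Apache's or the DripDropper operators' code. It assumes the standard ActiveMQ lib/ layout of activemq-<artifact>-<version>.jar files, uses the fixed versions from Apache's advisory for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3, with later branches assumed to carry the fix), and treats a 24-hour mtime skew as the threshold for "a few JARs were swapped by hand". The JAR names, timestamps and shell-history lines it runs against are constructed sample data, not artifacts from the incident.

```python
import os
import re
import statistics
import tempfile
import time
from pathlib import Path

# Versions in which Apache fixed CVE-2023-46604, by 5.x branch (Apache advisory).
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

JAR_RE = re.compile(r"^activemq-(?P<artifact>[a-z0-9-]+?)-(?P<ver>\d+\.\d+\.\d+)\.jar$")

# Assumed pattern for a hand-run curl/wget of ActiveMQ artifacts from Maven Central.
FETCH_RE = re.compile(r"\b(curl|wget)\b.*repo1\.maven\.org/maven2/org/apache/activemq/\S+\.jar")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_fixed(version):
    """True if this ActiveMQ version carries the CVE-2023-46604 fix."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version >= FIXED_BY_BRANCH[branch]
    # Assumption: branches after 5.18 shipped with the fix; branches before 5.15 never got one.
    return branch > (5, 18)


def audit_activemq_lib(lib_dir, mtime_skew_seconds=24 * 3600):
    """Inspect an ActiveMQ lib/ directory for the 'someone patched it for you' pattern."""
    jars = []
    for path in Path(lib_dir).glob("activemq-*.jar"):
        match = JAR_RE.match(path.name)
        if match:
            jars.append({"name": path.name,
                         "version": parse_version(match["ver"]),
                         "mtime": path.stat().st_mtime})
    report = {"jars": sorted(j["name"] for j in jars), "vulnerable": [],
              "version_skew": False, "mtime_outliers": [], "suspicious": False}
    if not jars:
        return report
    report["vulnerable"] = sorted(j["name"] for j in jars if not is_fixed(j["version"]))
    # A real upgrade replaces every ActiveMQ JAR; a hand-patch swaps only a couple, which
    # shows up as mixed versions and as a few files far newer than the rest of the directory.
    report["version_skew"] = len({j["version"] for j in jars}) > 1
    median_mtime = statistics.median(j["mtime"] for j in jars)
    report["mtime_outliers"] = sorted(
        j["name"] for j in jars if abs(j["mtime"] - median_mtime) > mtime_skew_seconds)
    report["suspicious"] = report["version_skew"] or bool(report["mtime_outliers"])
    return report


def find_manual_jar_fetches(lines):
    """Return command or log lines that pulled ActiveMQ JARs straight from Maven Central."""
    return [line for line in lines if FETCH_RE.search(line)]


def build_sample_lib(lib_dir):
    """Constructed lib/ layout: three year-old JARs plus two fixed JARs swapped in an hour ago."""
    now = time.time()
    old, fresh = now - 400 * 86400, now - 3600
    sample = {
        "activemq-broker-5.18.2.jar": old,
        "activemq-kahadb-store-5.18.2.jar": old,
        "activemq-spring-5.18.2.jar": old,
        "activemq-client-5.18.3.jar": fresh,
        "activemq-jaas-5.18.3.jar": fresh,
    }
    for name, mtime in sample.items():
        path = Path(lib_dir) / name
        path.write_bytes(b"PK\x03\x04")  # placeholder bytes, not a real JAR
        os.utime(path, (mtime, mtime))


# Constructed shell-history lines for the demo, not taken from any real incident.
SAMPLE_HISTORY = [
    "cd /opt/activemq/lib",
    "curl -sO https://repo1.maven.org/maven2/org/apache/activemq/activemq-client/5.18.3/activemq-client-5.18.3.jar",
    "rm -f activemq-client-5.18.2.jar",
    "systemctl restart activemq",
]


def demo():
    with tempfile.TemporaryDirectory() as lib_dir:
        build_sample_lib(lib_dir)
        report = audit_activemq_lib(lib_dir)
    report["manual_fetches"] = find_manual_jar_fetches(SAMPLE_HISTORY)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the mtime and version-skew checks is that a vulnerability scanner keyed only on the JAR version reports this host as clean; the inconsistency between the two new files and everything around them is what a scanner does not look at. On a real host you would point audit_activemq_lib at the broker's lib/ directory and feed find_manual_jar_fetches the root shell history or auditd execve records rather than the constructed list.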

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented:

“I’m not sure I’ve heard of automated malware that patched the vulnerability it used to break in, except maybe once before back in the 1990s, when two computer virus groups were battling it out for global control using the same software vulnerability. It definitely isn’t common. I have, however, myself, been involved in a few consulting engagements over the years where human hackers broke in and patched the exploits. Once, when I was with Microsoft, I was hired to help consult with a customer that was mad that Microsoft was applying a patch that they had configured NOT to apply. It was a controversial patch at the time (it disabled the otherwise default autorun feature in Microsoft Windows when mobile media was inserted into a computer). A lot of customers were mad that Microsoft was disabling autoruns, so Microsoft configured the patch to not automatically deploy if a particular related registry entry was enabled. Well, for this particular customer, the patch kept applying. They would then uninstall the patch, make sure the related registry entry was made, and then come back in the next day to find the patch re-applied. Boy, they were mad. When I showed up, I quickly discovered that a hacker group had broken in using the vulnerability, and they were trying to apply the patch to disable the autoruns feature to prevent other groups. Boy, was that client feeling mea culpa.

“I said it then, and I’ll say it now, ‘If hackers are doing your patching faster than you are, you aren’t doing it right!’ This is yet another argument for default auto-patching without admin involvement. We’ve yet again seen serious vulnerabilities that have not been patched years later. It’s all too common.”

Ensar Seker, CISO at SOCRadar, commented:

“This DripDropper campaign markedly elevates threat actor tradecraft to a new level. Exploiting CVE‑2023‑46604 in ActiveMQ to gain entry is already alarming, but what really makes this stand out is the attacker patching the vulnerability after establishing access. By fixing the very hole they exploited, they lock out other intruders and obscure the original attack vector, diminishing detection chances and confusing defenders.” 

“From there, adversaries lay deep roots. They deploy Sliver implants or Cloudflare Tunnels, misconfigure SSH to allow root access, and install DripDropper, a cunning, encrypted downloader tied to Dropbox for stealthy payload delivery. This multilayered approach, patching the entry flaw, escalating privileges, and establishing resilient covert channels, underscores how critical it is to enforce timely patching, enforce least privilege (especially in SSH configs), and continuously monitor for anomalous tools like cron jobs or unusual Dropbox communications in cloud environments.”

I have to admit that this is pretty crafty, because a system that now looks patched no longer shows up on a vulnerability scan, which could allow them to remain undetected for extended periods of time. It illustrates that you need to shift your tactics to find threat actors, because they’re shifting their tactics to pwn you.

Discover more from The IT Nerd