Particle.news

Attackers Exploit ActiveMQ Flaw, Deploy DripDropper, Then Patch the Hole

Researchers say the operators close the exploited flaw to conceal entry, preserving exclusive control.

Overview

  • Red Canary reports active intrusions against cloud Linux servers using CVE-2023-46604 in Apache ActiveMQ nearly two years after a fix became available.
  • After initial access, the intruders download legitimate ActiveMQ JARs from Apache Maven to overwrite the vulnerable files, effectively applying the vendor patch.
  • Persistence is maintained by enabling root logins in sshd, altering other SSH-related settings (including the login shell of the games account), and establishing cron-based execution via 0anacron.
  • DripDropper is an encrypted PyInstaller ELF that requires a password, contacts a Dropbox account via a hardcoded bearer token, and drops two additional files for ongoing control.
  • Observed tooling includes Sliver and Cloudflare Tunnels, and defenders are urged to patch ActiveMQ, harden SSH, restrict service exposure, improve logging, and use policy automation to detect tampering.
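The host-side checks those recommendations imply, as an added example that is not part of the Red Canary report or this summary: it audits sshd_config for root login, /etc/passwd for a system account given a login shell, and cron scripts against a recorded hash baseline. The login-shell list, the baseline format and all sample host state are assumptions constructed for the example.

```python
import hashlib
import re

# Assumed set of shells that turn a no-login system account (e.g. games) into a usable SSH login.
LOGIN_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}

def check_sshd_config(text):
    """sshd honours the first PermitRootLogin it reads; flag it if root login is enabled."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments
        m = re.match(r"^PermitRootLogin\s+(\S+)", line, re.IGNORECASE)
        if m:
            return "PermitRootLogin yes" if m.group(1).lower() == "yes" else None
    return None                                         # absent: default is prohibit-password

def check_passwd(text, account="games"):
    """Flag the named system account if its shell has been changed to a login shell."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == account and fields[6] in LOGIN_SHELLS:
            return f"{account} account has login shell {fields[6]}"
    return None

def check_cron_tamper(files, baseline):
    """Compare cron scripts against a recorded SHA-256 baseline; report changed or new files."""
    findings = []
    for path, content in files.items():
        digest = hashlib.sha256(content.encode()).hexdigest()
        if path not in baseline:
            findings.append(f"new cron file {path}")
        elif baseline[path] != digest:
            findings.append(f"modified cron file {path}")
    return findings

# --- constructed sample host state (not captured from a real incident) ---
SAMPLE_SSHD = "# sshd_config\nPermitRootLogin yes\nPasswordAuthentication yes\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ngames:x:5:60:games:/usr/games:/bin/sh\n"
CLEAN_ANACRON = "#!/bin/sh\n/usr/sbin/anacron -s\n"
SAMPLE_CRON = {"/etc/cron.daily/0anacron": CLEAN_ANACRON + "/opt/extra/run.sh\n"}  # appended line
BASELINE = {"/etc/cron.daily/0anacron": hashlib.sha256(CLEAN_ANACRON.encode()).hexdigest()}

def audit(sshd=SAMPLE_SSHD, passwd=SAMPLE_PASSWD, cron=SAMPLE_CRON, baseline=BASELINE):
    """Run all checks over the given host state and return the list of findings."""
    findings = [check_sshd_config(sshd), check_passwd(passwd)] + check_cron_tamper(cron, baseline)
    return [f for f in findings if f]

if __name__ == "__main__":
    for f in audit():
        print("FINDING:", f)
```

On a real host, read sshd_config, /etc/passwd and the cron.* directories into the same string and dict shapes, and record the baseline hashes at build time so later drift is reported rather than assumed.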