Overview
- Red Canary reports active intrusions against cloud Linux servers using CVE-2023-46604 in Apache ActiveMQ nearly two years after a fix became available.
- After initial access, the intruders download legitimate ActiveMQ JARs from Apache Maven to overwrite the vulnerable files, effectively applying the vendor patch.
- Persistence is maintained by enabling root logins in sshd, changing the login shell of the games account, and establishing cron-based execution via 0anacron.
- DripDropper is an encrypted PyInstaller ELF that requires a password, contacts a Dropbox account via a hardcoded bearer token, and drops two additional files for ongoing control.
- Observed tooling includes Sliver and Cloudflare Tunnels, and defenders are urged to patch ActiveMQ, harden SSH, restrict service exposure, improve logging, and use policy automation to detect tampering.
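A small host audit for the three persistence changes listed above (root SSH login, the games account shell, cron-driven 0anacron), written as an added example rather than code from Red Canary's report. The sshd_config, passwd and crontab samples are constructed, and treating a crontab line that invokes 0anacron directly (instead of through run-parts) as suspicious is an assumption.

```python
import re

# Constructed sample inputs so the audit runs offline (not data from a real host).
SSHD_CONFIG = """Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
CRONTAB = """17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root /etc/cron.hourly/0anacron
"""
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def permit_root_login(text):
    """Effective PermitRootLogin value: sshd honours the first uncommented match."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"permitrootlogin\s+(\S+)", line, re.I)
        if m:
            return m.group(1).lower()
    return "prohibit-password"  # OpenSSH default when the directive is absent

def interactive_system_accounts(text, max_uid=1000):
    """Non-root system accounts (UID below max_uid) that have a login shell, e.g. games."""
    hits = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] != "root" and int(f[2]) < max_uid and f[6] not in NOLOGIN:
            hits.append(f[0])
    return hits

def direct_anacron_cron_lines(text):
    """Crontab lines naming 0anacron directly (assumption: legitimate runs go via run-parts)."""
    return [l for l in text.splitlines() if "0anacron" in l and "run-parts" not in l]

def audit(sshd=SSHD_CONFIG, passwd=PASSWD, crontab=CRONTAB):
    findings = []
    if permit_root_login(sshd) == "yes":
        findings.append("sshd permits root login")
    for acct in interactive_system_accounts(passwd):
        findings.append(f"system account {acct} has an interactive shell")
    for line in direct_anacron_cron_lines(crontab):
        findings.append(f"cron invokes 0anacron directly: {line}")
    return findings
```

Point the three arguments of `audit()` at the real `/etc/ssh/sshd_config`, `/etc/passwd` and crontab contents to run it against a host.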