Particle.news


Attackers Exploit ActiveMQ Flaw, Then Patch It to Keep Control of Cloud Linux Servers

Red Canary’s report details Dropbox-based persistence that should trigger urgent checks of exposed systems.


Overview

  • Researchers observed exploitation of CVE-2023-46604 followed by replacement of vulnerable ActiveMQ JARs with legitimate Apache Maven files to block rivals and evade scanners.
  • After initial access, attackers used Sliver and Cloudflare Tunnels and modified sshd settings to enable root logins for persistent, high-privilege control.
  • The previously unknown downloader DripDropper, an encrypted PyInstaller ELF requiring a password, communicates with a Dropbox account via a hardcoded bearer token.
  • DripDropper drops two files for persistence and control, including cron-based tasks (such as changes to 0anacron directories) and further SSH configuration tweaks, with one case leveraging the ‘games’ user.
  • Defenders are urged to verify and patch ActiveMQ, disable root SSH access, run services as non-root, restrict ingress to trusted sources, use policy-based automation (e.g., Ansible, Puppet), monitor cloud logs, and follow CISA KEV guidance.
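As an added defender-side example (it is not from the Red Canary report or from this summary), the Python below audits two of the persistence changes listed above. It reports the PermitRootLogin value sshd actually enforces, honouring OpenSSH's first-occurrence rule so that a prepended, duplicated or Match-scoped directive is not misread, and it compares the contents of a cron directory against a recorded SHA-256 baseline to surface modified or dropped entries. Every input is a constructed sample, and the paths, the baseline and the `prohibit-password` default are assumptions.

```python
"""Audit sshd root-login settings and cron-directory drift (added example)."""
import hashlib
import re
from typing import Dict, List, Optional

# Assumed baseline: OpenSSH has defaulted PermitRootLogin to prohibit-password
# since 7.0; a config with no directive therefore still blocks password root logins.
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"


def audit_permit_root_login(config_text: str) -> Dict[str, object]:
    """Return the PermitRootLogin value sshd will enforce for this config.

    sshd applies the FIRST occurrence of a keyword outside Match blocks and
    ignores later duplicates, so an audit that reads the last line (or greps
    for "yes" anywhere) can be fooled in both directions. Values inside Match
    blocks apply conditionally and are reported separately.
    """
    effective: Optional[str] = None
    unconditional: List[str] = []
    in_match: List[str] = []
    in_match_block = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match_block = True  # everything until EOF or next Match is conditional
            continue
        if key != "permitrootlogin":
            continue
        if in_match_block:
            in_match.append(value)
        else:
            unconditional.append(value)
            if effective is None:
                effective = value      # first unconditional occurrence wins
    if effective is None:
        effective = DEFAULT_PERMIT_ROOT_LOGIN
    return {
        "effective": effective,
        "root_login_allowed": effective == "yes",
        "ignored_duplicates": unconditional[1:],
        "match_block_values": in_match,
    }


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def cron_drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff current cron entries (path -> content) against a baseline of digests."""
    modified = [p for p in current if p in baseline and sha256_text(current[p]) != baseline[p]]
    added = [p for p in current if p not in baseline]
    removed = [p for p in baseline if p not in current]
    return {"modified": sorted(modified), "added": sorted(added), "removed": sorted(removed)}


# --- constructed samples (not real host data) -------------------------------
CLEAN_SSHD = "Port 22\nPermitRootLogin prohibit-password\nPasswordAuthentication no\n"
TAMPERED_SSHD = (
    "PermitRootLogin yes\n"              # prepended: this is what sshd enforces
    "Port 22\n"
    "PermitRootLogin prohibit-password\n"  # original line, now ignored
    "Match Address 10.0.0.0/8\n"
    "    PermitRootLogin yes\n"           # conditional override
)
GOOD_ANACRON = "#!/bin/sh\n# constructed stand-in for the distro's 0anacron wrapper\n"
CRON_BASELINE = {"/etc/cron.hourly/0anacron": sha256_text(GOOD_ANACRON)}
CRON_CURRENT = {
    "/etc/cron.hourly/0anacron": GOOD_ANACRON + "/tmp/.x/run.sh\n",  # appended line
    "/etc/cron.hourly/.update": "#!/bin/sh\n/tmp/.x/run.sh\n",       # new file
}


def run_audit() -> Dict[str, object]:
    """Bundle both checks so the result can be asserted on or exported."""
    return {
        "sshd": audit_permit_root_login(TAMPERED_SSHD),
        "cron": cron_drift(CRON_BASELINE, CRON_CURRENT),
    }


if __name__ == "__main__":
    for name, finding in run_audit().items():
        print(name, finding)
```

Record the cron baseline from a freshly built or known-good image and re-run the drift check from your configuration-management pipeline; the sshd check is deliberately conservative and treats any Match-scoped `yes` as a finding worth a human look.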