Exclusive Access Tactics: Cyberattackers 'Patch' Vulnerabilities to Eliminate Competition

2025-08-19

Author: Jia

Unveiling a New Cyber Threat Tactic

A shocking new tactic has emerged in the world of cybercrime: attackers are now patching vulnerabilities post-exploitation. This chilling strategy was uncovered by researchers at Red Canary, revealing a bid by cybercriminals to lock out rivals and maintain exclusive access to compromised systems.

The Vulnerability in Question: CVE-2023-46604

The attacks exploit a serious flaw in Apache ActiveMQ, an open-source message broker, tracked as CVE-2023-46604. This critical vulnerability permits remote code execution (RCE) on cloud-based Linux systems and was publicly disclosed in October 2023. Although a fix has been available since then, unpatched instances remain a target for cybercriminals, enabling attacks such as ransomware and cryptomining.

A Disturbing Discovery

In a recent incident documented by Red Canary, cybercriminals took an alarming step after exploiting the vulnerability: they downloaded two ActiveMQ JAR files and overwrote the vulnerable versions, effectively patching the flaw they had just used to get in. This move not only barred other attackers from using the same entry point but also aimed to minimize detection by vulnerability scanners.

Tactics to Elude Detection

Researchers speculate that this tactic was used to avoid detection by defenders, especially in a landscape filled with competing adversaries. As Red Canary stated in an August 19 report, the patching maneuver did not disrupt the attackers' ongoing operations, because they had already established persistence mechanisms.
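A vulnerability scanner that only reads version strings will report a self-patched broker as fixed, so the defender's signal is the unapproved change itself: a JAR that was swapped for a newer version, or overwritten in place, outside change control. The following is an added example (not Red Canary's code or anything from the report) that records a baseline of ActiveMQ's lib/ directory and flags version drift and content changes against it. It assumes the standard artifact-version.jar naming; the file names, versions and contents in the demo are constructed.

```python
"""Added example: detect ActiveMQ JARs replaced outside change control.

Assumes the broker's JARs live in one lib/ directory and are named
artifact-version.jar. Sample JAR names, versions and bytes below are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# artifact-version.jar, e.g. activemq-client-5.15.0.jar -> ("activemq-client", "5.15.0")
JAR_NAME = re.compile(r"^(?P<artifact>[a-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)+)\.jar$")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(lib_dir: Path) -> dict[str, tuple[str, str]]:
    """Map artifact -> (version, sha256) for every JAR in lib_dir."""
    out: dict[str, tuple[str, str]] = {}
    for jar in sorted(lib_dir.glob("*.jar")):
        m = JAR_NAME.match(jar.name)
        artifact, version = (m["artifact"], m["version"]) if m else (jar.name, "unknown")
        out[artifact] = (version, sha256_file(jar))
    return out


def audit(lib_dir: Path, baseline: dict[str, tuple[str, str]]) -> list[str]:
    """Compare the live lib/ against a baseline taken at a known-good time."""
    findings: list[str] = []
    current = snapshot(lib_dir)
    for artifact, (ver, digest) in baseline.items():
        if artifact not in current:
            findings.append(f"{artifact}: baseline JAR {ver} is missing")
            continue
        cur_ver, cur_digest = current[artifact]
        if cur_ver != ver:
            # Version drift is exactly what a scanner would misread as "fixed".
            findings.append(f"{artifact}: version changed {ver} -> {cur_ver} (unapproved upgrade?)")
        elif cur_digest != digest:
            # Same file name, different bytes: overwritten in place.
            findings.append(f"{artifact}: version {ver} unchanged but file content differs")
    for artifact, (ver, _) in current.items():
        if artifact not in baseline:
            findings.append(f"{artifact}: new JAR {ver} not in baseline")
    return findings


def demo() -> list[str]:
    """Constructed scenario: take a baseline, then simulate one JAR being
    swapped for a newer version and another overwritten under the same name."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        (lib / "activemq-client-5.15.0.jar").write_bytes(b"PK\x03\x04 fake client 5.15.0")
        (lib / "activemq-openwire-legacy-5.15.0.jar").write_bytes(b"PK\x03\x04 fake legacy")
        baseline = snapshot(lib)  # would normally be stored off-host

        (lib / "activemq-client-5.15.0.jar").unlink()
        (lib / "activemq-client-5.18.3.jar").write_bytes(b"PK\x03\x04 fake client 5.18.3")
        (lib / "activemq-openwire-legacy-5.15.0.jar").write_bytes(b"PK\x03\x04 tampered legacy")
        return audit(lib, baseline)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

The baseline should be stored away from the host (or fed from your package inventory), since an attacker who has already written to lib/ can just as easily rewrite a manifest kept beside it. Pair the check with file-modification events on the lib/ directory so a replacement is seen when it happens rather than at the next scheduled run.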

Introducing DripDropper: The Latest Downloader

Moreover, after initial access, these hackers unleashed a potentially harmful downloader known as 'DripDropper' on a series of vulnerable cloud-based Linux endpoints. The command and control (C2) tools employed varied from endpoint to endpoint and included Sliver and Cloudflare tunnels.

Root Access for Total Control

In one chilling instance, after deploying the Sliver implant, the attackers modified the sshd configuration file to allow root login over SSH. With this move, they could exert complete control over the compromised systems, engaging in malicious activities undetected.
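An sshd_config edit is a small, easily missed change, and its effect depends on sshd's parsing rules: for most keywords the first occurrence wins, so a line appended at the bottom changes nothing while an edit to the existing line does, and a setting inside a Match block only applies to matching connections. The audit below is an added example (not Red Canary's code or a recommendation from the report) that parses a config with those rules and flags root-login exposure, including the ignored-duplicate case that still indicates someone tampered with the file. The sample configs are constructed.

```python
"""Added example: audit sshd_config for root-login exposure.

Handles sshd's first-occurrence-wins rule, "Key value" / "Key=value" syntax,
and Match blocks. The sample configurations below are constructed.
"""
import re
from dataclasses import dataclass, field

# OpenSSH default when PermitRootLogin is absent (since OpenSSH 7.0).
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"

# "Keyword value" or "Keyword=value" (optional whitespace around the "=").
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


@dataclass
class SshdConfig:
    global_opts: dict[str, str] = field(default_factory=dict)          # keyword -> first value
    duplicates: list[tuple[str, str, int]] = field(default_factory=list)  # ignored later occurrences
    match_blocks: list[tuple[str, dict[str, str]]] = field(default_factory=list)


def parse_sshd_config(text: str) -> SshdConfig:
    cfg = SshdConfig()
    current: dict[str, str] | None = None  # None while in global scope
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        key, value = key.lower(), value.lower()
        if key == "match":
            current = {}
            cfg.match_blocks.append((value, current))
            continue
        scope = cfg.global_opts if current is None else current
        if key in scope:
            if current is None:
                cfg.duplicates.append((key, value, lineno))  # sshd keeps the first value
        else:
            scope[key] = value
    return cfg


def audit_sshd_config(text: str) -> list[str]:
    cfg = parse_sshd_config(text)
    findings: list[str] = []
    if cfg.global_opts.get("permitrootlogin", DEFAULT_PERMIT_ROOT_LOGIN) == "yes":
        findings.append("global PermitRootLogin is 'yes' (root can log in over SSH)")
    for key, value, lineno in cfg.duplicates:
        if key == "permitrootlogin" and value == "yes":
            findings.append(
                f"line {lineno}: ignored duplicate 'PermitRootLogin yes' "
                "(no effect, first value wins, but the file was edited)"
            )
    for criteria, opts in cfg.match_blocks:
        if opts.get("permitrootlogin") == "yes":
            findings.append(f"Match {criteria}: PermitRootLogin yes for matching connections")
    return findings


# Constructed sample configurations.
HARDENED = "# constructed sample\nPort 22\nPermitRootLogin no\nPasswordAuthentication no\n"
EDITED_IN_PLACE = HARDENED.replace("PermitRootLogin no", "PermitRootLogin yes")
APPENDED = HARDENED + "PermitRootLogin yes\n"
MATCH_SCOPED = HARDENED + "Match Address 203.0.113.0/24\n    PermitRootLogin yes\n"

if __name__ == "__main__":
    for name, cfg in [("hardened", HARDENED), ("edited", EDITED_IN_PLACE),
                      ("appended", APPENDED), ("match", MATCH_SCOPED)]:
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against /etc/ssh/sshd_config and any files pulled in by an Include directive; in practice, `sshd -T` prints the effective configuration and is the authoritative check, while a parser like this one is what you run over collected copies of the file and in change-detection pipelines, where the edit itself, not only its effect, is the alert.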

The DripDropper's Malicious Mission

DripDropper, once downloaded, runs as an encrypted PyInstaller executable and communicates with a hacker-controlled Dropbox account. That communication results in the creation of two harmful files that not only monitor processes but also prepare the system for sustained access by altering user account settings.

Heightening Security Measures

The alarming revelations surrounding the sshd targeting underscore how exposed web servers operating on cloud-based Linux systems can be. In response, researchers at Red Canary have outlined critical recommendations aimed at fortifying security against such sophisticated threats.