{“lastseen”:”2025-08-19T19:08:52″,”description”:”\\n\\nThreat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware called **DripDropper**.\\n\\nBut in an unusual twist, the unknown attackers have been observed patching the exploited vulnerability after securing initial access to prevent further exploitation by other adversaries and evade detection, Red Canary said in a report shared with The Hacker News.\\n\\n\\”Follow-on adversary command-and-control (C2) tools varied by endpoint and included Sliver, and Cloudflare Tunnels to maintain covert command and control over the long term,\\” researchers Christina Johns, Chris Brook, and Tyler Edmonds said.\\n\\nThe attacks exploit a maximum-severity security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0), a remote code execution vulnerability that could be exploited to run arbitrary shell commands. It was addressed in late October 2023.\\n\\n\\n\\nThe security defect has since come under heavy exploitation, with multiple threat actors leveraging it to deploy a wide range of payloads, including HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and Godzilla web shell.\\n\\nIn the attack activity detected by Red Canary, the threat actors have been observed leveraging the access to modify existing sshd configurations to enable root login, granting them elevated access to drop a previously unknown downloader dubbed DripDropper.\\n\\nA PyInstaller Executable and Linkable Format (ELF) binary, DripDropper requires a password to run in a bid to resist analysis. It also communicated with an attacker-controlled Dropbox account, once again illustrating how threat actors are increasingly relying on legitimate services to blend in with regular network activity and sidestep detection.\\n\\nThe downloader ultimately serves as a conduit for two files, one of which facilitates a varied set of actions on different endpoints, ranging from process monitoring to contacting Dropbox for further instructions. Persistence of the dropped file is achieved by modifying the 0anacron file present in \/etc\/cron.hourly, \/etc\/cron.daily, \/etc\/cron.weekly, \/etc\/cron.monthly directories.\\n\\nThe second file dropped by DripDropper is also designed to contact Dropbox for receiving commands, while also altering existing configuration files related to SSH, likely as a backup mechanism for persistent access. The final stage entails the attacker downloading from Apache Maven patches for CVE-2023-46604, effectively plugging the flaw.\\n\\n\\”Patching the vulnerability does not disrupt their operations as they already established other persistence mechanisms for continued access,\\” the researchers said.\\n\\n\\n\\nWhile certainly rare, the technique is not new. Last month, France’s national cybersecurity agency ANSSI detailed a China-nexus initial access broker employing the same approach to secure access to systems and prevent other threat actors from using the shortcomings to get in and mask the initial access vector used in the first place.\\n\\nThe campaign offers a timely reminder for why organizations need to apply patches in a timely fashion, limit access to internal services by configuring ingress rules to trusted IP addresses or VPNs, and monitor logging for cloud environments to flag anomalous activity.\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-08-19T17:37:00″,”modified”:”2025-08-19T17:37:37″,”type”:”thn”,”title”:”Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems”,”source”:””,”references”:””,”id”:”THN:E9513E561E2190C1697874EEEDB02282″,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[“CVE-2023-46604″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:L\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/08\/apache-activemq-flaw-exploited-to.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-19T19:08:52″,”description”:”\\n\\nThreat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware called **DripDropper**.\\n\\nBut…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,36,12,13,7,11,43,5],"class_list":["post-13475","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n