A threat actor has been observed “patching” a vulnerability post exploitation, likely in a bid to lock out other adversaries and secure exclusive access.
The novel tactic was detected by Red Canary researchers in a cluster of activity targeting a flaw in Apache ActiveMQ, an open-source message broker, to gain persistent access on cloud-based Linux systems.
The critical vulnerability, CVE-2023-46604, allows for remote code execution (RCE) in Linux systems due to inadequate validation of throwable class types in OpenWire commands. It was publicly disclosed in October 2023, with software updates issued to fix the bug.
Nearly two years after disclosure, the flaw is still widely targeted for malware deployment enabling attacks ranging from ransomware to cryptomining.
In a recent attack observed by Red Canary researchers, after gaining unrestricted access to a system, the threat actors downloaded two ActiveMQ JAR files, using them to replace the existing JAR files in the vulnerable version. This constitutes a legitimate patch for CVE-2023-46604.
In addition to shutting out competing threat actors, the researchers believe the attacker applied the fix to reduce detection via common methods such as vulnerability scanners.
Patching also lowers the chance that defenders notice the intrusion because a second adversary trips alarms while attempting to exploit the same vulnerability.
“Patching the vulnerability does not disrupt their operations as they already established other persistence mechanisms for continued access,” the Red Canary researchers noted in the August 19 report.
“The patching of the vulnerability to prevent competition underscores how prevalent exploitation can be,” they added.
New Downloader Targets Cloud Linux Systems
After gaining initial access, the attackers were observed carrying out malicious activity on a handful of vulnerable cloud-based Linux endpoints, which included the use of a previously unknown downloader named ‘DripDropper’.
Follow-on adversary command and control (C2) tools varied by endpoint, and included Sliver and Cloudflare tunnels.
In one instance, after installing the Sliver implant, the threat actor modified the existing sshd configuration file to enable root login. This gave them remote access with the highest level of privilege.
sshd is the OpenSSH server process; it listens for incoming SSH connections and handles user authentication, encryption, terminal sessions, file transfers and tunneling.
Under a new session started by sshd, the adversary downloaded DripDropper, an encrypted PyInstaller Executable and Linkable Format (ELF) file.
It communicates with an adversary-controlled Dropbox account using a hardcoded bearer token. This communication results in the creation of two malicious files, which undertake a range of actions including process monitoring, contacting the Dropbox account for further instructions and preparing the system for additional persistent access by altering the default login shell for user accounts.
Finally, a fix was applied to CVE-2023-46604 to further secure long-term access.
How to Protect Webservers in Cloud-Based Linux Systems
The Red Canary researchers said the targeting of sshd in the observed attack highlights the risks of vulnerable webservers in cloud-based Linux systems.
They set out a series of recommendations to enhance security against such threats:
- Enforce policy-based controls for web services such as sshd, leveraging tools like Ansible and Puppet to quickly and automatically revert misconfigurations introduced by adversaries
- Configure web services to run as a non-root account to minimize the potential impact of a compromise
- Enforce mandatory authentication
- Patch and secure vulnerable services using CISA’s Known Exploited Vulnerabilities (KEV) catalog
- Restrict network exposure by configuring ingress rules to trusted IP addresses or VPNs for internal services
- Implement a policy of least privilege for public-facing services
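As an added example (not code from the Red Canary report), the following Python audit checks for the two tampering signs described above: root login enabled in the global section of sshd_config, and a service account whose login shell differs from a known baseline. The sshd_config excerpt and the /etc/passwd lines are constructed sample data.

```python
import re

# Constructed sshd_config excerpt (not from the report): root login turned on globally.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication no
Match User deploy
    PermitRootLogin no
"""

# Constructed /etc/passwd lines for a service account, before and after tampering.
BASELINE_PASSWD = "activemq:x:1001:1001::/opt/activemq:/usr/sbin/nologin\n"
CURRENT_PASSWD = "activemq:x:1001:1001::/opt/activemq:/bin/bash\n"


def global_sshd_option(config_text, keyword):
    """Effective global value of `keyword`, or None if it is never set.

    sshd honours the first occurrence of a keyword, and lines after a Match
    directive apply only to matching sessions, so those lines are ignored."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            in_match = True
            continue
        if not in_match and key == keyword.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def sshd_findings(config_text):
    """Flag the root-login change described above ('no'/'prohibit-password' pass)."""
    value = global_sshd_option(config_text, "PermitRootLogin")
    if value is None:
        return ["PermitRootLogin not set explicitly; compiled-in default applies"]
    if value.lower() == "yes":
        return ["PermitRootLogin %s: root can log in directly over SSH" % value]
    return []


def changed_shells(baseline_passwd, current_passwd):
    """(user, old_shell, new_shell) for accounts whose login shell differs from baseline."""
    def shells(text):
        rows = [row.split(":") for row in text.splitlines()]
        return {r[0]: r[6] for r in rows if len(r) == 7}
    before, after = shells(baseline_passwd), shells(current_passwd)
    return [(u, before[u], after[u]) for u in sorted(after)
            if u in before and before[u] != after[u]]
```

The shell comparison relies on a baseline snapshot taken when the host was known-good, which is exactly what a configuration-management tool such as Ansible or Puppet can provide and enforce.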