ZDNET’s key takeaways
- DripDropper exploits an old security hole.
- After infecting your server, DripDropper patches the hole, not that that will do you much good.
- Basic patch discipline would have stopped this exploit in its tracks.
The security company Red Canary has detected an attacker exploiting CVE-2023-46604, a security hole in Apache ActiveMQ, a popular open-source message broker, to gain persistent access to cloud Linux systems. So far, so much villainy as usual. Where DripDropper changes the game is that, once it’s in, it patches the security hole behind it.
This unusual, but not unheard of, tactic has two purposes. The first is to lock out other malware programs. The other is to mask its presence so you miss spotting its mischief. “It’s unusual to see adversaries ‘fix’ the very systems they’ve compromised, but this strategy ensures their access stays exclusive and makes initial exploitation harder to trace,” said the Red Canary team.
According to Red Canary, DripDropper has been working for a while. What’s especially annoying about this situation is that the security hole in the Java OpenWire protocol has been patched for almost two years. Why anyone would be running an ActiveMQ instance that has such a serious bug — the Apache Software Foundation gave it a maximum danger rating of 10 on the Common Vulnerability Scoring System (CVSS) scale — is beyond me.
Needless to say, once in, DripDropper deploys Command and Control (C2) frameworks such as Sliver and Cloudflare Tunnels for long-term control. These are then used to alter Secure Shell (SSH) configuration files to permit root logins, thus granting the attacker the power to do whatever they want with what was your server.
Under these new settings, the attacker finally drops and executes DripDropper. This is an encrypted PyInstaller ELF binary requiring a password to run. This approach makes reverse engineering difficult. DripDropper itself communicates with a Dropbox account via a hardcoded bearer token to begin its next step.
Typically, DripDropper then deploys two secondary malicious files:
- The first, whose name and location change based on execution arguments, may monitor processes or contact Dropbox for further instructions and is set to run persistently via cron jobs.
- The second is an eight-character random file, also connecting to Dropbox and tweaking SSH settings to enable further covert access through the ‘games’ user account.
Adopting public cloud storage for command and control mirrors tactics seen in high-profile malware families, such as CHIMNEYSWEEP and Mustang Panda. To cement their grip, as a final move, attackers download legitimate ActiveMQ JAR files from Apache’s Maven repository, overwriting the vulnerable originals.
After that step, the attacker can set your server to mine cryptocurrency, dig deeper into your network for potentially valuable content, or do whatever they please.
So, what can you do about this issue? First, you must run an up-to-date and patched ActiveMQ.
You must also harden your host systems and employ policy-based tools, such as Ansible or Puppet, to promptly patch systems, with careful verification and documentation of patch origins. After all, just because you’re running up-to-date software doesn’t mean that some other malware program hasn’t patched you up to abuse your systems in peace.
Other steps include:
- Disable root SSH logins.
- Run web services under non-root accounts.
- Restrict network access using ingress rules, firewalls, and VPNs.
- Implement comprehensive logging for cloud activities to aid detection and forensic investigations.
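As an added example (not code from the article or from Red Canary), a small Python audit for two of the host changes described above: root logins permitted in sshd_config, and the system ‘games’ account given a usable login shell. The sample config and passwd lines are constructed, and the only assumptions are OpenSSH's documented config rules (first value wins, keywords case-insensitive, Match blocks conditional).

```python
"""Added audit helpers (not from Red Canary or ZDNET): check an OpenSSH
sshd_config and a passwd file for the two changes the DripDropper intrusion
is reported to make: root SSH logins enabled and 'games' made a real login."""
import re

DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"  # OpenSSH default when unset
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def global_sshd_values(config_text, keyword):
    """Every global value given for `keyword`, in file order. Keywords are
    case-insensitive, 'key value' and 'key=value' are both legal, and a
    directive inside a Match block is conditional, so scanning stops there."""
    values = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            values.append(parts[1].strip())
    return values


def audit_sshd_config(config_text):
    """Findings about PermitRootLogin; an empty list means nothing to report."""
    findings = []
    values = global_sshd_values(config_text, "PermitRootLogin")
    effective = values[0] if values else DEFAULT_PERMIT_ROOT_LOGIN  # first wins
    if effective.lower() == "yes":
        findings.append("PermitRootLogin is 'yes': root can log in over SSH")
    if len({v.lower() for v in values}) > 1:
        # An appended 'yes' does not win over an earlier line, but a
        # duplicate somebody had to add is itself worth investigating.
        findings.append("conflicting PermitRootLogin lines: " + ", ".join(values))
    return findings


def audit_passwd(passwd_text, watched=("games",)):
    """Flag watched system accounts whose login shell allows a session."""
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] in watched and f[6] not in NOLOGIN_SHELLS:
            findings.append(f"account '{f[0]}' has interactive shell {f[6]}")
    return findings


# Constructed sample input resembling a tampered host (not a real capture).
SAMPLE_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ngames:x:5:60:games:/usr/games:/bin/bash\n"


def run_audit(sshd_config=SAMPLE_SSHD_CONFIG, passwd=SAMPLE_PASSWD):
    return audit_sshd_config(sshd_config) + audit_passwd(passwd)
```

On a live host, feed it the contents of /etc/ssh/sshd_config (and any files it includes) and /etc/passwd; a clean system returns an empty list.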
Source: Robotics - zdnet.com