Threat actors are exploiting a critical vulnerability in Apache ActiveMQ (CVE-2023-46604) to compromise cloud-based Linux systems, gain persistent access, and deploy a previously unknown downloader dubbed DripDropper. In a calculated twist, the attackers are patching the very flaw they exploit to prevent rival intrusions and hide their own tracks.
The exploited bug is a remote code execution flaw in ActiveMQ's OpenWire protocol handling that Apache patched in October 2023. Despite the fix having been available for well over a year, attackers continue to find unpatched brokers and use the flaw to establish control, modify SSH configurations to permit root login, and install DripDropper, a password-protected PyInstaller ELF binary that contacts Dropbox to retrieve and execute further payloads. The payloads observed differ from endpoint to endpoint and can perform tasks such as process monitoring and persistent command-and-control (C2) over Dropbox.
Persistence is achieved by altering cron files and SSH configurations in several directories. Once a foothold and backdoors are in place, the attackers download the fixed ActiveMQ libraries (JARs) from the Apache Maven repository to close CVE-2023-46604, removing the original access vector while keeping their own long-term access. For defenders this has an awkward consequence: a version check or vulnerability scan run after the fact will report the host as patched, so the presence of the fix is no evidence that the system was never compromised. This tactic mirrors behavior seen in other advanced campaigns, including recent Chinese-linked activity reported by France's ANSSI.
The incident highlights the importance of timely patching, restricting who can reach the broker's listener ports (OpenWire defaults to 61616/tcp) via IP allowlists or VPNs, and vigilant monitoring of cloud environments. It also underscores a growing trend: attackers using legitimate services like Dropbox and Cloudflare Tunnels to blend in with normal traffic, evade detection, and maintain a low profile within compromised environments.
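The traces described above (root login enabled in sshd, cron additions, and a broker that was "patched" by the intruder rather than by an upgrade) can be checked for from a shell. The script below is an added example written for this page; it is not code from the article, from Red Canary, or from the Apache project. It assumes ActiveMQ 5.x installed under /opt/activemq, a Debian-style sshd_config plus sshd_config.d drop-ins, and system cron under /etc/cron.d, /etc/crontab and /var/spool/cron; the idea that a hand-patched host shows a mix of JAR versions (a real upgrade replaces them all) is this example's own heuristic, as is the sample host tree it builds in a temp directory so it runs offline.

```sh
#!/bin/sh
# Added triage script (not from the article, Red Canary, or Apache). Paths, the
# cron regex and the "mixed JAR versions" heuristic are this example's assumptions.

# Exit 0 if ActiveMQ version string $1 is in a range affected by CVE-2023-46604.
# Fixed releases per the Apache advisory: 5.15.16, 5.16.7, 5.17.6, 5.18.3.
activemq_vulnerable() {
  ver=$1
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case $rest in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}          # drop "-SNAPSHOT"-style suffixes
  [ -n "$patch" ] || patch=0
  [ "$major" -gt 5 ] && return 1   # 6.x shipped with the fix
  [ "$major" -lt 5 ] && return 0
  case $minor in
    18) [ "$patch" -lt 3 ] ;;
    17) [ "$patch" -lt 6 ] ;;
    16) [ "$patch" -lt 7 ] ;;
    15) [ "$patch" -lt 16 ] ;;
    *)  [ "$minor" -lt 15 ] ;;
  esac
}

# Distinct versions found in $1/lib/activemq-*.jar names, one per line. A clean
# install or upgrade has exactly one; JARs dropped in from Maven leave a mix.
activemq_lib_versions() {
  for jar in "$1"/lib/activemq-*.jar; do
    [ -e "$jar" ] || continue
    v=${jar##*-}
    echo "${v%.jar}"
  done | sort -u
}

# Exit 0 if any non-comment PermitRootLogin directive in the given files is "yes".
ssh_root_login_enabled() {
  grep -qiE '^[[:space:]]*PermitRootLogin[[:space:]]+yes([[:space:]]|$)' "$@" 2>/dev/null
}

# Print file:line:entry for non-comment cron lines that pipe a download into a
# shell, decode base64 inline, or execute something from /tmp or /dev/shm.
cron_suspicious_entries() {
  grep -rHnE '(curl|wget)[^#]*[|][[:space:]]*(ba|da)?sh|base64[[:space:]]+(-d|--decode)|(^|[[:space:]])(/tmp|/dev/shm)/' "$@" 2>/dev/null \
    | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# Run all checks under a root prefix ("/" on a live host); one FINDING line each.
triage() {
  root=${1%/}
  if ssh_root_login_enabled "$root/etc/ssh/sshd_config" "$root"/etc/ssh/sshd_config.d/*.conf; then
    echo "FINDING: PermitRootLogin yes is set in sshd configuration"
  fi
  hits=$(cron_suspicious_entries "$root/etc/cron.d" "$root/etc/crontab" "$root/var/spool/cron" || true)
  if [ -n "$hits" ]; then
    echo "FINDING: suspicious cron entries"
    echo "$hits"
  fi
  vers=$(activemq_lib_versions "$root/opt/activemq")
  for v in $vers; do
    if activemq_vulnerable "$v"; then
      echo "FINDING: ActiveMQ $v JARs present, vulnerable to CVE-2023-46604"
    fi
  done
  if [ "$(printf '%s\n' "$vers" | grep -c .)" -gt 1 ]; then
    echo "FINDING: mixed ActiveMQ JAR versions ($(echo $vers)); check for hand-patched JARs"
  fi
}

# Constructed sample host (not real data): root SSH login enabled via a drop-in,
# a cron task running from /dev/shm, and two 5.18.2 JARs swapped for 5.18.3 while
# the rest of the install stays at 5.18.2. Prints the temp directory path.
build_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/ssh/sshd_config.d" "$d/etc/cron.d" "$d/opt/activemq/lib"
  printf 'PermitRootLogin prohibit-password\nPasswordAuthentication no\n' > "$d/etc/ssh/sshd_config"
  printf 'PermitRootLogin yes\n' > "$d/etc/ssh/sshd_config.d/99-local.conf"
  printf '# nightly housekeeping\n0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/etc/cron.d/logrotate"
  printf '*/10 * * * * root /dev/shm/.cache/update >/dev/null 2>&1\n' > "$d/etc/cron.d/sysupdate"
  for j in activemq-broker-5.18.2 activemq-spring-5.18.2 activemq-client-5.18.3 activemq-openwire-legacy-5.18.3; do
    : > "$d/opt/activemq/lib/$j.jar"
  done
  echo "$d"
}

sample=$(build_sample_tree)
triage "$sample"          # on a live host: triage /
rm -rf "$sample"
```

Against the sample tree the script reports all four findings. The version check alone is the weakest of them: after this actor's clean-up it says "not vulnerable", which is exactly the point made above, so the cron and sshd checks and the mixed-version heuristic are what actually surface the intrusion.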
Medical IT admins and security engineers should keep close tabs on ActiveMQ, as the messaging broker is commonly used middleware in healthcare workflows. Healthcare systems often involve various applications, such as electronic health records (EHRs), laboratory information systems (LIS), and picture archiving and communication systems (PACS), that need to exchange data. ActiveMQ often acts as the central hub that lets these systems communicate through standardized messaging protocols, which also makes it a broker that should never be reachable from the internet.