Exploitation of Apache ActiveMQ Vulnerability Leads to DripDropper Malware Deployment on Cloud Linux Systems

August 19, 2025
Linux / Malware

Threat actors are leveraging a nearly two-year-old security vulnerability in Apache ActiveMQ to gain persistent access to cloud-based Linux systems and install the DripDropper malware. In an unexpected turn, these unidentified attackers have been seen patching the exploited vulnerability after gaining access, likely to prevent further exploitation by others and to evade detection, according to a report from Red Canary shared with The Hacker News. “Follow-on command-and-control (C2) tools varied by endpoint and included Sliver and Cloudflare Tunnels, allowing for covert long-term control,” researchers Christina Johns, Chris Brook, and Tyler Edmonds noted.

The attacks exploit a critical security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0), a remote code execution vulnerability that enables the execution of arbitrary shell commands. This issue was addressed in late October 2023 but has since faced significant exploitation.

Exploitation of Apache ActiveMQ Vulnerability Leads to DripDropper Malware Deployment on Cloud Linux Systems

August 19, 2025

In a troubling development for cybersecurity, threat actors are leveraging a significant vulnerability in Apache ActiveMQ, which has been known for nearly two years, to compromise cloud-based Linux systems. Their primary aim is the installation of DripDropper malware, a tactic that not only allows for persistent access but also complicates defensive responses. This information comes from a recent report by Red Canary, which shed light on the peculiar behaviors exhibited by the attackers. Notably, after initially breaching the systems, these sophisticated adversaries appear to be patching the exploited vulnerability themselves, presumably to thwart the efforts of other malicious actors and enhance their chances of remaining undetected.

The vulnerability being exploited is classified as CVE-2023-46604, with a maximum CVSS score of 10.0, indicating its critical severity. This remote code execution flaw allows attackers to execute arbitrary shell commands on compromised systems. Notably, the vulnerability was addressed in a security update released in late October 2023, yet subsequent evidence suggests that it has been subject to heavy exploitation since that time.

The targets of this malicious campaign are primarily organizations utilizing cloud Linux platforms, which have become increasingly popular due to their scalability and flexibility. The attackers’ methodical approach raises significant concerns about the security of cloud infrastructures and the ongoing risks associated with unpatched vulnerabilities.

Further investigation reveals that the tactics employed by these adversaries align with several key techniques from the MITRE ATT&CK framework. Initial access likely involved exploiting the aforementioned vulnerability, allowing the attackers to embed themselves within the affected systems. Following this, the implementation of command-and-control tools such as Sliver and Cloudflare Tunnels suggests an emphasis on maintaining long-term covert operations. These tools provide the necessary infrastructure for persistence and command execution, ensuring that the attackers retain control over the compromised systems despite potential cleanup efforts.

Additionally, the actions of the attackers post-compromise indicate sophisticated tactical planning. By proactively patching the exploited vulnerability, they reduce the risk of detection and ongoing mitigation efforts by security teams. This unusual behavior not only highlights their intent to maintain control but also reflects a strategic approach to minimizing their operational risks.

As businesses continue to migrate to cloud environments, the risks associated with vulnerabilities like CVE-2023-46604 underline the importance of diligent patch management and robust security practices. Organizations must remain vigilant and proactive in addressing known vulnerabilities to safeguard their infrastructures from evolving cyber threats.

In summary, the exploitation of the Apache ActiveMQ vulnerability serves as a stark reminder of the ever-present risks tied to cybersecurity. As attackers become more adept at leveraging security flaws for their benefit, it is imperative for business owners to prioritize the protection of their digital assets through ongoing vigilance and responsive security measures. The implications of such incidents extend beyond immediate damage, affecting the integrity of entire systems and potentially impacting numerous stakeholders.

Source link

Related Posts

FBI Alerts on FSB-Linked Hackers Targeting Unpatched Cisco Devices for Cyber Espionage

Date: Aug 20, 2025 | Cyber Espionage / Vulnerability

A state-sponsored Russian hacking group, identified as Static Tundra, is exploiting a seven-year-old vulnerability in Cisco IOS and Cisco IOS XE software to gain persistent access to targeted networks. Cisco Talos revealed that these attacks are primarily aimed at telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe. Potential victims are selected based on their “strategic interest” to Russia, with recent targets focusing on Ukraine and its allies amid the ongoing Russo-Ukrainian conflict. The exploited vulnerability, CVE-2018-0171 (CVSS score: 9.8), is a critical flaw in the Smart Install feature of Cisco software, which may allow unauthorized remote attackers to initiate denial-of-service (DoS) attacks or execute arbitrary code.

🔍 Webinar: Uncover and Manage Hidden AI Agents in Your Enterprise Before Hackers Do

📅 Aug 20, 2025
Category: Artificial Intelligence / Enterprise Security

Do you know how many AI agents are currently operating within your organization? If you’re uncertain, you’re not alone—and that’s a significant concern. Every day, AI agents are being deployed across various industries, often initiated by business units eager for quick results, rather than just by IT. This creates a scenario where agents operate unnoticed—without proper identification, ownership, or activity logs. Essentially, they remain invisible.

👉 Register now for “Shadow Agents and Silent Threats: Securing AI’s New Identity Frontier” to learn how to proactively address this escalating issue.

The Hidden Dangers of Shadow AI Agents

Shadow agents aren’t merely benign assistants. If compromised, they can navigate through systems effortlessly, accessing sensitive data or elevating privileges at machine speed. Unlike humans, they are relentless, working around the clock without hesitation.

The reality is that most security programs weren’t designed to handle this challenge. They focus on managing people, not autonomous software agents. As the use of AI continues to rise, these circumstances pose a significant threat.

DOM-Based Clickjacking Vulnerability Threatens Popular Password Managers, Exposing Users to Credential and Data Theft

AUGUST 20, 2025
Vulnerability / Browser Security

Recent findings reveal that widely used password manager browser extensions are vulnerable to DOM-based clickjacking attacks, which can compromise users’ account credentials, two-factor authentication (2FA) codes, and credit card information under specific conditions. Independent security researcher Marek Tóth highlighted this risk during his presentation at DEF CON 33 earlier this month. “With just a single click on an attacker-controlled site, users’ sensitive data—including credit card details, personal information, and login credentials (including TOTP)—can be stolen,” Tóth explained. This new technique is versatile and could potentially target other extension types as well. Clickjacking, also known as UI redressing, involves manipulating users into executing seemingly benign actions on a website, while the real intent is to hijack their information.

Scattered Spider Hacker Sentenced to 10 Years, Ordered to Repay $13M for SIM Swapping Crypto Theft

A 20-year-old member of the infamous cybercrime group Scattered Spider has received a ten-year prison sentence in the U.S. for his role in a series of high-profile hacks and cryptocurrency thefts. Noah Michael Urban, who pleaded guilty to wire fraud and aggravated identity theft in April 2025, will also face three years of supervised release and is required to pay $13 million in restitution to his victims. Urban, who used multiple aliases including Sosa and King Bob, was apprehended by U.S. authorities in Florida in January 2024, following crimes committed between August 2022 and March 2023 that resulted in the theft of over $800,000. In a statement to security journalist Brian Krebs, Urban decried the sentence as unjust.