
Sophisticated Attackers Exploit Two-Year-Old Apache ActiveMQ Flaw to Deploy DripDropper Malware on Linux Cloud Systems
A vulnerability in Apache ActiveMQ that has been public for nearly two years is being actively exploited to gain persistent access to Linux cloud systems and to deploy malware tracked as DripDropper. According to Red Canary, which documented the activity, the attackers patch the vulnerability they exploited once they are inside, both to lock other threat actors out of the same entry point and to reduce their chance of being detected.

Apache ActiveMQ is a widely used open-source message broker that implements the Java Message Service (JMS) API. Because brokers sit at the centre of enterprise messaging, a flaw in one can have far-reaching consequences: the broker is typically reachable by many internal services and often by the internet as well.

The intrusion begins with exploitation of the unpatched ActiveMQ flaw to obtain initial access. The attackers then deploy DripDropper, whose full capabilities are not described in the available reporting; its observed role is persistence, and it is likely also used to deliver further payloads.

What sets this campaign apart is the post-exploitation behaviour. By patching the hole they came in through, the attackers ensure that no other actor can reuse the same entry point and so keep exclusive control of the compromised host. The same step helps them evade detection: a vulnerability scanner now reports the host as patched, so it drops off remediation lists, and any later exploitation attempts by other parties fail quietly rather than triggering alerts. The access the attackers already established is unaffected, since it no longer depends on the vulnerability. The practical consequence for defenders is that a host showing the patched version is not evidence of a clean host.

The impact could be significant, particularly where the affected brokers are part of critical infrastructure or carry sensitive data. Patching a vulnerability after exploiting it indicates a high level of operational security (OPSEC) awareness on the attackers' part.

Organisations running Apache ActiveMQ should ensure that every instance is on a fixed version, and should additionally check how each instance came to be on that version: a broker that was exposed for a period and then became "patched" outside the normal change process deserves an investigation, not a tick in the compliance report. Monitoring for unauthorised access and for unexpected version or file changes in the ActiveMQ installation can surface this kind of compromise.
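The check described above, as an added example that is not Red Canary's or the ActiveMQ project's code: it takes an inventory of brokers and the deployment records from a change pipeline, and reports hosts that are still below a fixed version as well as hosts whose version or jar files changed with no matching deployment on record (the out-of-band "patch" a post-compromise attacker would leave behind). The minimum fixed versions in `MIN_SAFE`, the inventory records and the deployment records are all constructed for illustration; take the real thresholds from the Apache ActiveMQ advisory for the flaw in question and the real records from your CMDB or deployment system.

```python
"""Flag ActiveMQ brokers that are still exposed, and brokers that were
patched outside the normal change process.

Example code, not from Red Canary or the ActiveMQ project.  The version
thresholds, hosts and deployment records below are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed minimum safe version per release line (illustrative values;
# confirm against the vendor advisory before using this for real).
MIN_SAFE = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(v: str) -> tuple:
    """'5.18.3' -> (5, 18, 3); a suffix such as '-SNAPSHOT' is ignored."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_vulnerable(version: str) -> bool:
    """True if the version is below the fix for its release line.
    A line not in the table is judged against the oldest fixed version,
    so lines newer than the newest fixed line count as safe."""
    v = parse_version(version)
    floor = MIN_SAFE.get(v[:2])
    if floor is None:
        return v < min(MIN_SAFE.values())
    return v < floor


@dataclass(frozen=True)
class Host:
    name: str
    version: str        # version taken from the activemq-*.jar names on disk
    jar_mtime: datetime  # newest mtime among those jars


@dataclass(frozen=True)
class Deployment:
    host: str
    version: str
    when: datetime       # when the change pipeline installed that version


def audit(hosts, deployments, slack: timedelta = timedelta(hours=1)) -> dict:
    """Return {host name: 'EXPOSED' | 'UNEXPECTED_PATCH' | 'OK'}.

    EXPOSED          - running a version below the fix.
    UNEXPECTED_PATCH - on a fixed version, but either no deployment of that
                       version is on record, or the jars on disk were
                       written well after the recorded deployment.
    """
    findings = {}
    for h in hosts:
        if is_vulnerable(h.version):
            findings[h.name] = "EXPOSED"
            continue
        matching = [d for d in deployments
                    if d.host == h.name and d.version == h.version]
        if not matching:
            findings[h.name] = "UNEXPECTED_PATCH"
            continue
        latest = max(matching, key=lambda d: d.when)
        if h.jar_mtime > latest.when + slack:
            findings[h.name] = "UNEXPECTED_PATCH"  # jars rewritten later
        else:
            findings[h.name] = "OK"
    return findings


# Constructed sample inventory (not real hosts).
UTC = timezone.utc
SAMPLE_HOSTS = [
    Host("broker-a", "5.18.2", datetime(2025, 3, 1, tzinfo=UTC)),           # still exposed
    Host("broker-b", "5.18.3", datetime(2025, 7, 10, 10, 5, tzinfo=UTC)),   # patched via pipeline
    Host("broker-c", "5.18.3", datetime(2025, 8, 12, 3, 14, tzinfo=UTC)),   # no deployment on record
    Host("broker-d", "5.17.5", datetime(2025, 2, 1, tzinfo=UTC)),           # still exposed
    Host("broker-e", "5.16.7", datetime(2025, 8, 15, tzinfo=UTC)),          # jars rewritten months later
]
SAMPLE_DEPLOYMENTS = [
    Deployment("broker-a", "5.18.2", datetime(2025, 3, 1, tzinfo=UTC)),
    Deployment("broker-b", "5.18.3", datetime(2025, 7, 10, 10, 0, tzinfo=UTC)),
    Deployment("broker-c", "5.18.2", datetime(2025, 3, 1, tzinfo=UTC)),
    Deployment("broker-e", "5.16.7", datetime(2025, 1, 5, tzinfo=UTC)),
]

if __name__ == "__main__":
    for name, finding in sorted(audit(SAMPLE_HOSTS, SAMPLE_DEPLOYMENTS).items()):
        print(f"{name}: {finding}")
```

The comparison deliberately relies on the jar names and mtimes on disk rather than on what the running broker reports about itself, since an attacker who has already replaced the jars controls the latter. An `UNEXPECTED_PATCH` result is a lead to investigate, not a verdict: an administrator who hot-fixed a broker by hand will trip it too, which is exactly the kind of change a change process should be recording.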
This incident underscores the importance of timely patch management and of continuous monitoring of enterprise systems, including the state of the patches themselves. It also highlights an evolving tactic among threat actors, who increasingly take steps to keep a compromised host to themselves and to avoid detection.