{"id":6284,"date":"2025-08-20T10:04:26","date_gmt":"2025-08-20T10:04:26","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/20\/hackers-exploiting-apache-activemq-vulnerability-to-gain-access-to-cloud-linux-systems\/"},"modified":"2025-08-20T10:04:26","modified_gmt":"2025-08-20T10:04:26","slug":"hackers-exploiting-apache-activemq-vulnerability-to-gain-access-to-cloud-linux-systems","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/20\/hackers-exploiting-apache-activemq-vulnerability-to-gain-access-to-cloud-linux-systems\/","title":{"rendered":"Hackers Exploiting Apache ActiveMQ Vulnerability to Gain Access to Cloud Linux Systems"},"content":{"rendered":"

Hackers Exploiting Apache ActiveMQ Vulnerability to Gain Access to Cloud Linux Systems
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A sophisticated campaign uncovered where adversaries are exploiting CVE-2023-46604, a critical remote code execution vulnerability in Apache ActiveMQ, to compromise cloud-based Linux systems.<\/p>\n

In this case, attackers are patching the very vulnerability they exploited to maintain exclusive access and evade detection, demonstrating advanced operational security practices<\/a> typically reserved for nation-state actors.<\/p>\n

Key Takeaways<\/mark><\/strong>
1. Attackers exploit an Apache ActiveMQ vulnerability for remote access to cloud Linux systems.
2. Hackers patch the vulnerability after compromise to prevent detection.
3. New malware uses Dropbox for C2 and modifies SSH for persistent backdoor access.<\/pre>\n
New \u2018DripDropper\u2019 Malware Deployed<\/strong><\/h2>\n
The campaign targets Apache ActiveMQ, a widely used open source message broker written in Java, leveraging CVE-2023-46604 to execute arbitrary code on vulnerable systems.\u00a0<\/p>\n
Red Canary detected<\/a> adversaries conducting discovery commands across dozens of cloud-based<\/a> Linux endpoints, with the vulnerability carrying a 94.44 percent likelihood of exploitation according to its EPSS score.\u00a0<\/p>\n
Security researchers have previously documented this vulnerability being exploited to deploy various malware families, including TellYouThePass, Ransomhub, HelloKitty ransomware, and Kinsing cryptocurrency miners.<\/p>\n
After gaining initial access, the attackers deploy sophisticated command and control infrastructure using legitimate tools like Sliver implants and Cloudflare Tunnels to maintain persistent access.\u00a0<\/p>\n
The adversaries modify SSH daemon configurations by enabling root login access, which is typically disabled by default in modern Linux<\/a> distributions, granting them the highest level of system privileges.<\/p>\n
The threat actors deploy a previously unknown malware strain dubbed \u201cDripDropper,\u201d described as an encrypted PyInstaller ELF (Executable and Linkable Format) file that requires a password to execute, hindering automated sandbox analysis.\u00a0<\/p>\n
DripDropper communicates with adversary-controlled Dropbox accounts using hardcoded bearer tokens, leveraging legitimate cloud services to blend malicious traffic with normal network activity.<\/p>\n
The malware establishes persistence by modifying the 0anacron file in \/etc\/cron.*\/ directories and creates two additional malicious files with randomized eight-character alphabetical names.\u00a0<\/p>\n
\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\nApache ActiveMQ (open source message broker)<\/td>\n<\/tr>\n
Impact<\/td>\nRemote Code Execution (RCE)<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\nNetwork access to vulnerable ActiveMQ service<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n9.8 (Critical)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
These secondary payloads alter SSH configuration files and modify the default login shell for the \u2018games\u2019 user account to \/bin\/sh, preparing the system for sustained remote access.<\/p>\n
Most notably, the attackers download legitimate Apache ActiveMQ JAR files from repo1[.]maven[.]org and replace the vulnerable components, effectively patching CVE-2023-46604 after exploitation.\u00a0<\/p>\n
This technique prevents other adversaries from exploiting the same vulnerability and reduces the likelihood of detection through vulnerability scanners<\/a>, ensuring their exclusive control over compromised systems.<\/p>\n
Organizations must implement comprehensive security strategies that go beyond traditional vulnerability management, including robust logging, configuration monitoring, and the principle of least privilege across their Linux and cloud environments.<\/p>\n
Safely detonate suspicious files to uncover threats, enrich your investigations, and cut incident response time.\u00a0Start with an\u00a0ANYRUN sandbox trial<\/a>\u00a0\u2192\u00a0<\/code><\/strong><\/p>\n
The post Hackers Exploiting Apache ActiveMQ Vulnerability to Gain Access to Cloud Linux Systems<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Florence Nightingale
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
Hackers Exploiting Apache ActiveMQ Vulnerability to Gain Access to Cloud Linux Systems A sophisticated campaign uncovered where adversaries are exploiting CVE-2023-46604, a critical remote code execution vulnerability in Apache ActiveMQ, to compromise cloud-based Linux systems. In this case, attackers are patching the very vulnerability they exploited to maintain exclusive access and evade detection, demonstrating advanced […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,258,131,648],"tags":[130],"class_list":["post-6284","post","type-post","status-publish","format-standard","hentry","category-cyber-security-news","category-malware","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6284"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6284"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6284\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}