An attacker is breaching cloud Linux servers using Dropbox to exploit, and then patch, a two-year-old Apache vulnerability.

The attacker, discovered by Red Canary, is exploiting CVE-2023-46604, a vulnerability in the Java-based message broker Apache ActiveMQ, to breach servers and install a loader given the name DripDropper.

Researchers found that after deploying DripDropper, attackers were downloading the patch for the bug and replacing vulnerable components to “lock the door” they used to get in.

Red Canary said the method was “a great way to potentially lock out other adversaries, ensuring their foothold remains exclusive” and obscure the initial access technique.

The idea of hackers self-patching is not new. It was previously seen during attacks on a trio of Ivanti CSAs in 2024, where it was used to sell access to breached servers.

Increased adoption of the tactic should encourage administrators to verify how issues were patched when completing scans, said Red Canary, with answers found in “documentation from a healthy change management approach.”

How does DripDropper work?

In this campaign, after gaining access to the system, threat actors were seen installing command and control tools including Sliver and using Cloudflare tunnels to maintain long-term control and deploy DripDropper.

Once DripDropper, an encrypted PyInstaller Executable and Linkable Format (ELF) file, is installed, the loader communicates with the threat actor’s Dropbox account to create malicious files.

Researchers said the use of a PyInstaller ELF file to target encrypted Linux systems is particularly rare.

The first file dropped by the loader changes depending on the circumstances of the breached system, but DripDropper will often modify a 0anacron file in each affected /etc/cron.*/ directory to establish persistence.

The second file is given a random eight-character alphabetical name and will contact the Dropbox account again for further commands, which usually involve modifying existing SSH configuration files.

Specifically, researchers observed modifications changing the default login shell of the “games” user account to /bin/sh, likely giving the attacker a new access point via the games account for issuing shell commands.
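As an added defender-side example (not code from Red Canary's report or the original article), a small Python audit that checks the two persistence indicators just described: a system account such as “games” given an interactive login shell, and 0anacron files under /etc/cron.*/ whose content no longer matches a recorded baseline. The /etc/passwd excerpt, the 0anacron body and the baseline hashes are constructed for illustration.

```python
"""Audit checks for the DripDropper persistence indicators described above.
All sample inputs here are constructed, not taken from a real host."""
import hashlib
from typing import Dict, List

# Constructed /etc/passwd excerpt: 'games' has been switched to /bin/sh.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""

INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}


def system_accounts_with_interactive_shell(passwd_text: str, uid_max: int = 999) -> List[str]:
    """Non-root system accounts (UID <= uid_max) whose login shell is interactive.
    Distros ship such accounts with nologin or /bin/false, so /bin/sh on 'games'
    is worth an alert."""
    flagged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blank or malformed lines instead of aborting the audit
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if name != "root" and uid <= uid_max and shell in INTERACTIVE_SHELLS:
            flagged.append(name)
    return flagged


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed known-good 0anacron body and a baseline recorded at build time.
GOOD_0ANACRON = "#!/bin/sh\n[ -x /usr/sbin/anacron ] || exit 0\n"
BASELINE = {path: sha256(GOOD_0ANACRON)
            for path in ("/etc/cron.daily/0anacron", "/etc/cron.weekly/0anacron")}

# Constructed current state: the daily copy has had an extra line appended.
CURRENT_0ANACRON = {
    "/etc/cron.daily/0anacron": GOOD_0ANACRON + "/opt/constructed/extra-task\n",
    "/etc/cron.weekly/0anacron": GOOD_0ANACRON,
}


def modified_anacron_files(current: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Paths whose content hash differs from the baseline, plus any path with no
    baseline at all (a newly dropped file is also a finding)."""
    return sorted(p for p, body in current.items() if baseline.get(p) != sha256(body))


if __name__ == "__main__":
    print("suspicious shells:", system_accounts_with_interactive_shell(SAMPLE_PASSWD))
    print("modified 0anacron:", modified_anacron_files(CURRENT_0ANACRON, BASELINE))
```

On a live host, read /etc/passwd and the 0anacron files in place of the constructed samples and take the baseline hashes from package metadata or a change-management record, as the article recommends.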

Please, please, please patch your systems

The new attacker is just the latest to exploit CVE-2023-46604 to deploy malware, with TellYouThePass, RansomHub, HelloKitty and Kinsing all seen deployed via the vulnerability.

Red Canary said this campaign used familiar Linux-focussed tactics, including scheduled tasks for persistence and command and control over channels that legitimate traffic also uses.

The issue yet again highlights the importance of patching sensitive services and monitoring logs to identify breaches, with researchers spotting DripDropper while monitoring cloud Linux systems.