Thursday, August 28, 2025

Hackers Observed Patching an Exploited Linux Vulnerability



An Apache ActiveMQ flaw is being actively exploited, according to findings from Red Canary. There is, however, an unconventional element to this exploitation: the threat actors targeting this flaw are also patching the exploited vulnerability after gaining initial access, preventing other adversaries from leveraging it and avoiding detection.

Security Leaders Weigh In

Neil Pathare, Associate Principal Consultant at Black Duck:

This relatively uncommon technique is used by persistent threat actors seeking to maintain exclusive access to compromised systems while avoiding detection. Unfortunately, security engineers may mistakenly believe their environments are "secure" simply because they appear to have been patched; traditional patch management systems typically don't report who applied the patch. Adversary patching represents a sophisticated threat, especially in fast-moving, cloud-native environments, and organizations should adopt a proactive approach of structured log reviews, forensic analysis, or anomaly detection.

Jason Soroko, Senior Fellow at Sectigo:

Red Canary's finding is a classic case of patching for persistence. An adversary exploited the 2023 ActiveMQ RCE (CVE-2023-46604), established footholds with tools like Sliver and Cloudflare Tunnels, then quietly replaced the vulnerable ActiveMQ JARs with fixed versions from the Apache Maven repo, closing the very hole they used so scanners and opportunistic rivals wouldn't trip the alarm. On top of that, they hardened access by enabling root logins over SSH and deploying a password-gated PyInstaller ELF ("DripDropper") that talks to Dropbox, with cron-based persistence via the `0anacron` scripts, tradecraft designed to blend in and stick around even after the vulnerability disappears from reports.

We've seen this tactic before. During the Citrix NetScaler/ADC CVE-2019-19781 wave, researchers documented 'adversary patching' and the NOTROBIN backdoor, which removed competitors' webshells and altered components so only the intruder with a secret key could re-enter, leaving victims 'patched' yet still backdoored. Similarly, government guidance during Log4Shell noted cases where attackers patched Log4j after compromise to evade detection. It's very possible for a security team to miss detecting someone else performing a patch. Unless teams correlate patch timestamps with authorized change tickets and hunt for side effects, they'll wrongly assume remediation was internal and complete.

Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit:

Most legacy vulnerability scanners and patch management systems focus on whether a vulnerability is patched, not who patched it. In such situations, security teams often would not notice immediately and incorrectly assume they're protected, missing that the patching occurred via compromise. However, modern vulnerability management solutions now also include built-in patch management workflows and ticketing systems. There definitely will be pointers in these systems: a vulnerability was discovered and assigned to someone on the security team to manage the risk, and before that person got to mitigating it, the vulnerability now says patched. This missing patch attribution can help identify affected systems.
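As an added illustration of the correlation Soroko and Dani describe (this is example code, not part of the article or of Red Canary's findings): flag patched artifacts that appeared on a host outside every approved change window, and check whether sshd_config now permits root logins. Host names, file paths, timestamps and the ticket fields are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class PatchEvent:
    host: str
    component: str
    path: str
    observed: datetime  # when the patched artifact appeared (e.g. file mtime)

@dataclass
class ChangeTicket:
    host: str
    component: str
    start: datetime  # approved maintenance window
    end: datetime

def unattributed_patches(events, tickets, slack=timedelta(hours=2)):
    """Return patch events that no approved change ticket covers on that host."""
    flagged = []
    for ev in events:
        covered = any(
            t.host == ev.host and t.component == ev.component
            and t.start - slack <= ev.observed <= t.end + slack
            for t in tickets
        )
        if not covered:
            flagged.append(ev)
    return flagged

def root_login_enabled(sshd_config: str) -> bool:
    """True when sshd_config sets 'PermitRootLogin yes' (Match blocks ignored;
    OpenSSH defaults to prohibit-password when the directive is absent)."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower() == "yes"  # sshd honours the first occurrence
    return False

# Constructed sample data: one approved window on mq-01, and the same JAR
# replaced on mq-02 three days later with no ticket at all.
T = datetime(2025, 8, 1, 10, 0)
SAMPLE_TICKETS = [ChangeTicket("mq-01", "activemq", T, T + timedelta(hours=1))]
SAMPLE_EVENTS = [
    PatchEvent("mq-01", "activemq", "/opt/activemq/lib/activemq-client.jar", T + timedelta(minutes=20)),
    PatchEvent("mq-02", "activemq", "/opt/activemq/lib/activemq-client.jar", T + timedelta(days=3)),
]
SAMPLE_SSHD = "# constructed sshd_config excerpt\nPermitRootLogin yes\nPasswordAuthentication yes\n"
```

Feed `unattributed_patches` from your inventory or file-integrity data and your change system's export; every hit is a patch with no internal owner and should be triaged as a possible compromise rather than closed as remediated.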

Nivedita Murthy, Senior Staff Consultant at Black Duck:

Patching vulnerable software after taking advantage of its vulnerability is definitely a new tactic to avoid detection. However, this points to a much bigger problem of attackers being able to install software without any additional permission. This vulnerability should have been detected by the IT team, especially on the server. The attackers gained root access, and that should have been flagged by any server monitoring tool. This incident highlights the need for stricter controls on operating environments and deeper detection mechanisms to identify changes that weren't permitted.
