
Critical Apache ActiveMQ Vulnerability Actively Exploited to Deploy Malware
A severe security flaw in Apache ActiveMQ is being actively exploited in the wild, allowing threat actors to deploy a malware dropper known as DripDropper. The vulnerability, tracked as CVE-2023-46604, is a Remote Code Execution (RCE) flaw in the broker's OpenWire protocol (listening on TCP port 61616 by default) that affects every supported 5.x branch before the fixed releases listed below. Because it is easy to exploit and ActiveMQ is widely deployed, immediate action is required to prevent system compromise.
The vulnerability carries the maximum CVSS score of 10.0. A single crafted OpenWire message makes the broker instantiate an attacker-chosen Java class via reflection, so an unauthenticated attacker can run arbitrary commands on the server without any credentials. In practice this hands them a key to the front door and full control of the affected system.
What is DripDropper?
The primary payload being delivered through this exploit is a malware dropper named DripDropper. A “dropper” is a type of malicious program designed to install other, more harmful malware onto a compromised system. DripDropper is particularly dangerous due to its stealth and its ability to disable security measures before deploying its final payload.
Once executed on a vulnerable server, DripDropper performs several malicious actions:
- Disables Security Software: It attempts to shut down and cripple security tools, most notably Microsoft Defender, to operate undetected.
- Downloads Additional Malware: It connects to a remote server to download and execute subsequent malicious payloads.
- Establishes Persistence: The malware ensures it can survive a system reboot, maintaining long-term access for the attackers.
Security researchers have observed DripDropper being used to install various threats, including cryptocurrency miners and command-and-control implants such as Cobalt Strike beacons, which are frequently used as a foothold for deploying ransomware.
The Attack Chain: From Vulnerability to Payload
The attack is straightforward and highly effective, making it a significant threat to any organization running a vulnerable version of Apache ActiveMQ.
- Scanning and Discovery: Attackers continuously scan the internet for public-facing Apache ActiveMQ servers.
- Exploitation: Once a vulnerable server is identified, the attacker exploits CVE-2023-46604 to gain initial access and execute commands.
- Malware Delivery: The initial command downloads the DripDropper malware from a malicious repository.
- Evasion and Deployment: DripDropper runs, disables security protections, and then downloads the final malicious payload, which could be anything from information stealers to ransomware.
This entire process is automated and can occur within minutes of a vulnerable server being discovered, leaving IT and security teams with very little time to react.
Urgent Security Recommendations: How to Protect Your Systems
Given the active exploitation of this vulnerability, administrators must take immediate steps to secure their environments. Simply having a firewall is not enough if the service is exposed to the internet.
1. Patch Immediately
This is the most critical step. The Apache Software Foundation has released patched versions that resolve CVE-2023-46604. Upgrade to the fixed release for your branch, or any later release, as soon as possible:
- ActiveMQ 5.15.16
- ActiveMQ 5.16.7
- ActiveMQ 5.17.6
- ActiveMQ 5.18.3
Delaying this update leaves your systems exposed to a known and active threat. Note also that a broker found already patched is not proof it was never compromised: in the DripDropper intrusions the attackers applied the official fix themselves after gaining access, both to lock out rival attackers and to keep the exploited hole off vulnerability scanners. Treat any broker that was reachable while unpatched as potentially compromised and hunt for persistence rather than relying on the version number alone.
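The version triage behind the list above, together with the discovery step from the attack chain (reading a broker's OpenWire banner the way a scanner does), as a worked example. This is added here and is not code from the original article or from the ActiveMQ project. It assumes the fixed releases are exactly those listed, treats every branch older than 5.15 as vulnerable (those lines have no fix of their own), treats 5.19+ and 6.x as fixed, and assumes the broker advertises its version as a cleartext "ProviderVersion" string in the WireFormatInfo frame it sends on connect. The banner bytes in the block are constructed to approximate that frame, not a real capture, and the function names (assess, version_from_banner, grab_banner, triage_banner) are the example's own.

```python
"""Triage helper for CVE-2023-46604 (Apache ActiveMQ OpenWire RCE).

Added example; not code from the article or from the ActiveMQ project.
Assumptions: the fixed releases are exactly those the article lists;
every branch older than 5.15 is treated as vulnerable (no fix on those
lines); 5.19+ and 6.x are treated as fixed; and the broker advertises
its version as a cleartext "ProviderVersion" string in the WireFormatInfo
frame it sends on connect. SAMPLE_BANNER below is constructed, not a capture.
"""
import re
import socket
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Earliest safe release on each branch the advisory lists.
FIXED = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# "ProviderVersion" is followed by a few framing bytes (type tag, length)
# and then the version text; the lazy gap tolerates small layout differences.
BANNER_VERSION_RE = re.compile(rb"ProviderVersion.{0,8}?(\d+\.\d+\.\d+)", re.DOTALL)


def parse_version(text: str) -> Optional[Version]:
    """Pull a major.minor.patch triple out of e.g. '5.18.2' or 'ActiveMQ 5.18.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, release_to_upgrade_to); the target is None when already safe."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    branch = (v[0], v[1])
    if branch in FIXED:
        fixed = FIXED[branch]
        return (True, fmt(fixed)) if v < fixed else (False, None)
    if branch < (5, 15):
        # Unsupported line with no fix of its own: move to the newest listed fix.
        return True, fmt(FIXED[(5, 18)])
    return False, None  # 5.19+ / 6.x were released after the fix landed


def version_from_banner(banner: bytes) -> Optional[str]:
    """Extract the advertised version from a raw WireFormatInfo frame."""
    m = BANNER_VERSION_RE.search(banner)
    return m.group(1).decode("ascii") if m else None


def grab_banner(host: str, port: int = 61616, timeout: float = 3.0) -> bytes:
    """Read the WireFormatInfo frame the broker sends first; nothing is sent to it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(4096)


def triage_banner(banner: bytes) -> dict:
    """Combine banner parsing and the version check into one verdict."""
    version = version_from_banner(banner)
    if version is None:
        return {"version": None, "vulnerable": None, "upgrade_to": None}
    vulnerable, upgrade_to = assess(version)
    return {"version": version, "vulnerable": vulnerable, "upgrade_to": upgrade_to}


# Constructed stand-in for what a 5.18.2 broker sends on connect (layout approximate).
SAMPLE_BANNER = (
    b"\x00\x00\x00\x7a"                    # frame length
    b"\x01"                                # command type 1 = WIREFORMAT_INFO
    b"\x00\x00\x00\x08ActiveMQ"            # magic
    b"\x00\x00\x00\x0c"                    # OpenWire protocol version
    b"\x00\x00\x00\x3a"                    # properties map length
    b"\x00\x0cProviderName\x09\x00\x08ActiveMQ"
    b"\x00\x0fProviderVersion\x09\x00\x065.18.2"
    b"\x00\x11StackTraceEnabled\x01\x01"
)


if __name__ == "__main__":
    import sys
    # With a host argument, probe a live broker; otherwise run on the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    banner = grab_banner(target) if target else SAMPLE_BANNER
    print(triage_banner(banner))
```

Run it with no arguments to see the verdict on the constructed banner, or pass a hostname to read the banner from a real broker on port 61616. The check is a passive read: the script never sends an OpenWire command, so it is safe to point at production. Two caveats follow from the article itself: a "not vulnerable" verdict only means the fix is present now, not that the host was never exploited, and a broker that reports a fixed version despite nobody on the team having upgraded it should be treated as a compromise indicator rather than good news.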
2. Restrict Network Access
Source: https://securityaffairs.com/181356/malware/hackers-deploy-dripdropper-via-apache-activemq-flaw-patch-systems-to-evade-detection.html