
Apache ActiveMQ Breach Reveals Unusual Attacker Behavior

Security researchers have confirmed that a recent wave of cyberattacks is exploiting a critical vulnerability in Apache ActiveMQ, allowing attackers to compromise Linux servers and install long-term persistence tools. The attackers are not only gaining access through a known remote code execution flaw but are also patching the vulnerability afterward to cover their tracks.

The exploit centers around CVE-2023-46604, a serious vulnerability disclosed last October. While a fix has been available for months, attackers are targeting systems that remain unpatched, particularly in cloud-hosted environments.

How the Attack Works

Once inside, the attackers deploy a stealthy malware loader named DripDropper. It is a password-protected PyInstaller executable designed to avoid detection. The loader reaches out to a Dropbox account controlled by the threat actor, which serves as a command and control channel.

This communication method allows the malware to blend in with regular traffic, making it harder for defenders to spot. In some cases, the attackers also install “Sliver implants” and use “Cloudflare Tunnels” to maintain long-term access. After gaining a foothold, they apply the official security patch to the exploited ActiveMQ instance, effectively locking out other attackers and making the original compromise more difficult to detect during post-incident review.

This behavior is unusual. Most attackers do not patch the vulnerabilities they exploit. In this case, the patch serves a defensive function, helping the attacker remain hidden and ensuring no other group can use the same entry point.

The use of legitimate cloud services like Dropbox for command and control also raises the bar for detection. These services are often trusted by default in many corporate networks.

For organizations running ActiveMQ, this incident is a strong reminder to validate that the patch for CVE-2023-46604 has not only been applied but also reviewed for integrity. If attackers are installing the patch themselves, it becomes harder to distinguish a secured system from a compromised one.
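The check above, as an added example that is not part of the original post: it reads the ActiveMQ version from the client jar name, decides whether it is at or above the fixed release for CVE-2023-46604, and then flags any patched jar whose modification time falls outside an approved change window, since a patch nobody on the team applied is the signal this article describes. The fixed release numbers are taken from the Apache advisory rather than from this post, and the jar paths, timestamps and maintenance windows are constructed sample data.

```python
"""Audit ActiveMQ jars for CVE-2023-46604 and flag patches that no change record explains."""
import re
from datetime import datetime, timezone

UTC = timezone.utc
# Fixed releases per the Apache advisory for CVE-2023-46604, keyed by maintenance branch.
FIXED = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7), (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}
JAR_RE = re.compile(r"activemq-(?:client|all|broker)-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(jar_path):
    """Return (major, minor, patch) from a jar file name, or None if it is not an ActiveMQ jar."""
    m = JAR_RE.search(jar_path)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version):
    """True when the version is at or above its branch's fixed release, or on a newer branch."""
    branch = version[:2]
    if branch in FIXED:
        return version >= FIXED[branch]
    return version > max(FIXED.values())  # older branches (5.14 and below) were never fixed


def audit(jars, change_windows):
    """jars: {path: mtime (UTC)}; change_windows: approved (start, end) patch windows.
    Returns (path, finding) pairs. 'patched-unverified' means the fixed jar appeared
    outside every approved window and the host should be treated as possibly compromised."""
    findings = []
    for path, mtime in jars.items():
        version = parse_version(path)
        if version is None:
            findings.append((path, "unknown-version"))
        elif not is_fixed(version):
            findings.append((path, "vulnerable"))
        elif any(start <= mtime <= end for start, end in change_windows):
            findings.append((path, "patched-approved"))
        else:
            findings.append((path, "patched-unverified"))
    return findings


# Constructed sample hosts: one unpatched, one patched inside the window, one patched at 03:14 by nobody we know.
SAMPLE_JARS = {
    "/opt/mq-a/lib/activemq-client-5.18.2.jar": datetime(2023, 6, 1, 9, 0, tzinfo=UTC),
    "/opt/mq-b/lib/activemq-client-5.17.6.jar": datetime(2023, 11, 4, 22, 0, tzinfo=UTC),
    "/opt/mq-c/lib/activemq-client-5.18.3.jar": datetime(2023, 11, 2, 3, 14, tzinfo=UTC),
}
SAMPLE_WINDOWS = [(datetime(2023, 11, 4, 20, 0, tzinfo=UTC), datetime(2023, 11, 5, 2, 0, tzinfo=UTC))]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_JARS, SAMPLE_WINDOWS):
        print(f"{finding:20} {path}")
```

A "patched-unverified" host is the case to investigate first: compare the jar's timestamp with who had access at that time, and look for the loader, implant and tunnel artifacts the article describes rather than assuming the fixed version means the box is clean.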

Closing Reflection

This breach demonstrates that attackers are not just exploiting missed patches—they are manipulating the patching process itself. The steps taken after initial access are not random. They are designed to preserve control, avoid detection, and stay in place for as long as possible.

Security teams should not assume that patched means safe. In this case, it may mean someone else got there first.


*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by Rebecca Kappel. Read the original post at: https://www.centraleyes.com/apache-activemq-breach/