Cybersecurity company Red Canary detected an adversary exploiting a 2023 Apache vulnerability…and then patching it up.
But don’t think attackers are doing a good deed. The remediation allowed a kind of VIP access for the intruder.
“We assess the adversary likely did this to reduce detection via common methods, such as vulnerability scanners, and to effectively reduce the likelihood of being spotted by defenders,” the report read.
The Denver-based Red Canary, which did not respond to a request for comment, shared details in its August 19 blog.
- Red Canary detected an adversary running discovery commands on “dozens of cloud-based Linux endpoints.” The target endpoints had a critical, unpatched remote code vulnerability (CVE-2023-46604) in Apache ActiveMQ, a popular, open-source message broker built on top of Java.
- By modifying files related to Secure Shell (SSH), a remote-access protocol widely used by admins, attackers gained access “with the highest level of privilege.” With SSH capabilities, the attacker deployed DripDropper malware. DripDropper, according to Red Canary, allowed the attacker to issue shell commands—system instructions, like the deleting and moving of files, which can be malicious in nature.
- Then, the intruder patched the already compromised system. “Patching the vulnerability does not disrupt their operations as they already established other persistence mechanisms for continued access,” the post read.
Attackers have been known to perform almost-benevolent security practices: crypto miners shutting down malicious processes (of competing cryptominers); botnets booting out malware (from outsiders); and a reported and likely China-nexus threat actor patching vulnerabilities (to prevent access by other attackers).
“It is like picking a lock to slip into your house, then replacing or repairing that lock once inside so no one else, including the other criminals or the homeowners, can use that same entry point,” Ensar Seker, VP of research and CISO at SaaS platform SOCRadar, told us. “If you’re only scanning for non-vulnerabilities and now the CVE is no longer present, you might miss this.”
Seker recommends using open-source security platforms like Osquery and Wazuh to detect low-level changes to the system files, binaries, and services, “including changes to the vulnerability component that was mysteriously fixed.”
Red Canary advised admins to investigate their important patches and to confirm who actually performed the remediation, not merely that it was applied.
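The two defensive checks described above, file-integrity monitoring of SSH-related files (Seker's recommendation) and attributing a patch to the person who applied it (Red Canary's advice), as an added example that is not from the article, Red Canary, SOCRadar, Osquery or Wazuh. The watchlist of SSH files, the package name, the apt `history.log` stanzas and the "baseline" file contents are all constructed for illustration; the `Requested-By` field is the real line apt writes when a user ran it through sudo, and its absence is the signal worth investigating.

```python
"""Added example (not from the article or any vendor named in it):
a minimal file-integrity check for SSH-related persistence points,
plus an apt history parser that reports who requested each upgrade
of a given package. All sample data below is constructed."""
import hashlib
import os
import re
import tempfile

# Files commonly modified to keep SSH access; the list is an assumption
# for this example, not Red Canary's or SOCRadar's detection logic.
SSH_WATCHLIST = [
    "/etc/ssh/sshd_config",
    "/root/.ssh/authorized_keys",
]


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, watchlist=SSH_WATCHLIST):
    """Record the hash of each watched file under `root` (None if absent)."""
    baseline = {}
    for rel in watchlist:
        full = os.path.join(root, rel.lstrip("/"))
        baseline[rel] = sha256_file(full) if os.path.exists(full) else None
    return baseline


def diff_against_baseline(root, baseline):
    """Return watched files whose hash changed, appeared or disappeared."""
    current = build_baseline(root, list(baseline))
    return sorted(p for p in baseline if baseline[p] != current[p])


# apt writes one stanza per transaction to /var/log/apt/history.log;
# "Requested-By" is present only when a user invoked apt via sudo.
STANZA_FIELD = re.compile(
    r"^(Start-Date|Commandline|Requested-By|Upgrade): (.*)$", re.M)


def attribute_patches(history_text, package):
    """Return (date, requester, commandline) for each upgrade of `package`."""
    findings = []
    for stanza in history_text.strip().split("\n\n"):
        fields = dict(STANZA_FIELD.findall(stanza))
        if package in fields.get("Upgrade", ""):
            findings.append((
                fields.get("Start-Date", "?"),
                fields.get("Requested-By", "unknown (no sudo record)"),
                fields.get("Commandline", "?"),
            ))
    return findings


# Constructed apt history: the first upgrade is attributable to an admin,
# the second carries no Requested-By line and needs a closer look.
SAMPLE_HISTORY = """\
Start-Date: 2025-08-01  09:12:03
Commandline: apt-get upgrade activemq
Requested-By: alice (1001)
Upgrade: activemq:amd64 (5.17.0, 5.18.3)
End-Date: 2025-08-01  09:12:40

Start-Date: 2025-08-10  03:44:11
Commandline: apt-get install -y activemq
Upgrade: activemq:amd64 (5.18.3, 5.18.6)
End-Date: 2025-08-10  03:44:52
"""


def demo():
    """Run both checks on constructed data; returns (changed_files, patches)."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SSH_WATCHLIST:
            full = os.path.join(root, rel.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write("baseline\n")
        baseline = build_baseline(root)
        # Constructed change: an extra key line appended after the baseline.
        keys = os.path.join(root, "root/.ssh/authorized_keys")
        with open(keys, "a") as f:
            f.write("ssh-ed25519 PLACEHOLDER-KEY unattributed\n")
        changed = diff_against_baseline(root, baseline)
    return changed, attribute_patches(SAMPLE_HISTORY, "activemq")


if __name__ == "__main__":
    changed, patches = demo()
    print("changed:", changed)
    for date, who, cmd in patches:
        print(f"{date}  requested by {who}: {cmd}")
```

On a real host the baseline would be taken once after a known-good configuration and stored off the box; a tool such as Osquery or Wazuh does the same hashing continuously and ships the events to a central console, which is what the article's quoted advice points to.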
“Defenders should patch first, preventing the exploit (and with that, the attacker patching),” SANS Technology Institute Dean of Research Johannes Ullrich wrote to us in an email. “The issue isn’t that the attacker is patching the system, but that the defender didn’t do it first.”