Hacker “Patches” Own Vulnerability to Lock Out Rivals

Summary
– A threat actor patched a vulnerability post-exploitation to lock out competitors and secure exclusive access to compromised systems.
– The attack targeted CVE-2023-46604, a critical Apache ActiveMQ flaw allowing remote code execution on Linux systems.
– Attackers used a previously unknown downloader called ‘DripDropper’ that communicates with an adversary-controlled Dropbox account for instructions.
– The threat actors established persistence through multiple methods, including modifying SSH configurations and altering user account login shells.
– Patching the vulnerability reduced detection risks from scanners and prevented other adversaries from exploiting the same entry point.
A concerning new trend in cybercrime has emerged where attackers patch the very vulnerabilities they exploit, effectively locking out rival hackers and securing long-term access to compromised systems. This tactic, observed by security researchers, represents a strategic shift in how threat actors maintain control over infected networks while evading detection.
Researchers at Red Canary recently identified this behavior in attacks targeting CVE-2023-46604, a critical remote code execution vulnerability in Apache ActiveMQ. Although publicly disclosed and patched by developers back in October 2023, this flaw continues to be widely exploited nearly two years later. Attackers are now taking the unusual step of applying legitimate software updates themselves after gaining initial access.
Once inside a system, the threat actors downloaded updated ActiveMQ JAR files and replaced the vulnerable versions. This action effectively closes the security hole to other malicious groups while allowing the original attackers to maintain their foothold through other established persistence methods. By patching the vulnerability, they not only eliminate competition but also reduce their risk of detection, since security tools often flag repeated exploitation attempts.
As noted in the August 19 report, this approach does not interfere with the attackers’ operations since they have already secured alternative access routes. The practice highlights how crowded the threat landscape has become, with multiple groups often targeting the same vulnerabilities simultaneously.
In the observed incidents, the initial breach was followed by the deployment of a previously unseen downloader named ‘DripDropper’ on cloud-based Linux endpoints. Command and control infrastructure varied across infections, with tools like Sliver and Cloudflare tunnels being used to maintain communication with compromised systems.
In one case, after installing the Sliver implant, the attackers modified the SSH daemon configuration to permit root login, granting them maximum system privileges. Under this new session, they executed DripDropper, an encrypted PyInstaller file that communicates with a Dropbox account controlled by the adversary using a hardcoded token.
This malicious downloader performs several actions, including process monitoring, fetching additional instructions from Dropbox, and altering user account shells to ensure continued access. Only after establishing these persistence mechanisms did the attackers apply the patch to CVE-2023-46604, further solidifying their exclusive control.
The targeting of SSH configurations in these attacks underscores the risks associated with poorly secured web servers in cloud environments. To defend against such threats, organizations are advised to apply patches promptly, monitor configuration changes, restrict root access, and implement robust network segmentation.
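The article's own closing advice is to monitor configuration changes and restrict root access; the two persistence changes it describes are an SSH daemon configured to permit root login and user accounts whose login shells were altered. The following is an added defender-side example, not code from the article, from Info Security, or from Red Canary's report. It checks an sshd_config for the effective PermitRootLogin value (OpenSSH honours the first occurrence of a keyword, and this simplified parser ignores Match blocks) and diffs a baseline /etc/passwd snapshot against the current one to flag accounts whose shell changed, with special attention to a non-interactive shell becoming an interactive one. All sample inputs are constructed.

```python
"""
Added example (not from the article or Red Canary's report): audit an
sshd_config and an /etc/passwd snapshot for the two persistence changes the
article describes. All sample data below is constructed.
"""
import re
from typing import Dict, List

# Constructed sshd_config content; the PermitRootLogin line is the tampered setting.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
"""

# Constructed baseline and current /etc/passwd snapshots; the service account
# 'activemq' (a hypothetical name) had its shell switched to an interactive one.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
activemq:x:999:999::/opt/activemq:/usr/sbin/nologin
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
activemq:x:999:999::/opt/activemq:/bin/bash
"""

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}


def effective_permit_root_login(config_text: str) -> str:
    """Return the effective PermitRootLogin value, lower-cased.

    sshd uses the first occurrence of a keyword and ignores later duplicates.
    Lines starting with '#' are comments. Parsing stops at the first 'Match'
    line, since settings below it are conditional (simplification).
    When the keyword is absent, current OpenSSH defaults to 'prohibit-password'.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return "prohibit-password"


def parse_passwd(text: str) -> Dict[str, str]:
    """Map username -> login shell from /etc/passwd-format text."""
    shells: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def shell_changes(baseline: str, current: str) -> List[dict]:
    """Report accounts whose login shell differs from the baseline snapshot."""
    before = parse_passwd(baseline)
    after = parse_passwd(current)
    findings = []
    for user, new_shell in after.items():
        old_shell = before.get(user)
        if old_shell is None or old_shell == new_shell:
            continue
        findings.append({
            "user": user,
            "old": old_shell,
            "new": new_shell,
            # The high-risk case: a locked-down service account now allows logins.
            "now_interactive": old_shell not in INTERACTIVE_SHELLS
            and new_shell in INTERACTIVE_SHELLS,
        })
    return findings


def audit(config_text: str, baseline_passwd: str, current_passwd: str) -> List[str]:
    """Combine both checks into a list of human-readable alerts."""
    alerts = []
    if effective_permit_root_login(config_text) == "yes":
        alerts.append("sshd_config: PermitRootLogin is 'yes' (direct root login over SSH enabled)")
    for f in shell_changes(baseline_passwd, current_passwd):
        tag = "ENABLED INTERACTIVE LOGIN" if f["now_interactive"] else "changed"
        alerts.append(f"passwd: shell for {f['user']} {tag}: {f['old']} -> {f['new']}")
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_SSHD_CONFIG, BASELINE_PASSWD, CURRENT_PASSWD):
        print(alert)
```

On a real host the baseline snapshot would come from a known-good image or configuration-management record, and the same comparison can be scheduled or wired to a file-integrity monitor so that a change to sshd_config or /etc/passwd raises an alert at the time it happens rather than at the next manual review.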
(Source: Info Security)

