Threat actors exploited Apache ActiveMQ RCE CVE-2023-46604, established footholds with tools such as Sliver and Cloudflare Tunnels, then replaced vulnerable ActiveMQ JARs with fixed versions from the Apache Maven repository to close the exploited hole and prevent detection or rival access. The attackers enabled root SSH logins, deployed a password-gated PyInstaller ELF ("DripDropper") that communicates via Dropbox, and used cron-based persistence via 0anacron scripts. Adversary-applied patches can mislead defenders because patch management systems typically do not record who applied updates. Structured log reviews, forensic analysis, and anomaly detection are recommended. A similar tactic occurred during Citrix NetScaler CVE-2019-19781 with the NOTROBIN backdoor.
This relatively rare technique is used by persistent threat actors who want exclusive access to compromised systems while avoiding detection. Security engineers may mistakenly believe an environment is secure simply because it appears to have been patched, and traditional patch management systems typically do not record who applied a patch. Adversary patching is a sophisticated threat, especially in fast-moving, cloud-native environments; organizations should adopt a proactive approach of structured log reviews, forensic analysis, and anomaly detection, and should treat a service that turns up already patched with no matching entry in their own change records as a possible compromise rather than as good news.
An adversary exploited the 2023 ActiveMQ RCE (CVE-2023-46604), established footholds with tools like Sliver and Cloudflare Tunnels, then quietly replaced the vulnerable ActiveMQ JARs with fixed versions from the Apache Maven repository, closing the very hole they had used so that vulnerability scanners and opportunistic rivals would not trip the alarm. On top of that, they hardened their own access by enabling root logins over SSH and deploying a password-gated PyInstaller ELF ("DripDropper") that talks to Dropbox.
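The detection recommendation above (structured log review and anomaly detection) and the tradecraft just described can be turned into a concrete host audit. The following is an added example written for this page; it is not code from Red Canary, from Apache, or from the page's author. It checks the three artifacts the page names: an sshd configuration that permits root password login, 0anacron scripts outside the one location a cronie-anacron package installs them (assumption: RHEL-style layout, where the packaged copy lives only in /etc/cron.hourly), and an ActiveMQ lib directory whose JARs already sit at a CVE-2023-46604 fix version while the organisation's own inventory still records a vulnerable one. The fix versions per branch (5.15.16, 5.16.7, 5.17.6, 5.18.3) come from the Apache advisory; the sample sshd_config, cron listing, JAR names and inventory version are constructed inputs so the script runs offline, and the helper names are this example's own.

```python
"""Audit a Linux host for the adversary-patching tradecraft described above.

Added example, not code from the report, the ActiveMQ project, or the page's
author. Inputs are constructed in memory so it runs offline; on a real host
you would read /etc/ssh/sshd_config, walk /etc/cron.*, and list the
ActiveMQ lib/ directory instead.
"""
import re
from pathlib import PurePosixPath

# Per-branch fix versions from the CVE-2023-46604 advisory. Every 5.x release
# older than 5.15.16 is affected; 5.19+ and 6.x are outside the affected ranges.
FIXED_IN = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7),
            (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}

# activemq-client-5.15.16.jar, activemq-openwire-legacy-5.15.16.jar, ...
JAR_RE = re.compile(r"^activemq-[a-z-]+-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    return tuple(int(x) for x in text.split("."))


def vulnerable_to_cve_2023_46604(version):
    """True if this ActiveMQ Classic version falls inside an affected range."""
    v = parse_version(version)
    if v[:2] in FIXED_IN:
        return v < FIXED_IN[v[:2]]
    return v < (5, 15, 16)


def effective_permit_root_login(sshd_config):
    """sshd honours the first PermitRootLogin it reads; directives inside a
    Match block are conditional, so parsing stops there. OpenSSH's default
    when the directive is absent is prohibit-password."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            break
        if key.lower() == "permitrootlogin":
            return value.strip().lower()
    return "prohibit-password"


def misplaced_anacron(cron_paths):
    """Assumption: cronie-anacron installs a single 0anacron, in
    /etc/cron.hourly. A 0anacron in cron.daily/weekly/monthly is out of place
    and matches the cron persistence the page attributes to DripDropper.
    (Even the cron.hourly copy should still be diffed against the package's.)"""
    hourly = PurePosixPath("/etc/cron.hourly")
    return sorted(p for p in cron_paths
                  if PurePosixPath(p).name == "0anacron"
                  and PurePosixPath(p).parent != hourly)


def jar_versions(jar_names):
    """Map each activemq-*.jar file name to its version string."""
    found = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            found[name] = m.group(1)
    return found


def audit(sshd_config, cron_paths, jar_names, inventory_version):
    """Return findings as a dict. The key adversary-patching signal is a JAR
    set already at a fixed version while the deployment inventory (CMDB,
    Ansible vars, package manager) still records a vulnerable version."""
    findings = {}
    if effective_permit_root_login(sshd_config) == "yes":
        findings["sshd_root_password_login"] = True
    cron_hits = misplaced_anacron(cron_paths)
    if cron_hits:
        findings["misplaced_anacron"] = cron_hits
    on_disk = set(jar_versions(jar_names).values())
    if len(on_disk) > 1:
        findings["mixed_jar_versions"] = sorted(on_disk)  # partial swap
    if (vulnerable_to_cve_2023_46604(inventory_version) and on_disk
            and not any(vulnerable_to_cve_2023_46604(v) for v in on_disk)):
        findings["patched_outside_change_control"] = {
            "inventory": inventory_version, "on_disk": sorted(on_disk)}
    return findings


# Constructed sample host state for the example; not real forensic data.
SAMPLE_SSHD = ("# managed by config mgmt\nPort 22\nPermitRootLogin yes\n"
               "Match User backup\n    PermitRootLogin no\n")
SAMPLE_CRON = ["/etc/cron.hourly/0anacron", "/etc/cron.daily/0anacron",
               "/etc/cron.weekly/0anacron", "/etc/cron.daily/logrotate"]
SAMPLE_JARS = ["activemq-client-5.15.16.jar", "activemq-broker-5.15.16.jar",
               "activemq-openwire-legacy-5.15.16.jar", "jetty-all-9.4.51.jar"]
SAMPLE_INVENTORY = "5.15.9"   # what the CMDB still says is deployed

if __name__ == "__main__":
    for key, val in audit(SAMPLE_SSHD, SAMPLE_CRON, SAMPLE_JARS,
                          SAMPLE_INVENTORY).items():
        print(f"{key}: {val}")
```

The `patched_outside_change_control` finding is the one to route to incident response rather than to the patching team: a fixed JAR that no ticket, package-manager transaction or deployment run accounts for is exactly the pattern the page describes, and the sshd and cron findings are the follow-on access hardening to look for on the same host.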