- Researchers spotted a cybercriminal abusing a flaw to gain access to a cloud Linux server
- The hackers then patched the flaw, closing the door behind them
- There can be several reasons for an attacker to fix a vulnerability
Recently, a hacker was seen patching a vulnerable Linux instance in someone else's cloud, but they did not do it out of the goodness of their heart.
Security researchers at Red Canary observed a threat actor who abused a maximum-severity flaw, tracked as CVE-2023-46604, to break into a Linux system in the cloud.
The vulnerability lies in Apache ActiveMQ and, among other things, gives persistent access. Nevertheless, once inside, the attackers patched the flaw, essentially locking the door behind them.
Drip
Red Canary argues that there are several reasons a cybercriminal might fix a vulnerability after exploiting it, including locking out other adversaries or covering their tracks.
The latter makes a lot of sense, especially since cybercriminals often fight for control over the same compromised endpoints.
Besides patching the flaw, the hackers did a number of things, including installing the Sliver implant, which gave them unrestricted access to the system.
They also modified the existing SSHD configuration file to enable root login, and after that installed a previously unknown downloader that Red Canary named "DripDropper."
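As an added defender-side example (not code from Red Canary's report), the following audit function reads an sshd_config and reports whether root login has been enabled, honouring sshd's rule that the first occurrence of a keyword wins and that directives inside a Match block are conditional; the sample config is constructed for illustration.

```python
import re

# Constructed sample sshd_config (not from the report): a hardened baseline
# where an attacker has appended "PermitRootLogin yes" below the commented default.
SAMPLE_SSHD_CONFIG = """\
# Hardened baseline
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication no
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin no
"""

def effective_permit_root_login(config_text):
    """Return the global PermitRootLogin value sshd would apply.

    sshd takes the *first* occurrence of a keyword, ignores comments,
    matches keywords case-insensitively, accepts "key value" or "key=value",
    and treats directives inside a Match block as conditional, not global.
    With no directive present, OpenSSH defaults to 'prohibit-password'.
    """
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True                   # everything after this is conditional
            continue
        if in_match:
            continue
        if keyword == "permitrootlogin":
            return value.lower()              # first occurrence wins
    return "prohibit-password"

def root_login_findings(config_text):
    """Return a list of audit findings; empty when nothing looks alarming."""
    findings = []
    value = effective_permit_root_login(config_text)
    if value == "yes":
        findings.append("PermitRootLogin is 'yes': root may log in with a password")
    elif value not in ("no", "prohibit-password", "without-password", "forced-commands-only"):
        findings.append(f"PermitRootLogin has unexpected value {value!r}")
    return findings
```

Running this against a known-good baseline on a schedule, or on file-change events for /etc/ssh/sshd_config, turns the edit described above into an alert rather than a silent change.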
The downloader itself is fairly advanced: it requires a password to execute, which makes sandbox analysis difficult.
It communicates with the threat actors through a Dropbox account using hard-coded bearer tokens, and since Dropbox and similar platforms (Telegram or Discord) are not malicious by nature, the traffic blends in and is harder to detect. Finally, DripDropper is likely used to deploy two separate pieces of malware.
Red Canary says that vulnerable web servers are one of the most common initial access vectors for Linux systems.
"Given the prevalence of *nix or Unix systems in modern infrastructure, particularly in rapidly expanding cloud environments, ensuring they are protected is essential," the researchers said.
"This requires developing specialized incident response strategies adapted to the complexities of cloud architectures and Linux environments, and ensuring that defenders are equipped with effective and actionable guidance to safeguard these critical assets."