- Researchers caught cybercriminals abusing a flaw to access a Linux cloud server
- The attackers then patched the flaw, closing the door behind them
- There could be several reasons for patching the flaw
A hacker was recently spotted patching someone else's vulnerable cloud instance, but not out of the goodness of their heart.
Red Canary security researchers observed a threat actor abusing a maximum-severity flaw, tracked as CVE-2023-46604, to break into a Linux cloud system.
The vulnerability lies in Apache ActiveMQ and, among other things, grants persistent access. However, after exploiting the bug, the attackers essentially locked the door behind them.
DripDropper
Red Canary argues that there are several reasons why a cybercriminal might fix a flaw after exploiting it, in particular to lock out rival attackers or to cover their tracks.
The former makes a lot of sense, especially since cybercriminals often fight each other for control over the same compromised systems.
Besides patching the flaw, the attackers did a number of other things, notably installing the Sliver implant, which gave them unrestricted access to the system.
They also modified the existing sshd configuration file to enable root login, and after that deployed a previously unknown downloader that Red Canary named “DripDropper”.
The downloader itself is fairly advanced: it requires a password to run, which hinders sandbox analysis.
It communicates with the threat actors through a Dropbox account using hard-coded bearer tokens, and since Dropbox and similar platforms (Telegram or Discord) are not malicious by nature, the traffic blends in and is harder to spot. Finally, DripDropper is most likely used to deploy two distinct malicious payloads.
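The sshd change described above (enabling root login) is the kind of tampering a defender can audit for. The following is an added example, not code from Red Canary or from the article: it parses an sshd_config the way sshd reads it (the first occurrence of a directive wins, and anything after a `Match` line is conditional) and reports whether root login is effectively enabled. The sample configuration is constructed for the demonstration.

```python
"""Audit an sshd_config for the root-login weakening described above (added example)."""
import re

# Constructed sample: an attacker prepended "PermitRootLogin yes".
# sshd honours the FIRST occurrence of a directive, so the later "no" is ignored.
SAMPLE_CONFIG = """\
# added at the top of the file by the intruder
PermitRootLogin yes
Port 22
PermitRootLogin no
PasswordAuthentication no
Match User deploy
    PermitRootLogin without-password
"""


def effective_global(config_text, keyword):
    """Return the effective global value of `keyword`, or None if it is never set.

    First match wins. Parsing stops at the first `Match` line because every
    directive after it is conditional rather than global.
    """
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", stripped, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return None


def root_login_findings(config_text):
    """Return a list of human-readable findings about PermitRootLogin."""
    findings = []
    value = effective_global(config_text, "PermitRootLogin")
    if value is not None and value.lower() == "yes":
        findings.append("effective PermitRootLogin is 'yes' (root password login allowed)")
    # Count every PermitRootLogin line, Match blocks included: duplicates often mean
    # a directive was prepended or appended to override the administrator's setting.
    count = sum(1 for l in config_text.splitlines()
                if re.match(r"\s*PermitRootLogin\b", l, re.IGNORECASE))
    if count > 1:
        findings.append(f"PermitRootLogin appears {count} times; only the first is honoured")
    return findings


if __name__ == "__main__":
    for finding in root_login_findings(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against `/etc/ssh/sshd_config` contents on a live host; an empty list means no root-login weakening was found by these two checks.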
Red Canary says that vulnerable web servers are one of the most common initial access vectors into Linux systems.
“Given the prevalence of *nix or Unix-like systems in modern infrastructure, especially in rapidly expanding cloud environments, ensuring that they are protected is essential,” the researchers said.
“This requires developing specialized incident response strategies adapted to the complexities of cloud architectures and Linux environments, and guaranteeing that defenders are equipped with effective and usable guidance to protect these critical assets.”