Executive summary
Threat actors are actively abusing CVE-2023-46604, a critical RCE in Apache ActiveMQ, to compromise cloud-hosted Linux infrastructure. Recent investigations show intruders using the bug for initial access, then installing persistence (SSH and cron changes), deploying C2 tooling (e.g., Sliver, Cloudflare Tunnels), and even patching ActiveMQ post-breach to hide their tracks and lock out rivals. (Red Canary; The Hacker News)
The vulnerability (CVE-2023-46604): what it is and who’s affected
Root cause. The Java OpenWire protocol marshaller in ActiveMQ does not validate the class types it deserializes. A remote attacker who can speak OpenWire to a Java-based broker or client can manipulate the serialized class types so that the peer instantiates an arbitrary class from its classpath, which leads to arbitrary command execution (classic insecure deserialization to RCE). Note that the bug is symmetric: a malicious broker can exploit a vulnerable Java client just as a malicious client can exploit a vulnerable broker. (NVD)
Affected lines and fixed versions.
- Affected: 5.18.0 up to and including 5.18.2, 5.17.0 up to 5.17.5, 5.16.0 up to 5.16.6, and every release before 5.15.16; the matching activemq-openwire-legacy (Legacy OpenWire Module) versions are affected as well.
- Apache recommends upgrading brokers and any Java OpenWire clients to 5.15.16, 5.16.7, 5.17.6, or 5.18.3 (or later on the respective line). (ActiveMQ)
Severity and exploitation history. NVD rates it critical; exploitation has been observed since late 2023 (e.g., HelloKitty ransomware, Kinsing). (NVD; BleepingComputer; Trend Micro)
How today’s cloud-Linux intrusions actually unfold
Recent telemetry from incident responders outlines a repeatable, cloud-oriented kill chain:
- Initial access via CVE-2023-46604. Adversaries hit Internet-exposed brokers (OpenWire's default listener, 61616/TCP) and execute shell commands in the context of the broker process. (Red Canary)
- C2 foothold and lateral options. Post-exploit, some hosts receive Sliver implants; others are placed behind Cloudflare Tunnels, so the operator's management traffic rides an outbound connection to Cloudflare instead of an inbound listener. (Red Canary)
- Privilege and access hardening for the attacker. Attackers edit sshd_config to permit root login and adjust other SSH settings to guarantee durable access. (Red Canary)
- Custom malware: "DripDropper." A password-protected, encrypted PyInstaller ELF is dropped; it talks to Dropbox via a hard-coded token and writes two files, one of which is scheduled for persistence. (Red Canary)
- Persistence mechanism. Persistence is commonly set by editing 0anacron inside the /etc/cron.* directories (hourly/daily/weekly/monthly). (The Hacker News)
- Self-patching to hide origin. Finally, the intruder downloads patched ActiveMQ JARs from Maven and replaces the vulnerable ones, so vulnerability scanners stop flagging the broker even though the host remains compromised. (Red Canary)
Why this matters: "self-patching" both obscures the initial access vector and prevents rival actors from exploiting the same bug on the same host. It is increasingly seen in real-world intrusions. (Dark Reading)
Technical deep-dive: exploit path and cloud ramifications
A. Exploit mechanics (at a glance)
- Target surface: the Java OpenWire protocol endpoint (by default tcp://0.0.0.0:61616, i.e. bound on every interface).
- Exploit effect: the attacker crafts OpenWire objects so the marshaller instantiates classes on the classpath, achieving arbitrary command execution in the broker's (or client's) context. (NVD)
- Why cloud is hit hard: managed containers/VMs often expose brokers for microservice messaging; broad ingress rules and weak network segmentation amplify the blast radius.
B. What attackers change on Linux
- /etc/ssh/sshd_config: set PermitRootLogin yes and roll back related SSH hardening. (Red Canary)
- /etc/cron.hourly|daily|weekly|monthly/0anacron: add loader execution for persistence. (The Hacker News)
- Dropbox C2 egress from the compromised host; Cloudflare Tunnels for covert management. (Red Canary)
C. Previously observed payloads with the same bug
HelloKitty ransomware, Kinsing cryptominers/rootkits, and other botnets/webshells have piggybacked on CVE-2023-46604 since disclosure. (BleepingComputer; Trend Micro)
Detection & hunting playbook (MITRE ATT&CK mapping)
Initial Access (T1190):
- Look for inbound connections to 61616/TCP from the Internet and unexpected OpenWire handshakes to ActiveMQ pods/VMs.
Execution (T1059 / T1106):
- Broker-spawned shells or commands: a java process as the parent of bash, sh, curl, or wget.
Persistence (T1053):
- Cron anomalies: files named 0anacron modified recently under any /etc/cron.* directory.
Persistence / Defense Evasion (T1098 Account Manipulation, T1562 Impair Defenses):
- Diff /etc/ssh/sshd_config for unexpected PermitRootLogin yes or PasswordAuthentication yes, and check /etc/passwd for shell changes on low-privilege accounts (e.g., games). (Red Canary)
C2 (T1090 / T1102 / T1105):
- Egress to Dropbox APIs from servers; processes establishing cloudflared/Cloudflare Tunnel sessions. (Red Canary)
Validation (vulnerability closed but host still dirty):
- If ActiveMQ suddenly appears patched without a change ticket, treat it as an incident; attackers are known to patch post-breach. (Red Canary)
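The hunts above as an added shell example (my own code, not Red Canary's tooling and not from the original post). Each function runs one check against a file or a captured command output, so it works on a forensic copy as well as on a live host. The sshd_config, passwd, 0anacron files and ps listing it creates under a temp directory are constructed for the demo; the keyword list in the 0anacron check and the "no login" shell list are heuristics of mine, not published indicators.

```shell
#!/bin/sh
# Added hunting example for the CVE-2023-46604 post-exploitation tradecraft described above.
# Every check prints its findings and returns 0 when something suspicious was found, 1 otherwise.

# Defense evasion: SSH hardening rolled back (active lines only; commented lines are ignored).
check_sshd_config() {
    grep -Ei '^[[:space:]]*(PermitRootLogin|PasswordAuthentication)[[:space:]]+yes' "$1"
}

# Account manipulation: system accounts (UID 1-999) given an interactive shell, e.g. games:/bin/sh.
# Heuristic: the regex lists the usual "no login" shells on Debian/RHEL; anything else is reported.
check_passwd_shells() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $7; hit = 1 }
             END { exit !hit }' "$1"
}

# Persistence: 0anacron stubs that fetch, decode or launch something. A genuine 0anacron only
# starts anacron; the keyword list is a heuristic, not a published indicator.
check_cron_anacron() {
    found=1
    for f in "$1"/cron.*/0anacron; do
        [ -f "$f" ] || continue
        if grep -qE 'curl|wget|base64|python|/tmp/|/var/tmp/|/dev/shm/' "$f"; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Execution: shells or downloaders whose parent is the broker's java process.
# $1 is a saved `ps -eo pid,ppid,comm` listing, header line included.
check_java_children() {
    awk 'NR > 1 { comm[$1] = $3; ppid[$1] = $2 }
         END {
             for (p in ppid)
                 if (comm[p] ~ /^(sh|bash|dash|curl|wget)$/ && comm[ppid[p]] == "java") {
                     print p, comm[ppid[p]], "->", comm[p]; hit = 1
                 }
             exit !hit
         }' "$1"
}

# Constructed sample of a compromised host, for the demo and for testing the checks offline.
build_sample_dir() {
    d=$1
    mkdir -p "$d/etc/cron.daily" "$d/etc/cron.hourly"
    printf '%s\n' '# constructed: attacker rollbacks' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$d/sshd_config"
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' '# PermitRootLogin yes (comment, must not match)' > "$d/sshd_config.clean"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'games:x:5:60:games:/usr/games:/bin/sh' 'sync:x:4:65534:sync:/bin:/bin/sync' \
        'alice:x:1000:1000::/home/alice:/bin/bash' > "$d/passwd"
    printf '%s\n' '#!/bin/sh' 'test -x /usr/sbin/anacron || exit 0' '/usr/sbin/anacron -s' > "$d/etc/cron.hourly/0anacron"
    printf '%s\n' '#!/bin/sh' '/usr/sbin/anacron -s' '/tmp/.xk3f9q2a >/dev/null 2>&1' > "$d/etc/cron.daily/0anacron"
    printf '%s\n' '  PID  PPID COMMAND' '    1     0 systemd' ' 2310     1 java' \
        ' 4102  2310 sh' ' 4103  4102 curl' ' 4200     1 sshd' > "$d/ps.txt"
}

run_hunt() {
    d=$1
    check_sshd_config "$d/sshd_config"   && echo "^ sshd_config rollback"
    check_passwd_shells "$d/passwd"      && echo "^ interactive shell on a system account"
    check_cron_anacron "$d/etc"          && echo "^ tampered 0anacron"
    check_java_children "$d/ps.txt"      && echo "^ broker-spawned shell"
    return 0
}

tmp=$(mktemp -d)
build_sample_dir "$tmp"
run_hunt "$tmp"
rm -rf "$tmp"
```

On a real host point the functions at /etc/ssh/sshd_config, /etc/passwd, /etc and a saved ps listing; pid 4103 (curl under sh) is deliberately not reported, because only the direct java-to-shell edge is the broker-exploit signature, and the 0anacron check ignores a stub that merely starts anacron.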
Incident response workflow (cloud-first)
- Contain: isolate the broker VM/pod; block its egress to Dropbox and to Cloudflare's tunnel endpoints at the VPC/NSG/SG level, and stop any cloudflared process or service on the host. (Red Canary)
- Verify and patch the right way: replace broker and client with fixed versions (5.15.16 / 5.16.7 / 5.17.6 / 5.18.3 or later), then redeploy from a trusted image; don't "hot-swap" JARs. (ActiveMQ)
- Eradicate persistence: restore a hardened sshd_config (PermitRootLogin no, key-only auth), remove cron persistence, rotate SSH keys/tokens, and invalidate any credentials found on the host. (Red Canary)
- Threat hunt beyond the broker: search for Sliver beacons, cloudflared processes/services, and lateral movement into app/database nodes. (Red Canary)
- Review change logs: investigate who patched ActiveMQ and when; unexpected JAR replacements pulled from repo1.maven.org inside the intrusion window are a red flag. (Red Canary)
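For the "verify and patch" and "review change logs" steps, and for the validation check in the hunting playbook, an added shell example (mine, not Red Canary's or Apache's): activemq_fixed classifies a version string against the fixed releases listed in the advisory, and the lib-directory checks look for the signature a hot-swap leaves behind, a mix of jar versions and jars newer than the rest of the install. The jar names and timestamps it creates are constructed; the "mixed versions means tampering" rule is a heuristic (a legitimate upgrade replaces the whole distribution), and bin/activemq as the reference file for the original install time is an assumption.

```shell
#!/bin/sh
# Added example: is this ActiveMQ really patched, and was it patched by us?

# Classify a version string against the CVE-2023-46604 fixed releases (5.15.16, 5.16.7, 5.17.6, 5.18.3).
# Returns 0 = fixed, 1 = affected, 2 = not one of the 5.15-5.18 lines handled here (check the advisory).
activemq_fixed() {
    maj=${1%%.*}; rest=${1#*.}; min=${rest%%.*}; pat=${rest#*.}
    [ "$rest" = "$min" ] && pat=0             # "5.18" with no patch digit counts as .0
    pat=${pat%%[!0-9]*}; pat=${pat:-0}        # drop "-SNAPSHOT" and similar suffixes
    [ "$maj" = 5 ] || return 2
    case $min in
        18) [ "$pat" -ge 3 ] ;;
        17) [ "$pat" -ge 6 ] ;;
        16) [ "$pat" -ge 7 ] ;;
        15) [ "$pat" -ge 16 ] ;;
        *)  [ "$min" -lt 15 ] && return 1     # everything below 5.15.16 is in scope
            return 2 ;;
    esac
}

# Distinct versions among activemq-*-<version>.jar in a lib directory.
activemq_lib_versions() {
    for j in "$1"/activemq-*.jar; do
        [ -f "$j" ] || continue
        b=${j##*/}; b=${b%.jar}
        echo "${b##*-}"
    done | sort -u
}

# One install should carry one version; several means jars were swapped individually (heuristic).
activemq_lib_mixed() {
    n=$(activemq_lib_versions "$1" | wc -l)
    [ "$((n + 0))" -gt 1 ]
}

# Jars modified after a reference file from the original install ($2, e.g. bin/activemq). If the
# change records show no deployment at that time, treat it as post-compromise self-patching.
jars_newer_than() {
    find "$1" -name 'activemq-*.jar' -newer "$2" | sort
}

# Constructed sample install: a 5.18.2 broker in which two jars were later replaced by 5.18.3 copies.
build_sample_install() {
    d=$1
    mkdir -p "$d/bin" "$d/lib"
    touch -t 202309010000 "$d/bin/activemq"
    for j in activemq-broker-5.18.2 activemq-spring-5.18.2 activemq-client-5.18.2; do
        touch -t 202309010000 "$d/lib/$j.jar"
    done
    rm -f "$d/lib/activemq-client-5.18.2.jar"
    touch -t 202401150300 "$d/lib/activemq-client-5.18.3.jar" "$d/lib/activemq-openwire-legacy-5.18.3.jar"
}

tmp=$(mktemp -d)
build_sample_install "$tmp"
for v in 5.17.5 5.18.3 5.15.16 6.0.0; do
    r=0; activemq_fixed "$v" || r=$?
    echo "$v -> $r (0 fixed, 1 affected, 2 not classified)"
done
activemq_lib_versions "$tmp/lib"
if activemq_lib_mixed "$tmp/lib"; then echo "^ mixed jar versions: individual jars were swapped"; fi
jars_newer_than "$tmp/lib" "$tmp/bin/activemq"
rm -rf "$tmp"
```

Read the broker's version from the jar names in its lib directory rather than from the admin console, which a tampered install may have been left reporting whatever the attacker swapped in; a return of 2 is deliberate, so that a line the advisory does not list is never silently reported as fixed.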
Hardening checklist for ActiveMQ in the cloud
- Reduce exposure: bind OpenWire to localhost or to a private subnet; front it with a VPN, mTLS, or a reverse proxy; restrict SG/NSG rules to trusted CIDRs only. (Apache guidance: upgrade brokers/clients promptly.) (ActiveMQ)
- Broker hygiene: run the broker as a dedicated non-root user/group and keep the classpath minimal; the exploit can only instantiate classes that are on it.
- Patch cadence: track CVE-2023-46604 and future advisories; keep both the broker and any Java OpenWire clients updated. (ActiveMQ)
- Logging/telemetry: centralize auth logs, process creation, and network flows; alert on SSH root login attempts and cron file changes.
- Secrets and SDLC: remove static secrets from activemq.xml; rotate credentials after incidents.
- Cloud controls:
  - AWS: restrictive Security Groups, VPC endpoints for broker access, GuardDuty alerts for unusual egress.
  - Azure: NSGs/ASGs for broker subnets, Defender for Cloud alerts on anomalous processes.
  - GCP: VPC firewall rules and SCC (Security Command Center) misconfiguration findings.
Quick commands & policy snippets
Check if OpenWire is exposed publicly
Harden SSH (example)
Remove cron persistence
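Added shell versions of the three snippets named above, plus the "bind OpenWire to localhost" check from the hardening list (example code of my own, not commands from the original post or from Apache). The activemq.xml, ss listing, sshd_config and 0anacron it creates are constructed samples; the quarantine directory path is an assumption, and the SSH rewrite uses a temp file instead of sed -i so it runs on both GNU and BSD sed.

```shell
#!/bin/sh
# Added example: exposure check and remediation helpers for an ActiveMQ host.
# Each function works on a file or captured output, so it can be dry-run on a copy first.

# 1a. Exposure in config: transportConnector URIs bound to every interface (0.0.0.0 or [::]).
openwire_bind_check() {
    grep -oE 'uri="[a-z+]+://[^"]*"' "$1" | grep -E '://(0\.0\.0\.0|\[::\]):'
}

# 1b. Exposure at runtime: 61616 listening on a non-loopback address in saved `ss -ltn` output
#     (on a live host: ss -ltn > /tmp/ss.txt, then pass that file).
openwire_listen_check() {
    awk '$4 ~ /:61616$/ && $4 !~ /^(127\.|\[::1\])/ { print $4; hit = 1 } END { exit !hit }' "$1"
}

# 2. Harden SSH: force the three directives, replacing an active line or appending one.
#    Afterwards validate with `sshd -t` and confirm the effective values with `sshd -T`,
#    because an Include'd drop-in that appears earlier can still override the main file.
harden_sshd() {
    f=$1
    for kv in 'PermitRootLogin no' 'PasswordAuthentication no' 'PubkeyAuthentication yes'; do
        k=${kv%% *}
        if grep -qE "^[[:space:]]*$k[[:space:]]" "$f"; then
            sed -E "s/^[[:space:]]*$k[[:space:]].*/$kv/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        else
            printf '%s\n' "$kv" >> "$f"
        fi
    done
}

# 3. Remove cron persistence: move a tampered 0anacron out of /etc/cron.* into a quarantine
#    directory (keeps the evidence), then reinstall the distro's own stub from its package.
quarantine_cron_hook() {
    src=$1; qdir=$2
    mkdir -p "$qdir"
    mv "$src" "$qdir/$(basename "$(dirname "$src")")-0anacron.$(date +%s)"
}

# Constructed samples for the demo.
build_samples() {
    d=$1
    mkdir -p "$d/cron.daily"
    cat > "$d/activemq.xml" <<'EOF'
<transportConnectors>
  <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
  <transportConnector name="amqp" uri="amqp://127.0.0.1:5672"/>
</transportConnectors>
EOF
    printf '%s\n' 'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'LISTEN 0      128    0.0.0.0:61616      0.0.0.0:*' \
        'LISTEN 0      128    127.0.0.1:8161     0.0.0.0:*' > "$d/ss.txt"
    printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$d/sshd_config"
    printf '%s\n' '#!/bin/sh' '/tmp/.xk3f9q2a' > "$d/cron.daily/0anacron"
}

tmp=$(mktemp -d)
build_samples "$tmp"
openwire_bind_check "$tmp/activemq.xml" && echo "^ bound to all interfaces in activemq.xml"
openwire_listen_check "$tmp/ss.txt"     && echo "^ 61616 reachable beyond loopback"
harden_sshd "$tmp/sshd_config" && cat "$tmp/sshd_config"
quarantine_cron_hook "$tmp/cron.daily/0anacron" "$tmp/quarantine" && ls "$tmp/quarantine"
rm -rf "$tmp"
```

The config check and the socket check are kept separate on purpose: a broker started with an overriding system property or an older activemq.xml on disk can listen on an address the file does not show, so treat the ss output as authoritative and the file as the thing to fix.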
Indicators & leads (to tailor to your environment)
- Files/paths: unusual 0anacron edits; added binaries with random 8-character names under /tmp, /var/tmp, or service directories. (The Hacker News; Red Canary)
- Config changes: PermitRootLogin yes; shell changes for low-privilege users (e.g., games:/bin/sh). (Red Canary)
- Network: outbound to Dropbox APIs; unexplained Cloudflare Tunnel sessions. (Red Canary)
Final take
Don't assume "broker is patched" equals "host is clean." For CVE-2023-46604, attackers are patching after compromise while leaving backdoors and C2 running. Treat any unplanned patching or JAR replacement as an indicator of compromise. Prioritize upgrades, network scoping, and Linux persistence hunts across your cloud. (Red Canary)
References & further reading
- Apache advisory and fixed versions for CVE-2023-46604. (ActiveMQ)
- NVD analysis and RCE description. (NVD)
- Red Canary's DripDropper investigation (cloud-Linux focus). (Red Canary)
- The Hacker News summary (persistence via 0anacron, self-patching). (The Hacker News)
- Prior exploitation: HelloKitty (BleepingComputer), Kinsing (Trend Micro).
Author: CyberDudeBivash
Website: www.cyberdudebivash.com
#ApacheActiveMQ #CVE202346604 #LinuxSecurity #CloudSecurity #RCE #ThreatIntel #IncidentResponse #DevSecOps #CyberDudeBivash
