Godzilla Web Shell Attacks Stomp on Critical Apache ActiveMQ Flaw

Published: 23/11/2024   Category: security


Thousands of vulnerable servers may be open to cyberattacks exploiting the max-severity CVE-2023-46604 bug.
Threat actors have unleashed a fresh wave of cyberattacks targeting a critical remote code-execution (RCE) vulnerability in Apache ActiveMQ, for which the Apache Software Foundation (ASF) issued a patch back in October.
In many of the attacks, the adversary has been dropping a payload based on Godzilla, a known Web shell that enables them to squash compromised systems and gain complete control.
The ActiveMQ vulnerability, tracked as CVE-2023-46604, carries a max-severity score of 10 out of 10 on the CVSS 3.0 scale, and affects multiple versions of the widely used open source message broker technology (including Apache ActiveMQ versions before 5.18.3 and before 5.17.6, and ActiveMQ Legacy OpenWire Module versions before 5.18.3 and before 5.17.6).
Researchers from Trustwave SpiderLabs spotted the activity recently and described the threat actors as using an unknown binary to obfuscate the Godzilla Web shell to try to evade signature-based scanners and other security controls.
Once deployed on a vulnerable ActiveMQ server, the threat actor can use Godzilla to conduct port scans, enumerate the network, execute Mimikatz, use Meterpreter and shell commands, inject shell code into processes, and carry out other malicious activity.
According to Trustwave, there has been a notable increase in attacks targeting the flaw in recent weeks. In one of the attacks that Trustwave researchers analyzed, the threat actor planted a malicious JavaServer Page (JSP) file in the admin folder of the ActiveMQ installation. The security vendor's analysis of the file showed it to be a Web shell based on Godzilla code.
What makes these malicious files particularly noteworthy is how the JSP code appears to be concealed within an unknown type of binary, according to Trustwave's analysis. This method has the potential to circumvent security measures, evading detection by endpoint security products during scanning.
The security vendor has published indicators of compromise (IoCs) for the new attack activity, and a Yara rule for detecting the Godzilla Web shell on compromised systems.
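A small defender-side triage script for the activity in this section, added here as an example and not code from Trustwave or the ActiveMQ project: it flags a broker version that falls inside the affected ranges the article gives, and lists `.jsp` files in the admin web app that are absent from a known-good baseline. The `webapps/admin` layout, the baseline file names and the dropped file name are constructed assumptions.

```python
"""Added triage helpers for the ActiveMQ activity described above (not Trustwave's code).
is_vulnerable(): is a version string inside the affected ranges the article gives
for CVE-2023-46604 (fixes: 5.18.3 and 5.17.6)? find_unexpected_jsp(): .jsp files
in the admin web app missing from a clean baseline, as the intrusion dropped one there."""
from __future__ import annotations
import os
import re
import tempfile
from pathlib import Path

# Fix versions per branch, as stated in the article. Branches the article does not
# list (5.16 and older) are treated as affected; the ASF advisory has their own fixes.
FIXED_BY_BRANCH = {(5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}

def parse_version(text: str) -> tuple[int, ...]:
    """Extract MAJOR.MINOR.PATCH from strings such as 'ActiveMQ 5.17.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix on its branch, or sits on an older branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    return branch < (5, 17)

def find_unexpected_jsp(admin_dir: str | os.PathLike, baseline: set[str]) -> list[str]:
    """Return relative paths of .jsp files under admin_dir that are not in the
    baseline (build the baseline from a clean install of the same version)."""
    root = Path(admin_dir)
    found = sorted(p.relative_to(root).as_posix() for p in root.rglob("*.jsp"))
    return [f for f in found if f not in baseline]

def demo() -> list[str]:
    """Constructed sample: a stock admin webapp (assumed layout) plus one extra JSP."""
    with tempfile.TemporaryDirectory() as tmp:
        admin = Path(tmp) / "webapps" / "admin"
        (admin / "WEB-INF").mkdir(parents=True)
        baseline = {"index.jsp", "queues.jsp", "WEB-INF/decorator.jsp"}  # constructed names
        for name in baseline:
            (admin / name).write_text("<%-- stock page --%>")
        (admin / "extra.jsp").write_text("<%-- constructed stand-in for a dropped file --%>")
        return find_unexpected_jsp(admin, baseline)

if __name__ == "__main__":
    print(demo(), is_vulnerable("ActiveMQ 5.18.2"), is_vulnerable("5.18.3"))
```

Run the version check against the broker's own version string and the directory diff against `ACTIVEMQ_HOME/webapps/admin`; any file it reports deserves a look with the Trustwave Yara rule.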
There are currently more than 3,400 ActiveMQ servers with the vulnerability that are accessible from the Internet, according to data from Internet-monitoring organization ShadowServer. That is almost the same number of systems that ShadowServer reported as vulnerable in November, suggesting a serious patching lag. Some 1,600 of the vulnerable servers are located in Asia, and 750 in the US.
"Whenever there is widely used software and public exploits, you'll find exploitation," says Rodel Mendrez, principal researcher at Trustwave. "We often see vulnerabilities that take up to a year to patch, so the attack surface decreases slowly," he says.
Trustwave has not been able to attribute the threat actors behind the fresh wave of attacks. However, it is worth noting that Godzilla Web shells were previously used by Threat Group 3390 (Emissary Panda) and Dalbit (m00nlight), both Chinese APT groups, Mendrez notes. He identifies the attacks as being likely opportunistic in nature, rather than targeted.
ASF has identified the bug as stemming from insecure deserialization, which basically refers to an application deserializing data — such as API requests, file uploads, and user inputs — without first verifying whether the data has been manipulated or can be trusted. The bug allows an attacker with access to a Java-based OpenWire broker or client to execute arbitrary shell commands by sending manipulated objects to an affected server.
Exploit code and full technical details of the bug have been publicly available since early November, and threat actors have already exploited the flaw to install cryptomining tools, rootkits, and remote access Trojans. In November, researchers at Rapid7 reported observing a threat actor exploiting CVE-2023-46604 to drop HelloKitty ransomware on vulnerable systems. The security vendor at the time described the attacks as somewhat amateurish, based on the number of attempts it took for the threat actor to encrypt data on a compromised system.
"The activity was limited to a few days," says Caitlin Condon, director of vulnerability research and intelligence at Rapid7, adding that the company hasn't observed any recent activity targeting the ActiveMQ flaw. "Based on the activity we saw in that incident, it's entirely possible that it was a lone-wolf attacker who got hold of leaked code and tried to make a quick buck. Notably, we were analyzing the malware and the artifacts, not attributing the human adversary."
