Rise in Godzilla Web Shell Attacks Exploiting Apache ActiveMQ Vulnerability

January 22, 2024

Cybersecurity researchers have noted a marked escalation in threat actor activity that is actively exploiting a now-fixed flaw in Apache ActiveMQ to deliver the Godzilla web shell onto compromised systems.

These web shells are hidden within an unfamiliar binary format and are engineered to slip past security and signature-based scanners, according to Trustwave. The security firm noted that despite the unknown file format of the binary, ActiveMQ's JSP engine continues to compile and execute the web shell.

The vulnerability, tracked as CVE-2023-46604 and carrying a CVSS score of 10.0, is a severe flaw in Apache ActiveMQ that allows remote code execution. Since its public disclosure in late October 2023, it has been actively exploited by numerous adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.

In the most recent series of intrusions observed by Trustwave, vulnerable instances have been targeted by JSP-based web shells that are implanted within the 'admin' folder of the ActiveMQ installation directory. The Godzilla web shell is a feature-rich backdoor capable of parsing incoming HTTP POST requests, executing the content, and returning the results in the form of an HTTP response.

'What makes these malicious files particularly noteworthy is how the JSP code appears to be hidden within an unknown type of binary,' security researcher Rodel Mendrez said. 'This method has the potential to bypass security measures, evading detection by security endpoints during scanning.'

A detailed analysis of the attack chain reveals that the web shell code is converted into Java code before its execution by the Jetty Servlet Engine. The JSP payload ultimately allows the threat actor to connect to the web shell via the Godzilla management user interface and gain full control over the target host, enabling the execution of arbitrary shell commands, viewing network information, and managing file operations.
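As an added defender-side example (not Trustwave's or Apache's code), the following hunting script walks an ActiveMQ webapps/admin folder and flags .jsp files that carry JSP markers yet consist mostly of non-text bytes, the "JSP hidden in a binary" pattern described above, along with any JSP filename missing from a known-good baseline. The directory layout under the install directory and the sample files in demo() are constructed assumptions, not captured artefacts.

```python
import string
import tempfile
from pathlib import Path

# Markers the JSP engine will compile even when surrounded by non-text bytes.
JSP_MARKERS = (b"<%@", b"<%=", b"<% ", b"<jsp:")
TEXT_BYTES = frozenset(string.printable.encode("ascii"))

def non_text_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII; close to 0 for a normal JSP."""
    if not data:
        return 0.0
    return sum(1 for b in data if b not in TEXT_BYTES) / len(data)

def classify_jsp(data: bytes, threshold: float = 0.10) -> str:
    """'suspicious' when JSP markers sit inside a mostly non-text blob."""
    has_marker = any(m in data for m in JSP_MARKERS)
    if not has_marker:
        return "no-jsp"
    return "suspicious" if non_text_ratio(data) > threshold else "text-jsp"

def hunt_admin_dir(webapps: str, known_good: set) -> list:
    """Flag binary-wrapped JSPs and JSP filenames absent from the baseline."""
    findings = []
    for path in sorted(Path(webapps, "admin").rglob("*.jsp")):
        data = path.read_bytes()
        verdict = classify_jsp(data)
        if verdict == "suspicious" or path.name not in known_good:
            findings.append({"name": path.name, "verdict": verdict,
                             "non_text_ratio": round(non_text_ratio(data), 2)})
    return findings

def demo() -> list:
    """Run the hunt over a constructed webapps tree (sample data, not a real capture)."""
    with tempfile.TemporaryDirectory() as root:
        admin = Path(root, "admin")
        admin.mkdir()
        # Constructed benign JSP: plain text and present in the baseline.
        (admin / "index.jsp").write_bytes(b'<%@ page contentType="text/html" %>\n<html/>\n')
        # Constructed stand-in for a binary-wrapped file: JSP markers inside high bytes.
        junk = bytes(range(0x80, 0x100)) * 4
        (admin / "h.jsp").write_bytes(junk + b'<%@ page import="java.util.*" %>' + junk)
        return hunt_admin_dir(root, {"index.jsp"})
```

Point hunt_admin_dir() at the real webapps directory and pass the JSP names shipped with your ActiveMQ version as the baseline; legitimate JSPs containing some UTF-8 text stay well under the 10% threshold.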

Apache ActiveMQ users are strongly advised to update to the latest version as soon as possible to counter potential threats.
