Cybersecurity researchers have noted a marked escalation in threat actor activity that is actively exploiting a now-fixed flaw in Apache ActiveMQ to deliver the Godzilla web shell onto compromised systems.
These web shells are hidden within an unfamiliar binary format and are engineered to slip past security tools and signature-based scanners, according to Trustwave. The security firm noted that even though the file does not resemble a JSP source file, ActiveMQ's JSP engine still compiles and executes the web shell embedded in it.
The vulnerability, tagged as CVE-2023-46604 and carrying a CVSS score of 10.0, is a severe flaw in Apache ActiveMQ that allows for remote code execution. Since its public disclosure in late October 2023, it has been actively exploited by numerous adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.
In the most recent series of intrusions observed by Trustwave, vulnerable instances have been targeted by JSP-based web shells that are implanted within the 'admin' folder of the ActiveMQ installation directory. The Godzilla web shell is a feature-rich backdoor capable of parsing incoming HTTP POST requests, executing the content, and returning the results in the form of an HTTP response.
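The detection angle raised above (a JSP web shell dropped into the ActiveMQ 'admin' folder and wrapped in bytes that do not look like JSP source, yet still compiled by the JSP engine) can be turned into a simple file-system check. The script below is an added example and is not code from Trustwave or from the Apache ActiveMQ project. It walks a directory for `.jsp`/`.jspx` files and flags any whose leading bytes look binary (NUL bytes or mostly non-printable) but which still contain a JSP scriptlet or action tag further in. The directory layout, file names and byte contents in `demo()` are constructed for illustration; the heuristic thresholds (64-byte prefix, 70% printable) are assumptions a practitioner would tune.

```python
"""
Added defensive example (not from the original article or the ActiveMQ project).

Flags JSP files that start with binary-looking bytes yet still carry JSP
markup later in the file.  A signature scanner that expects a text file can
skip such files, but the servlet container's JSP compiler does not care
about the junk prefix.  Paths and sample bytes are constructed.
"""
import os
import tempfile

# JSP scriptlet/directive start ("<%", "<%@", "<%=") and JSP action tags.
JSP_MARKERS = (b"<%", b"<jsp:")


def looks_binary(prefix: bytes) -> bool:
    """Heuristic: a NUL byte, or fewer than 70% printable bytes, in the prefix."""
    if not prefix:
        return False
    if b"\x00" in prefix:
        return True
    printable = sum(1 for b in prefix if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(prefix) < 0.7


def scan_jsp_file(path: str, prefix_len: int = 64) -> dict:
    """Return a finding record for one file; 'suspicious' is the combined verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    offsets = [data.find(m) for m in JSP_MARKERS if m in data]
    first_marker = min(offsets) if offsets else -1
    binary_prefix = looks_binary(data[:prefix_len])
    return {
        "path": path,
        "size": len(data),
        "jsp_offset": first_marker,          # -1 when no JSP markup is present
        "binary_prefix": binary_prefix,
        # Text JSP files start with markup; binary bytes before the first
        # JSP marker is the pattern worth a closer look.
        "suspicious": first_marker > 0 and binary_prefix,
    }


def scan_admin_dir(root: str) -> list:
    """Walk an ActiveMQ webapp folder (e.g. .../webapps/admin) and collect suspicious JSPs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jsp", ".jspx")):
                record = scan_jsp_file(os.path.join(dirpath, name))
                if record["suspicious"]:
                    findings.append(record)
    return findings


def demo() -> list:
    """Build a constructed 'admin' folder with one benign and one wrapped JSP, then scan it."""
    root = tempfile.mkdtemp(prefix="activemq-admin-check-")
    admin = os.path.join(root, "admin")
    os.makedirs(admin)

    # Constructed benign page: plain text from the first byte.
    with open(os.path.join(admin, "index.jsp"), "wb") as fh:
        fh.write(b'<%@ page contentType="text/html" %>\n<html><body>ok</body></html>\n')

    # Constructed wrapped file: 96 bytes of non-text junk, then a harmless scriptlet.
    junk = b"\x00\x89\x01\xff\x7f\xfe\x02\xfd" * 12
    with open(os.path.join(admin, "hidden.jsp"), "wb") as fh:
        fh.write(junk + b'<% out.println("hello"); %>')

    return scan_admin_dir(root)


if __name__ == "__main__":
    for f in demo():
        print(f"SUSPICIOUS {f['path']} size={f['size']} first_jsp_marker_at={f['jsp_offset']}")
```

In a real deployment the `scan_admin_dir` call would point at the ActiveMQ installation's web application directory, and the flagged files would be compared against the package's known-good contents rather than judged on the heuristic alone, since a UTF-8 BOM or a large HTML template with a scriptlet near the end can still be benign.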
'What makes these malicious files particularly noteworthy is how the JSP code appears to be hidden within an unknown type of binary,' security researcher Rodel Mendrez said. 'This method has the potential to bypass security measures, evading detection by security endpoints during scanning.'
A detailed analysis of the attack chain reveals that the web shell code is converted into Java code before its execution by the Jetty Servlet Engine. The JSP payload ultimately allows the threat actor to connect to the web shell via the Godzilla management user interface and gain full control over the target host, enabling the execution of arbitrary shell commands, viewing network information, and managing file operations.
Apache ActiveMQ users are strongly advised to update to the latest version as soon as possible to counter potential threats.