Cybersecurity experts have detected a surge in cyberattacks targeting vulnerabilities in Apache ActiveMQ hosts [4]. These attacks have revealed a stealthy web shell called the Godzilla Webshell [4], which is hidden within an unknown binary format [4] [8] [9]. The root of this threat is a critical vulnerability known as CVE-2023-46604 in Apache ActiveMQ software [4], allowing threat actors to execute arbitrary shell commands and potentially gain unauthorized access to systems [4].

Description

Trustwave researchers have observed a significant increase in attacks targeting this vulnerability, with over 3,400 vulnerable ActiveMQ servers accessible from the internet [3]. The latest intrusion set observed by Trustwave involves planting JSP-based web shells in the “admin” folder of the ActiveMQ installation directory [7]. The Godzilla web shell [1] [2] [3] [4] [5] [6] [7] [8] [9], a backdoor with extensive functionality, is utilized in these attacks. It parses inbound HTTP POST requests [7], executes their content [1] [7], and returns the results in the HTTP response [1] [7]. The suspicious JSP files containing the Godzilla web shell were discovered in that “admin” folder of a vulnerable ActiveMQ installation.

The vulnerability in ActiveMQ stems from an unsafe deserialization practice within the OpenWire protocol, allowing remote attackers to execute arbitrary shell commands [4] [6]. This vulnerability has been actively exploited for various malicious purposes, including crypto mining, remote access trojans [2] [3] [5] [6], and ransomware [2] [5] [6].

To mitigate this vulnerability [2], users of Apache ActiveMQ are advised to update to the latest version [1] [7], which addresses the CVE-2023-46604 vulnerability and helps protect against unauthorized control over systems. The affected versions of Apache ActiveMQ include 5.18.0, 5.17.0 [2] [5], and 5.16.0 [2]. Apache has released new versions of ActiveMQ to address this flaw [8] [9]. The discovery of the Godzilla Webshell highlights the evolving threat landscape and the need for organizations to stay vigilant and employ advanced security measures [4].

Conclusion

The Godzilla Web Shell campaign is a recent attack that targets Apache ActiveMQ by exploiting the CVE-2023-46604 vulnerability. The attack embeds JSP code within an unknown binary format [5], which the Java web server then executes [2] [5] [6]. This packaging lets the web shell bypass security measures and go undetected during scanning [5]. Once deployed [4] [5] [6] [8] [9], the Godzilla web shell provides threat actors with complete control over the targeted system [5] [8] [9]. It offers various malicious functionalities [2] [5] [6], including network viewing [2] [5], port scanning [5], executing commands [2] [5] [6], managing databases [2] [5], and injecting shellcode into processes [5]. The vulnerability has been actively exploited since its public disclosure in October 2023 [5], with attackers using it for crypto mining [5], remote access trojans [2] [3] [5] [6], and ransomware [2] [5] [6]. The affected versions of Apache ActiveMQ include 5.18.0 (before 5.18.3), 5.17.0 (before 5.17.6), 5.16.0 (before 5.16.7) [5], and versions before 5.15.16 [5].
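As an added example (not code from the article or from any cited source), the following Python script turns the affected-version ranges listed above into a check and lists JSP files in the admin webapp directory that are absent from a known-good baseline, which is where the article says the web shells were planted. The baseline set, the temporary "admin" folder it builds and the file names in it are constructed for illustration; a real baseline should come from a clean install of the same ActiveMQ version.

```python
import os
import re
import tempfile

# Fixed versions per branch as the article states them: 5.18.3, 5.17.6, 5.16.7,
# and 5.15.16 for everything older than the 5.16 branch.
FIXED_BY_BRANCH = {(5, 18): (5, 18, 3), (5, 17): (5, 17, 6), (5, 16): (5, 16, 7)}
OLDEST_FIXED = (5, 15, 16)

def parse_version(text):
    """Turn '5.17.2' (or '5.17.2-SNAPSHOT') into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True/False inside the article's ranges; None above the 5.18 branch,
    which the article does not cover."""
    v = parse_version(version)
    if v[:2] in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[v[:2]]
    if v >= (5, 19, 0):
        return None
    return v < OLDEST_FIXED

def unexpected_jsp_files(admin_dir, baseline):
    """JSP files under the admin webapp not in `baseline` (JSP names from a
    clean install); a planted shell shows up here however it was encoded."""
    found = []
    for root, _dirs, files in os.walk(admin_dir):
        for name in files:
            if name.lower().endswith(".jsp") and name not in baseline:
                found.append(os.path.join(root, name))
    return sorted(found)

def make_constructed_admin_dir():
    """Constructed test data: a throwaway 'admin' folder with one baseline
    page and one JSP the baseline does not know about."""
    admin = os.path.join(tempfile.mkdtemp(), "admin")
    os.makedirs(admin)
    for name in ("index.jsp", "stray.jsp"):
        with open(os.path.join(admin, name), "w") as fh:
            fh.write("<%-- constructed placeholder --%>\n")
    return admin

if __name__ == "__main__":
    print("5.17.2 affected:", is_affected("5.17.2"))  # True
    admin = make_constructed_admin_dir()
    print(unexpected_jsp_files(admin, {"index.jsp"}))  # [.../admin/stray.jsp]
```

On a real host, point `unexpected_jsp_files` at the admin webapp under the ActiveMQ installation and pass the JSP names from a clean copy of the same release as the baseline.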

This article provides a concise and coherent overview of the cyberattacks targeting vulnerabilities in Apache ActiveMQ hosts. It highlights the discovery of the Godzilla Webshell and the critical CVE-2023-46604 vulnerability. The text also emphasizes the need for users to update to the latest version of Apache ActiveMQ to mitigate the vulnerability and the importance of organizations staying vigilant and employing advanced security measures. The conclusion section emphasizes the impacts, mitigations, and future implications of the Godzilla Web Shell attack.

References

[1] https://meterpreter.org/alert-godzilla-web-shell-deploys-through-apache-activemq-flaw/
[2] https://www.jsplaces.com/cso-online/22/01/2024/patched-apache-activemq-bug-abused-to-drop-godzilla-web-shells/
[3] https://www.darkreading.com/threat-intelligence/godzilla-web-shell-attacks-stomp-critical-apache-activemq-flaw
[4] https://securityonline.info/a-stealthy-godzilla-webshell-a-new-threat-targeting-apache-activemq/
[5] https://flyytech.com/2024/01/22/patched-apache-activemq-bug-abused-to-drop-godzilla-web-shells/
[6] https://www.csoonline.com/article/1296463/patched-apache-activemq-bug-abused-to-drop-godzilla-web-shells.html
[7] https://thehackernews.com/2024/01/apache-activemq-flaw-exploited-in-new.html
[8] https://ciso2ciso.com/threat-actors-exploit-apache-activemq-flaw-to-deliver-the-godzilla-web-shell-source-securityaffairs-com/
[9] https://securityaffairs.com/157887/malware/apache-activemq-godzilla-web-shell.html