Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Threat actors exploit Apache ActiveMQ flaw to deliver the Godzilla Web Shell

Researchers warn of a spike in attacks exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell. Trustwave researchers observed a surge in attacks exploiting a now-patched flaw in Apache ActiveMQ, in many cases aimed at delivering a malicious code that borrows the code from the open-source web shell Godzilla. Threat actors conceal […]

Apache ActiveMQ Godzilla web shell

Researchers warn of a spike in attacks exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell.

Trustwave researchers observed a surge in attacks exploiting a now-patched flaw in Apache ActiveMQ, in many cases aimed at delivering a malicious code that borrows the code from the open-source web shell Godzilla.

Threat actors conceal the web shell within an unknown binary format evading security and signature-based scanners. Once deployed, the ActiveMQ’s JSP engine compiles and executes the web shell.

In November 2023, researchers at Rapid7 reported the suspected exploitation of the recently disclosed critical vulnerability CVE-2023-46604 in the Apache ActiveMQ.

Apache ActiveMQ is an open-source message broker software that serves as a message-oriented middleware (MOM) platform. It is developed by the Apache Software Foundation and written in Java. ActiveMQ provides messaging and communication capabilities to various applications, making it easier for them to exchange data and communicate asynchronously.

Rapid7 identified exploitation attempts of the CVE-2023-46604 flaw to deploy HelloKitty ransomware in two different customer environments.

CVE-2023-46604 (CVSS score: 10.0) is a remote code execution vulnerability that impacts Apache ActiveMQ. A remote attacker with network access to a broker can exploit this flaw to run “arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.”

Apache addressed the flaw with the release of new versions of ActiveMQ on October 25, 2023. The researchers pointed out that the proof-of-concept exploit code and vulnerability details are both publicly available.

The vulnerability affects the following versions –

  • ActiveMQ 5.18.0 before 5.18.3
  • ActiveMQ 5.17.0 before 5.17.6
  • ActiveMQ 5.16.0 before 5.16.7
  • ActiveMQ before 5.15.16
  • ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

In the attacks observed by Trustwave SpiderLabs, the malicious file was planted in the “admin” folder within the ActiveMQ installation directory. The folder contains the server scripts for the ActiveMQ administrative and web management console.

“Interestingly, the Jetty JSP engine which is the integrated web server in ActiveMQ, actually parsed, compiled and executed the embedded Java code that was encapsulated in the unknown binary.” reads the analysis published by Trustwave. “Further examination of the Java code generated by Jetty showed that the web shell code was converted into Java code and therefore was executed.”

Apache ActiveMQ Godzilla web shell

Once the web shell has been deployed, the threat actor can connect to it through the Godzilla management user interface and achieve complete control over the target system.

The Godzilla Web Shell supports multiple functionalities including:

  • Viewing network details
  • Conducting port scans
  • Executing Mimikatz commands
  • Running Meterpreter commands
  • Executing shell commands
  • Remotely managing SQL databases
  • Injecting shellcode into processes
  • Handling file management tasks

The report includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ActiveMQ)