Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks


Cybersecurity researchers are warning of a "notable increase" in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.

"The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners," Trustwave said. "Notably, despite the binary's unknown file format, ActiveMQ's JSP engine continues to compile and execute the web shell."

CVE-2023-46604 (CVSS score: 10.0) refers to a severe vulnerability in Apache ActiveMQ that enables remote code execution. Since its public disclosure in late October 2023, it has come under active exploitation by multiple adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.

In the latest intrusion set observed by Trustwave, susceptible instances were targeted by JSP-based web shells that are planted within the "admin" folder of the ActiveMQ installation directory.

The web shell, named Godzilla, is a functionality-rich backdoor capable of parsing inbound HTTP POST requests, executing the content, and returning the results in the form of an HTTP response.

"What makes these malicious files particularly noteworthy is how the JSP code appears to be concealed within an unknown type of binary," security researcher Rodel Mendrez said. "This method has the potential to bypass security measures, evading detection by security endpoints during scanning."

A closer examination of the attack chain reveals that the web shell code is converted into Java code prior to its execution by the Jetty Servlet Engine.
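The detail that matters for defenders is that the JSP compiler does not care what surrounds the JSP tags: a file that is mostly opaque binary but still carries `<% ... %>` syntax gets compiled and served like any other page. The following is an added example (written for this page, not Trustwave's tooling or anything from the Apache ActiveMQ project) of a triage check that walks a directory such as the ActiveMQ "admin" folder and flags files that contain JSP syntax inside largely non-printable data, or JSP pages that carry class-loading or process-spawning calls a stock admin page has no reason to use. The sample files, the indicator strings, the 30% non-printable threshold and the helper names are all assumptions chosen for the example.

```python
import os
import string
import tempfile

# Bytes a hand-written JSP page is made of: printable ASCII plus whitespace.
PRINTABLE = set(string.printable.encode("ascii"))

# Tags that make the JSP compiler treat a file as JSP source.
JSP_MARKERS = (b"<%@", b"<%", b"<jsp:")

# Calls a stock admin page has no reason to make but an execution-capable
# web shell usually does (heuristic list chosen for this example).
EXEC_INDICATORS = (b"Runtime.getRuntime", b"ProcessBuilder", b"defineClass",
                   b"ClassLoader", b"javax.crypto")


def analyze_bytes(data: bytes, threshold: float = 0.30) -> dict:
    """Classify one file's contents.

    A JSP page hidden in a binary blob still needs the <% ... %> tags the
    compiler looks for, so the tell is JSP syntax inside data that is mostly
    non-printable. Plain-text JSPs are flagged only if they also carry one of
    the execution indicators above.
    """
    total = len(data)
    non_printable = sum(1 for b in data if b not in PRINTABLE)
    ratio = non_printable / total if total else 0.0
    has_jsp = any(marker in data for marker in JSP_MARKERS)
    indicators = [ind.decode() for ind in EXEC_INDICATORS if ind in data]
    suspicious = has_jsp and (ratio > threshold or bool(indicators))
    return {"has_jsp": has_jsp, "binary_ratio": round(ratio, 3),
            "indicators": indicators, "suspicious": suspicious}


def scan_directory(root: str) -> list:
    """Walk a folder and return (path, report) for every flagged file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                report = analyze_bytes(fh.read())
            if report["suspicious"]:
                hits.append((path, report))
    return hits


# Constructed sample files for the demo; not artifacts from the Trustwave report.
SAMPLES = {
    # An ordinary admin page: JSP syntax, all printable, no indicators.
    "queues.jsp": b"<%@ page contentType=\"text/html\" %>\n"
                  b"<html><body>Queues</body></html>\n",
    # A binary asset with no JSP syntax at all: never flagged.
    "logo.png": bytes(range(256)) * 2,
    # JSP shell logic wrapped in opaque binary padding on both sides.
    "help.jsp": bytes(range(128, 256)) * 8
                + b"<%@ page import=\"java.io.*\" %>"
                  b"<% if (\"POST\".equals(request.getMethod())) {"
                  b" byte[] b = readBody(request);"
                  b" new ClassLoader() { Class l(byte[] x) {"
                  b" return defineClass(x, 0, x.length); } }.l(b); } %>"
                + bytes(range(128, 256)) * 8,
}


def run_demo() -> list:
    """Write the samples to a scratch folder, scan it, return flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return sorted(os.path.basename(p) for p, _ in scan_directory(tmp))


if __name__ == "__main__":
    for path, report in scan_directory(os.environ.get("ACTIVEMQ_ADMIN_DIR", ".")):
        print(path, report)
```

Run it against the admin folder of a suspect install (the `ACTIVEMQ_ADMIN_DIR` variable is an assumed convenience, not an ActiveMQ setting). Two caveats: the byte-ratio heuristic is a triage aid, not a signature, so pair it with a file-by-file comparison against a clean install of the same version and with file-creation timestamps, and remember that anything this script flags was already compiled by Jetty, so the host should be treated as compromised rather than merely cleaned.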

The JSP payload ultimately allows the threat actor to connect to the web shell through the Godzilla management user interface and gain full control over the target host, facilitating the execution of arbitrary shell commands, viewing network information, and handling file management operations.

Users of Apache ActiveMQ are strongly recommended to update to the latest version as soon as possible to mitigate potential threats.
