Cybersecurity researchers are warning of a "notable increase" in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.
"The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners," Trustwave said. "Notably, despite the binary's unknown file format, ActiveMQ's JSP engine continues to compile and execute the web shell."
CVE-2023-46604 (CVSS score: 10.0) is a critical vulnerability in Apache ActiveMQ that allows remote code execution. Since its public disclosure in late October 2023, it has come under active exploitation by various adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.
In the latest intrusion set observed by Trustwave, vulnerable instances have been targeted by JSP-based web shells planted within the "admin" folder of the ActiveMQ installation directory.
The web shell, named Godzilla, is a feature-rich backdoor capable of parsing inbound HTTP POST requests, executing the content, and returning the results in the form of an HTTP response.
"What makes these malicious files particularly noteworthy is how the JSP code appears to be concealed within an unknown type of binary," security researcher Rodel Mendrez said. "This method has the potential to circumvent security measures, evading detection by security endpoints during scanning."
A closer examination of the attack chain shows that the web shell code is converted into Java code prior to its execution by the Jetty Servlet Engine: the JSP engine extracts and compiles the JSP portion of the file regardless of the binary wrapper around it, so signature scanners that reject the file as "not a JSP" still leave Jetty with a working servlet.
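A practical hunt for this technique is to look in the ActiveMQ admin webapp for JSP files that are not plain text but still carry JSP markers, since that is exactly the shape Trustwave describes: a binary container that the JSP engine nevertheless compiles. The script below is an added example written for this article, not Trustwave's or Apache's code; the NUL-byte and non-printable-ratio heuristic, the 10% threshold, the `.jsp`/`.jspx` extension filter, and the constructed sample files are all assumptions made here for illustration, not published indicators.

```python
"""
Hunt for JSP web shells hidden inside non-text files under ActiveMQ's admin webapp.

Heuristic (an assumption for this example, not a vendor signature): a legitimate
JSP in webapps/admin is plain text, while a JSP payload wrapped in an unknown
binary container contains NUL bytes or a high share of non-printable bytes yet
still carries markers such as "<%" that the JSP engine will compile.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# JSP scriptlet/directive/expression/declaration and <jsp:...> action markers.
JSP_MARKER = re.compile(rb"<%[@=!]?|<jsp:")
# Bytes considered "text": printable ASCII plus tab, LF, CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Share of non-printable bytes above which a file is treated as binary (assumed).
NONPRINTABLE_RATIO = 0.10
JSP_EXTENSIONS = (".jsp", ".jspx")


@dataclass
class Finding:
    path: str
    reason: str
    nonprintable_ratio: float


def is_suspicious(data: bytes) -> tuple[bool, str, float]:
    """Return (flagged, reason, non-printable ratio) for one file's bytes."""
    if not data:
        return False, "", 0.0
    has_jsp = JSP_MARKER.search(data) is not None
    nonprint = sum(1 for b in data if b not in PRINTABLE)
    ratio = nonprint / len(data)
    if has_jsp and b"\x00" in data:
        return True, "jsp-markers-with-nul-bytes", ratio
    if has_jsp and ratio > NONPRINTABLE_RATIO:
        return True, "jsp-markers-in-mostly-binary-file", ratio
    return False, "", ratio


def scan_admin_dir(admin_dir: str) -> list[Finding]:
    """Walk the admin webapp and flag JSP-extension files that look binary."""
    findings: list[Finding] = []
    for root, _dirs, files in os.walk(admin_dir):
        for name in files:
            if not name.lower().endswith(JSP_EXTENSIONS):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            flagged, reason, ratio = is_suspicious(data)
            if flagged:
                findings.append(Finding(path, reason, ratio))
    return findings


def make_constructed_sample() -> str:
    """Build a throwaway 'admin' tree with constructed files (not real artifacts)."""
    base = tempfile.mkdtemp(prefix="activemq-admin-hunt-")
    admin = os.path.join(base, "admin")
    os.makedirs(admin)
    # Legitimate-looking plain-text JSP: must not be flagged.
    with open(os.path.join(admin, "index.jsp"), "wb") as fh:
        fh.write(b'<%@ page contentType="text/html" %>\n<html>ok</html>\n')
    # Constructed stand-in for a JSP payload wrapped in opaque binary bytes.
    with open(os.path.join(admin, "x.jsp"), "wb") as fh:
        fh.write(b"\x00\x01\x02\xff" * 8 + b"<% out.print(1); %>" + b"\x00\x80" * 8)
    # Binary asset with no JSP markers: must not be flagged.
    with open(os.path.join(admin, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 50)
    return base


if __name__ == "__main__":
    # Replace with the real path, e.g. <ACTIVEMQ_HOME>/webapps/admin (assumed layout).
    for f in scan_admin_dir(make_constructed_sample()):
        print(f"{f.path}: {f.reason} (non-printable ratio {f.nonprintable_ratio:.2f})")
```

Point `scan_admin_dir` at the `webapps/admin` directory of the ActiveMQ installation (or the whole `webapps` tree) and treat any hit as a file to pull for analysis rather than a confirmed shell; a hit paired with a recent modification time on a host exposed to the vulnerability is a strong signal.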
The JSP payload ultimately allows the threat actor to connect to the web shell through the Godzilla management user interface and gain full control over the target host, facilitating the execution of arbitrary shell commands, viewing network information, and performing file management operations.
Users of Apache ActiveMQ are strongly advised to update to the latest version as soon as possible (5.15.16, 5.16.7, 5.17.6, or 5.18.3 and later contain the fix for CVE-2023-46604) to mitigate potential threats, and to review the admin webapp directory of any instance that was exposed while unpatched for JSP files that do not belong there.
Some elements of this article are sourced from:
thehackernews.com