Cybersecurity researchers are warning of a “notable increase” in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.
CVE-2023-46604 (CVSS score: 10.0) refers to a severe vulnerability in Apache ActiveMQ that enables remote code execution. Since its public disclosure in late October 2023, it has come under active exploitation by multiple adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.
The web shell, named Godzilla, is a functionality-rich backdoor capable of parsing inbound HTTP POST requests, executing the content, and returning the results in the form of an HTTP response.
“What makes these malicious files particularly noteworthy is how the JSP code appears to be concealed within an unknown type of binary,” security researcher Rodel Mendrez said. “This method has the potential to circumvent security measures, evading detection by security endpoints during scanning.”
A closer examination of the attack chain shows that the web shell code is converted into Java code prior to its execution by the Jetty Servlet Engine.
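A defender-side check for the concealment technique described above, written as an added example for this article (it is not the article's, Trustwave's, or Apache's code): it walks a directory, which is passed on the command line because the article names no path, and flags files that both carry recognisable JSP markers and consist largely of non-text bytes, the combination one would expect from JSP web shell code hidden inside an unknown binary. The thresholds, marker list, and sample blobs are constructed for illustration and should be tuned to the environment.

```python
"""Flag files that embed JSP code inside otherwise binary content.

Added example, not from the article. Assumptions: the scan root is given on
the command line (the article names no path), and a JSP web shell hidden in a
binary wrapper still contains plain JSP constructs that can be searched for.
"""
import os
import re
import sys
from dataclasses import dataclass

# JSP constructs typical of server-side web shells (constructed marker list).
JSP_MARKERS = [
    re.compile(rb"<%@\s*page"),
    re.compile(rb"<%[\s!=]"),
    re.compile(rb"%>"),
    re.compile(rb"request\.getParameter"),
    re.compile(rb"javax\.servlet"),
]

# Bytes treated as "text": printable ASCII plus tab, LF and CR.
_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


@dataclass
class Finding:
    path: str
    binary_ratio: float
    markers: list


def binary_ratio(data: bytes) -> float:
    """Fraction of bytes that fall outside the printable-ASCII/whitespace range."""
    if not data:
        return 0.0
    non_text = sum(1 for b in data if b not in _TEXT_BYTES)
    return non_text / len(data)


def jsp_markers(data: bytes) -> list:
    """Patterns from JSP_MARKERS that occur anywhere in data."""
    return [p.pattern.decode() for p in JSP_MARKERS if p.search(data)]


def classify(data: bytes, min_binary_ratio: float = 0.10, min_markers: int = 2):
    """Return (ratio, markers) when data looks like JSP wrapped in a binary, else None.

    A clean .jsp file has markers but a near-zero binary ratio; a plain binary
    has a high ratio but no markers. Only the combination is flagged.
    """
    markers = jsp_markers(data)
    ratio = binary_ratio(data)
    if len(markers) >= min_markers and ratio >= min_binary_ratio:
        return ratio, markers
    return None


def scan_directory(root: str) -> list:
    """Walk root and collect a Finding for every file classify() flags."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            result = classify(data)
            if result:
                findings.append(Finding(path, result[0], result[1]))
    return findings


# Constructed samples: JSP text sandwiched between high-byte padding, a clean
# JSP page, and a marker-free binary blob.
SAMPLE_HIDDEN = (
    bytes(range(0x80, 0x100))
    + b'<%@ page import="java.io.*" %>\n<% request.getParameter("x"); %>'
    + bytes(range(0x80, 0x100))
)
SAMPLE_CLEAN_JSP = b'<%@ page import="java.io.*" %>\n<% out.println("hi"); %>\n'
SAMPLE_PLAIN_BINARY = bytes(range(256))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for f in scan_directory(sys.argv[1]):
            print(f"{f.path}: binary_ratio={f.binary_ratio:.2f} markers={f.markers}")
    else:
        for label, blob in [("hidden", SAMPLE_HIDDEN), ("clean", SAMPLE_CLEAN_JSP),
                            ("binary", SAMPLE_PLAIN_BINARY)]:
            print(label, classify(blob))
```

Run it as `python scan_jsp_in_binary.py /path/to/activemq/webapps` (path is an assumption) and triage any hit as a likely web shell rather than a false alarm: a file that mixes JSP directives with non-text bytes has no benign reason to exist under a servlet container. A true positive means the host was already exploited, so patching alone is not sufficient and the system should be treated as compromised.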
Users of Apache ActiveMQ are strongly advised to update to the latest version as soon as possible to mitigate this threat.
Source: https://thehackernews.com/