Company Trustwave has warned about a significant increase in the activity of exploiting a vulnerability in Apache Activemq, which delivers the Godzilla web-wrapping to compromised hosts.
The web shells are concealed in an unknown binary format to evade security systems and scanners that rely on signatures. Notably, despite the unknown binary file format, the JSP Activemq mechanism still compiles and executes the web shell.
The vulnerability CVE-2023-46604 (CVSS: 9.8 rating) in Apache Activemq enables remote code execution (RCE). Since its public disclosure at the end of October 2023, cyber attackers have actively exploited this vulnerability to deploy malicious programs, routes, cryptocurrency miners, and DDoS bots.
In a recent wave of attacks thwarted by Trustwave, vulnerable instances were targeted on JSP (Java Server Pages)-based websites located in the Admin folder of the ActiveMQ installation directory. The web shell, known as Godzilla, is a versatile backdoor capable of analyzing incoming HTTP posts, carrying out commands, and returning results in the form of HTTP responses.
The malicious files are particularly noteworthy because the JSP code is embedded within an unknown binary file type. This method evades detection during scans and enables the code to be executed through the Jetty servlet mechanism (software components that enhance web server functionality) as Java code.
The payload of the JSP allows cybercriminals to connect to the web shell through the user interface of Godzilla, granting full control over the targeted host. This facilitates the execution of arbitrary shell commands, viewing network information, and conducting file management operations. Apache Activemq users are strongly advised to update to the latest version as soon as possible to minimize potential threats.