Alert: Apache ActiveMQ Flaw Exploited in Godzilla Web Shell Attacks (CVE-2023-46604)

Bar Refael

January 23, 2024

Vulnerability Summary:

  • Affected Software: Apache ActiveMQ
  • Vulnerability ID: CVE-2023-46604 (CVSS Score: 10.0)
  • Type of Vulnerability: Remote Code Execution (RCE)
  • Current Threat: Active exploitation by multiple adversaries

Details of the Threat:

Cybersecurity researchers have detected a significant surge in cybercriminal activities exploiting a critical vulnerability in Apache ActiveMQ. The flaw, identified as CVE-2023-46604, is being used to deploy the Godzilla web shell on compromised hosts. This severe RCE vulnerability, disclosed in late October 2023, has been a vector for various malicious activities, including ransomware, rootkits, cryptocurrency mining, and DDoS botnet deployment.

Characteristics of the Godzilla Web Shell:

  • Concealment: The web shells are hidden within an unknown binary format, making them hard to detect by conventional security and signature-based scanners.
  • Execution Mechanism: Despite the unusual file format, ActiveMQ’s JSP engine still compiles and executes the web shell.
  • Capabilities: The Godzilla web shell is a sophisticated backdoor, capable of parsing inbound HTTP POST requests, executing content, and sending responses via HTTP. It enables threat actors to perform a wide range of actions, such as executing shell commands, viewing network information, and managing files on the compromised host.

Attack Methodology:

  • The web shell code is planted within the “admin” folder of ActiveMQ’s installation directory.
  • It’s converted into Java code for execution by the Jetty Servlet Engine.
  • Attackers can connect to the compromised system using the Godzilla management user interface, gaining full control over the host.

Urgent Recommendations for Clients:

  • Update Immediately: Users of Apache ActiveMQ should update to the latest version without delay to prevent exploitation.
  • Enhanced Monitoring: Vigilantly monitor network traffic and system logs for any signs of compromise or unusual activity.
  • Security Review: Conduct a thorough security review of systems using Apache ActiveMQ, especially focusing on the admin folder and any unusual binary files.
  • Incident Response Plan: Ensure that your incident response plan is up-to-date and ready to be executed in the event of a breach.

Closing Note:

Given the severity and sophistication of this threat, it’s crucial for organizations using Apache ActiveMQ to take immediate and effective action to secure their systems. [Your Company’s Name] is dedicated to assisting our clients in responding to these cybersecurity challenges and ensuring the protection of their digital infrastructure

Stay safe and informed,

OP Innovate.

Under Cyber Attack?

Fill out the form and we will contact you immediately.

Under Cyber Attack?

Fill out the form and we will contact you immediately.