January 22, 2024 at 06:09PM
A new wave of cyberattacks is targeting a critical remote code-execution vulnerability in Apache ActiveMQ and planting the Godzilla web shell to take control of compromised hosts. The vulnerability, CVE-2023-46604, affects multiple versions of ActiveMQ; once a server is exploited, attackers have used the access for port scanning, network enumeration, and shell-command execution. Over 3,400 vulnerable servers remain reachable from the Internet, raising concerns about patching delays.
The key takeaways are as follows:
– A critical remote code-execution (RCE) vulnerability in Apache ActiveMQ, tracked as CVE-2023-46604, is being actively exploited. It carries the maximum CVSS score of 10.0 and affects multiple versions of Apache ActiveMQ.
– The attacks deploy a web shell known as Godzilla, which gives the threat actors complete control over compromised systems. The adversaries wrap the Godzilla web shell inside an unknown binary format in an attempt to evade detection by security controls.
– Researchers from Trustwave SpiderLabs have observed a notable increase in attacks targeting the ActiveMQ vulnerability in recent weeks. They have published indicators of compromise (IoCs) for the new activity and a YARA rule for detecting the Godzilla web shell on compromised systems.
– Over 3,400 ActiveMQ servers with the vulnerability are currently accessible from the Internet, indicating a significant patching lag. Attackers have used the vulnerability for port scans, network enumeration, and execution of shell commands on the compromised brokers.
– The root cause is insecure deserialization in the OpenWire protocol handler: a threat actor can execute arbitrary shell commands by sending a manipulated serialized object to an affected broker. Exploit code and full technical details of the bug have been publicly available since early November 2023, so any still-unpatched Internet-facing broker should be assumed to have been probed.
– Observed post-exploitation activity for CVE-2023-46604 includes attempts to install cryptomining tools, rootkits, and remote access Trojans. Threat actors have also used the vulnerability to drop ransomware on vulnerable systems.
– The significance of the sudden spike in malicious activity targeting CVE-2023-46604 is still being investigated, including whether the attacks are targeted or opportunistic in nature.
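The following Python script is an added example, not code from the article, from Trustwave SpiderLabs, or from the Apache project. It shows the two checks behind a figure like the 3,400 exposed servers quoted above: deciding whether an ActiveMQ version string is on a fixed release, and reading the ProviderVersion that a broker advertises in the OpenWire WireFormatInfo banner it sends on connection to port 61616. The fixed releases (5.15.16, 5.16.7, 5.17.6, 5.18.3) are taken from Apache's advisory for CVE-2023-46604; the sample banner is constructed for the example and models only the property-map encoding the parser relies on, and the `probe()` helper is an assumption about how an operator would run the check against their own hosts.

```python
"""Check ActiveMQ brokers for exposure to CVE-2023-46604 (added example).

Two pieces: a version comparison against the fixed releases from the Apache
advisory, and a parser for the ProviderVersion property in the OpenWire
WireFormatInfo banner. Only probe hosts you are authorised to test.
"""
import re
import socket
import struct
from typing import Optional, Tuple

# First fixed release on each maintained 5.x branch (Apache advisory for CVE-2023-46604).
FIXED = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# Type tag for a STRING value in the OpenWire property map (MarshallingSupport.STRING_TYPE).
STRING_TYPE = 9


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.17.3' (or '5.17.3-SNAPSHOT') into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the version predates the fix on its branch.

    Branches with a dedicated fix are compared against that release; every
    other 5.x (and older) version is affected unless it is at least 5.15.16,
    which also makes 5.19+ and 6.x come out as fixed.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return v < (5, 15, 16)


def provider_version_from_banner(banner: bytes) -> Optional[str]:
    """Extract ProviderVersion from a raw WireFormatInfo frame.

    Keys in the property map are UTF strings, each followed by a type tag and
    the value; ProviderVersion is a STRING (tag 9, then a 2-byte big-endian
    length and the bytes). Locating the key and reading what follows avoids
    decoding the whole frame.
    """
    key = b"ProviderVersion"
    idx = banner.find(key)
    if idx < 0:
        return None
    pos = idx + len(key)
    if pos + 3 > len(banner) or banner[pos] != STRING_TYPE:
        return None
    (length,) = struct.unpack(">H", banner[pos + 1:pos + 3])
    value = banner[pos + 3:pos + 3 + length]
    if len(value) != length:
        return None
    return value.decode("utf-8", errors="replace")


def _utf(s: str) -> bytes:
    """2-byte length prefix followed by UTF-8 bytes, as the property map encodes keys and strings."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sample_banner(version: str) -> bytes:
    """Constructed banner (not a capture): size, command type 1 (WireFormatInfo),
    the 'ActiveMQ' magic, a wire version, an entry count, then three string
    properties in the order a broker typically sends them."""
    props = (
        _utf("ProviderName") + bytes([STRING_TYPE]) + _utf("ActiveMQ")
        + _utf("ProviderVersion") + bytes([STRING_TYPE]) + _utf(version)
        + _utf("PlatformDetails") + bytes([STRING_TYPE]) + _utf("Java")
    )
    body = b"ActiveMQ" + struct.pack(">I", 12) + struct.pack(">I", 3) + props
    return struct.pack(">I", len(body) + 1) + bytes([1]) + body


def probe(host: str, port: int = 61616, timeout: float = 5.0) -> Optional[str]:
    """Connect to the OpenWire port and return the advertised ProviderVersion (assumed helper)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
                found = provider_version_from_banner(data)
                if found:
                    return found
        except socket.timeout:
            pass
    return provider_version_from_banner(data)


if __name__ == "__main__":
    sample = build_sample_banner("5.17.3")  # constructed input
    ver = provider_version_from_banner(sample)
    print(ver, "vulnerable" if ver and is_vulnerable(ver) else "fixed")
```

Run `probe("broker.example.internal")` against your own brokers and feed the result to `is_vulnerable()`; an unreachable ProviderVersion (returns `None`) usually means the banner was truncated or the port is not OpenWire, not that the host is safe.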