January 21, 2024 at 11:03PM
Cybersecurity researchers have observed an increase in threat actor activity exploiting a vulnerability in Apache ActiveMQ by delivering the Godzilla web shell. The web shells are concealed within an unknown binary format to evade security measures. This vulnerability has been actively exploited to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets. It’s crucial for Apache ActiveMQ users to update to the latest version promptly.
Key takeaways from the report:
– There is a notable increase in threat actor activity exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.
– The web shells are concealed within an unknown binary format to evade security and signature-based scanners.
– CVE-2023-46604 refers to a severe vulnerability in Apache ActiveMQ enabling remote code execution and has been actively exploited by multiple adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.
– Susceptible instances have been targeted by JSP-based web shells planted within the “admin” folder of the ActiveMQ installation directory, with the web shell named Godzilla, capable of parsing inbound HTTP POST requests.
– The JSP code appears to be concealed within an unknown type of binary, potentially evading security measures and detection during scanning.
– The web shell code is converted into Java code prior to its execution by the Jetty Servlet Engine, allowing threat actors to gain complete control over the target host.
– Users of Apache ActiveMQ are strongly advised to update to the latest version as soon as possible to mitigate these threats.
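The report says the JSP shell is planted in the ActiveMQ "admin" folder and hidden inside an unknown binary container, so a defender's check is to compare that folder against a known-good manifest and to look for JSP tags that sit behind non-text bytes or inside non-.jsp files. The script below is an added example (not code from the report or from the Apache ActiveMQ project); it assumes you already have a baseline of relative path to SHA-256 for a clean install, and the sample files it writes are constructed stand-ins, not real Godzilla artifacts.

```python
import hashlib
import os
import re
import tempfile

# A JSP scriptlet, expression, declaration or directive tag: <% ... %>, <%@ ... %>, etc.
JSP_TAG = re.compile(rb"<%[@=!]?.*?%>", re.DOTALL)
# Byte values expected in a plain-text JSP page (printable ASCII plus tab/CR/LF).
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def concealed_jsp_reasons(name: str, data: bytes) -> list:
    """Heuristics for JSP code hidden inside a non-text container (assumed indicators)."""
    reasons = []
    tags = list(JSP_TAG.finditer(data))
    if not tags:
        return reasons
    if not name.lower().endswith(".jsp"):
        reasons.append("jsp-tags-in-non-jsp-file")
    prefix = data[: tags[0].start()]
    if prefix:
        nontext = sum(1 for b in prefix if b not in TEXT_BYTES)
        # A real JSP page is text from the first byte; a mostly binary prefix is suspicious.
        if nontext / len(prefix) > 0.10:
            reasons.append("jsp-tags-after-binary-prefix")
    return reasons


def scan_admin_dir(root: str, baseline: dict) -> dict:
    """Walk `root`, compare each file with `baseline` (relpath -> sha256 hex) and
    return {relpath: [reasons]} for anything added, modified, missing or concealed."""
    findings = {}
    seen = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            seen.add(rel)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            if rel not in baseline:
                reasons.append("not-in-baseline")
            elif baseline[rel] != sha256(data):
                reasons.append("hash-mismatch")
            reasons += concealed_jsp_reasons(name, data)
            if reasons:
                findings[rel] = reasons
    for rel in baseline:
        if rel not in seen:
            findings[rel] = ["missing-from-disk"]
    return findings


def build_fixture() -> tuple:
    """Constructed sample admin folder: one legitimate JSP page and one
    binary-wrapped file carrying a JSP tag (a stand-in, not a real shell)."""
    root = tempfile.mkdtemp(prefix="activemq-admin-")
    good = b'<%@ page contentType="text/html" %>\n<html><body>queues</body></html>\n'
    with open(os.path.join(root, "index.jsp"), "wb") as fh:
        fh.write(good)
    baseline = {"index.jsp": sha256(good)}
    # 128 high bytes as an "unknown binary" header, followed by a harmless JSP tag.
    blob = bytes(range(0x80, 0xC0)) * 2 + b"<% /* constructed stand-in */ %>"
    with open(os.path.join(root, "blob.dat"), "wb") as fh:
        fh.write(blob)
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_fixture()
    for rel, reasons in sorted(scan_admin_dir(root, baseline).items()):
        print(rel, reasons)
```

Run it against the real "admin" folder by replacing `build_fixture()` with the install path and a manifest generated from a clean copy of the same ActiveMQ release; any file that is not in the manifest, or whose hash differs, deserves a look even if the JSP heuristics stay quiet.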