Pierluigi Paganini January 22, 2024

Researchers warn of a spike in attacks exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell.

Trustwave researchers observed a surge in attacks exploiting a now-patched flaw in Apache ActiveMQ, in many cases aimed at delivering a malicious code that borrows the code from the open-source web shell Godzilla.

Threat actors conceal the web shell within an unknown binary format evading security and signature-based scanners. Once deployed, the ActiveMQ’s JSP engine compiles and executes the web shell.

In November 2023, researchers at Rapid7 reported the suspected exploitation of the recently disclosed critical vulnerability CVE-2023-46604 in the Apache ActiveMQ.

Apache ActiveMQ is an open-source message broker software that serves as a message-oriented middleware (MOM) platform. It is developed by the Apache Software Foundation and written in Java. ActiveMQ provides messaging and communication capabilities to various applications, making it easier for them to exchange data and communicate asynchronously.

Rapid7 identified exploitation attempts of the CVE-2023-46604 flaw to deploy HelloKitty ransomware in two different customer environments.

CVE-2023-46604 (CVSS score: 10.0) is a remote code execution vulnerability that impacts Apache ActiveMQ. A remote attacker with network access to a broker can exploit this flaw to run “arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.”

Apache addressed the flaw with the release of new versions of ActiveMQ on October 25, 2023. The researchers pointed out that the proof-of-concept exploit code and vulnerability details are both publicly available.

The vulnerability affects the following versions –

• ActiveMQ 5.18.0 before 5.18.3
• ActiveMQ 5.17.0 before 5.17.6
• ActiveMQ 5.16.0 before 5.16.7
• ActiveMQ before 5.15.16
• ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
• ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
• ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
• ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

In the attacks observed by Trustwave SpiderLabs, the malicious file was planted in the “admin” folder within the ActiveMQ installation directory. The folder contains the server scripts for the ActiveMQ administrative and web management console.

“Interestingly, the Jetty JSP engine which is the integrated web server in ActiveMQ, actually parsed, compiled and executed the embedded Java code that was encapsulated in the unknown binary.” reads the analysis published by Trustwave. “Further examination of the Java code generated by Jetty showed that the web shell code was converted into Java code and therefore was executed.”

Once the web shell has been deployed, the threat actor can connect to it through the Godzilla management user interface and achieve complete control over the target system.

The Godzilla Web Shell supports multiple functionalities including:

• Viewing network details
• Conducting port scans
• Executing Mimikatz commands
• Running Meterpreter commands
• Executing shell commands
• Remotely managing SQL databases
• Injecting shellcode into processes
• Handling file management tasks

The report includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ActiveMQ)