CVE-2023-46604 bug in Apache ActiveMQ exploited by threat actors poses severe cybersecurity risks, evading detection during scanning.

Recently, there has been a significant rise in cyberattacks exploiting a critical vulnerability in Apache ActiveMQ, according to cybersecurity researchers. This flaw, known as CVE-2023-46604, has been patched, but threat actors are still taking advantage of it to distribute the notorious Godzilla web shell onto compromised systems. The web shell is hidden within an unidentified binary format, making it difficult to detect using traditional security measures and scanners. As a result, attackers can gain unauthorized access and control over vulnerable hosts, posing a serious threat.

Apache ActiveMQ and the CVE-2023-46604:

Apache ActiveMQ is an open-source message broker developed by the Apache Software Foundation, serving as a message-oriented middleware platform. It enables asynchronous communication and data exchange between different applications. However, the discovery of CVE-2023-46604 has exposed a severe remote code execution vulnerability in ActiveMQ. This vulnerability allows threat actors with network access to execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol’s deserialization process.

Attack Chain and Exploitation:

Security researchers, including those from Trustwave and Rapid7, have noticed a significant increase in cyberattacks targeting this vulnerability. In these attacks, threat actors deploy a web shell that incorporates code from the open-source Godzilla web shell, known for its versatile capabilities. By concealing the web shell within an unknown binary format, attackers can effectively bypass security measures and scanners that rely on signatures.

The Complex Attack Process:

The attack strategy involves placing malicious files, often JavaServer Page (JSP) files, in the “admin” folder within the ActiveMQ installation directory. This folder, which contains server scripts for the ActiveMQ administrative and web management console, becomes a primary target for attackers. Interestingly, the Jetty JSP engine, integrated into ActiveMQ as the web server, parses, compiles, and executes the embedded Java code enclosed in the unknown binary. This sophisticated technique of concealing code within an unknown binary proves effective in circumventing security measures, successfully avoiding detection during scanning processes.

Godzilla Web Shell: A Stealthy Menace

Once deployed, the Godzilla web shell provides threat actors with a wide range of capabilities. These include the ability to view network details, conduct port scans, and execute advanced commands such as Mimikatz and Meterpreter. Additionally, attackers can remotely manage SQL databases, inject shellcode into processes, and handle file management tasks.

The sophistication of this web shell is further highlighted by its ability to connect through the Godzilla management user interface. This grants threat actors complete control over the compromised system, enabling them to execute arbitrary shell commands, access sensitive network information, and carry out various malicious activities without detection.

Mitigation Recommendations:

To mitigate the potential threats associated with this active exploitation, users of Apache ActiveMQ are strongly advised to promptly update to the latest versions (5.15.16, 5.16.7, 5.17.6, or 5.18.3). This critical step is essential in safeguarding systems against the escalating risk posed by threat actors leveraging the CVE-2023-46604 vulnerability.

In conclusion, the recent surge in Godzilla web shell attacks exploiting Apache ActiveMQ vulnerabilities emphasizes the importance of timely software updates and a proactive approach to cybersecurity. As threat actors continue to exploit known vulnerabilities, organizations must remain vigilant and prioritize the implementation of security patches to strengthen their digital defenses.