Godzilla Web Shell Attacks Stomp on Critical Apache ActiveMQ Flaw

Threat actors have unleashed a fresh wave of cyberattacks targeting a critical remote code-execution (RCE) vulnerability in Apache ActiveMQ, for which the Apache Software Foundation (ASF) issued a patch back in October.

In many of the attacks, the adversary has been dropping a payload based on Godzilla, a known Web shell that enables them to squash compromised systems and gain complete control.

The ActiveMQ vulnerability, tracked as CVE-2023-46604, carries a max-severity score of 10 out of 10 on the CVSS 3.0 scale, and affects multiple versions of the widely used open source message broker technology (including Apache ActiveMQ versions before 5.18.3; 5.17.6. and ActiveMQ Legacy OpenWire Module before 5.18.3 and before 5.17.6).

3,400+ Vulnerable ActiveMQ Servers Open to Cyberattack

Researchers from Trustwave SpiderLabs spotted the activity recently and described the threat actors as using an unknown binary to obfuscate the Godzilla Web shell to try and evade signature-based scanners and other security controls.

Once deployed on a vulnerable ActiveMQ server, the threat actor can use Godzilla to conduct port scans, enumerate the network, execute Mimikatz, use Meterpreter and shell commands, inject shell code into processes, and carry out other malicious activity.

According to Trustwave, there has been a "notable increase" in attacks targeting the flaw in recent weeks. In one of the attacks that Trustwave researchers analyzed, the threat actor planted a malicious JavaServer Page (JSP) file in the "admin" folder of the ActiveMQ installation file. The security vendor's analysis of the file showed it to be a Web shell based on Godzilla code.

"What makes these malicious files particularly noteworthy is how the JSP code appears to be concealed within an unknown type of binary," according to Trustwave's analysis. "This method has the potential to circumvent security measures, evading detection by security endpoints during scanning."

The security vendor has published indicators of compromise (IoCs) for the new attack activity, and a Yara rule for detecting the Godzilla Web shell on compromised systems.

There are currently more than 3,400 ActiveMQ servers with the vulnerability that are accessible from the Internet, according to data from Internet-monitoring organization ShadowServer. That is almost the same number of systems that ShadowServer reported as being vulnerable in November as well, suggesting a serious patching lag. Some 1,600 of the vulnerable servers are located in Asia, and 750 in the US.

"Whenever there is widely used software and public exploits, you'll find exploitation," says Rodel Mendrez, principal researcher at Trustwave. "We often see vulnerabilities that take up to a year to patch, so the attack surface decreases slowly," he says.

Trustwave has not been able to attribute the threat actors behind the fresh wave of attacks. "However, it is worth noting that Godzilla Web shells were previously used by Threat Group 3390 (Emissary Panda) and Dalbit (m00nlight), both Chinese APT groups," Mendrez notes. He identifies the attacks as being likely opportunistic in nature, rather than targeted.

Insecure Deserialization Security Bug

ASF has identified the bug as stemming from insecure deserialization, which basically refers to an application deserializing data — such as API requests, file uploads, and user inputs — without first verifying if the data has been manipulated or can be trusted. The bug allows an attacker with access to a Java-based OpenWire broker or client to execute arbitrary shell commands by sending manipulated objects to an affected server.

Exploit code and full technical details of the bug have been publicly available since early November and threat actors have already exploited the flaw to install cryptomining tools, rootkits, and remote access Trojans. In November, researchers at Rapid7 reported observing a threat actor exploiting CVE-2023-46604 to drop HelloKity ransomware on vulnerable systems. The security vendor at the time described the attacks as somewhat amateurish based on the number of attempts it took for the threat actor to encrypt data on a compromised system.

"The activity was limited to a few days," says Caitlin Condon, director of vulnerability research and intelligence at Rapid7, adding that the company hasn't observed any recent activity targeting the ActiveMQ flaw. "Based on the activity we saw in that incident, it's entirely possible that it was a lone-wolf attacker who got hold of leaked code and tried to make a quick buck. Notably, we were analyzing the malware and the artifacts, not attributing the human adversary."