Threat actors have unleashed a fresh wave of cyberattacks targeting a critical remote code-execution vulnerability in Apache ActiveMQ, for which the Apache Software Foundation issued a patch back in October.
In many of the attacks, the adversary has been dropping a payload based on Godzilla, a known Web shell that gives them complete control over compromised systems.
The ActiveMQ vulnerability, tracked as CVE-2023-46604, carries a max-severity score of 10 out of 10 on the CVSS 3.0 scale, and affects multiple versions of the widely used open source message broker technology.
3,400+ Vulnerable ActiveMQ Servers Open to Cyberattack

Researchers from Trustwave SpiderLabs spotted the activity recently and described the threat actors as using an unknown binary to obfuscate the Godzilla Web shell in an attempt to evade signature-based scanners and other security controls.
Once deployed on a vulnerable ActiveMQ server, the threat actor can use Godzilla to conduct port scans, enumerate the network, execute Mimikatz, use Meterpreter and shell commands, inject shell code into processes, and carry out other malicious activity.
The security vendor's analysis of the file showed it to be a Web shell based on Godzilla code.
The security vendor has published indicators of compromise for the new attack activity, and a Yara rule for detecting the Godzilla Web shell on compromised systems.
There are currently more than 3,400 ActiveMQ servers with the vulnerability that are accessible from the Internet, according to data from Internet-monitoring organization ShadowServer.
That is almost the same number of systems that ShadowServer reported as being vulnerable in November as well, suggesting a serious patching lag.
Of the vulnerable servers are located in Asia, and 750 in the US.

Insecure Deserialization Security Bug

The ASF has identified the bug as stemming from insecure deserialization, which refers to an application deserializing data - such as API requests, file uploads, and user inputs - without first verifying whether the data has been manipulated or can be trusted.
The bug allows an attacker with access to a Java-based OpenWire broker or client to execute arbitrary shell commands by sending manipulated objects to an affected server.
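To make the bug class concrete, the following added example (not ActiveMQ's code, nor its actual fix) contrasts a Java receiver that deserializes whatever class name a message stream carries with one that applies a JEP 290 allow-list filter. The `Ping` message type and the `DeserializationDemo` class are hypothetical; the sample inputs are constructed inline.

```java
import java.io.*;

public class DeserializationDemo {
    // Hypothetical message type a broker legitimately expects from clients.
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String from;
        Ping(String from) { this.from = from; }
        @Override public String toString() { return "Ping from " + from; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable pattern: the incoming stream decides which classes get
    // instantiated, so any class on the receiver's classpath can be named by a peer.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allow-list filter admits only the expected message
    // class, bounds nesting depth, and rejects every other class before any of
    // its deserialization hooks run.
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;DeserializationDemo$Ping;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Ping("client-1"));          // constructed sample
        byte[] unexpected = serialize(new java.util.ArrayList<>()); // constructed: not a Ping
        System.out.println("unsafe: " + unsafeRead(unexpected));  // accepted without question
        System.out.println("safe:   " + safeRead(expected));       // accepted: on the allow-list
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Requires Java 9 or later for `ObjectInputFilter`; the same filter can be set process-wide with the `jdk.serialFilter` system property instead of per stream.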
Exploit code and full technical details of the bug have been publicly available since early November, and threat actors have already exploited the flaw to install cryptomining tools, rootkits, and remote access Trojans.
In November, researchers at Rapid7 reported observing a threat actor exploiting CVE-2023-46604 to drop HelloKitty ransomware on vulnerable systems.
The security vendor at the time described the attacks as somewhat amateurish based on the number of attempts it took for the threat actor to encrypt data on a compromised system.
Trustwave did not immediately respond to a Dark Reading request seeking information on what might account for the sudden spike in malicious activity directed at CVE-2023-46604 and whether the attacks appear targeted or opportunistic in nature.
This Cyber News was published on www.darkreading.com. Publication date: Mon, 22 Jan 2024 23:10:24 +0000