This week, cybersecurity researchers are sounding the alarm regarding CVE-2023-46604, an Apache ActiveMQ. Although the vulnerability was patched in October 2023, threat actors are exploiting the flaw to deploy the Godzilla web shell on compromised hosts.
Trustwave reports that the web shells are hidden in an unidentified binary format, strategically crafted to bypass security measures and signature-based scanners. Despite the undisclosed file format of the binary, ActiveMQ's JSP engine continues with compiling and running the web shell.
CVE-2023-46604 now has a CVSS score of 10. Trustwave also reports that Vulnerable instances have fallen victim to JSP-based web shells inserted into the "admin" folder of the ActiveMQ installation directory. The Godzilla webshell has the capability to parse incoming HTTP POST requests, execute the content, and provide the results through an HTTP response. It is highly recommended that all users update to the latest version of Apache ActiveMQ as soon as possible.
overview
This week, researchers from Rapid7 have issued a warning regarding the suspected exploitation of a critical vulnerability, tracked as CVE-2023-46604, in Apache ActiveMQ. Apache ActiveMQ is an open-source message broker software, serving as a message-oriented middleware platform. It facilitates communication and data exchange between various applications.
Rapid7's investigation revealed that threat actors (HelloKitty) attempted to exploit CVE-2023-46604 to deploy HelloKitty ransomware in two separate customer environments. The ransomware deployment was observed in cases where organizations were running outdated versions of Apache ActiveMQ.
The vulnerability in question is a remote code execution flaw affecting Apache ActiveMQ, allowing remote attackers to execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. Apache released updated versions of ActiveMQ to address this vulnerability. Impacted versions of Apache ActiveMQ include:
Since the disclosure of the vulnerability, a proof-of-concept (PoC) exploit code and technical details have become publicly available. The Shadowserver Foundation reported that as of October 30, approximately 7,249 Apache ActiveMQ instances were exposed to the internet, with around 3,329 of them vulnerable to the flaw. Organizations are strongly advised to update to fixed versions of Apache ActiveMQ as soon as possible.
INDICATORS OF COMPROMISE (IoCs)
Rapid7's security team looked into CVE-2023-46604 and examined the exploit code available to the public. During their testing, they found that the activemq.log file recorded a single line that confirmed the successful use of CVE-2023-46604. In this specific case, the individual responsible (in this instance, a researcher) operated from the IP address 192[.]168[.]86[.]35 and targeted TCP port 61616. It's important to note that the level of detail in the log entries can be different, depending on the logging settings, which can be adjusted as needed.
Rapid7 has also listed other IoCs found below:
Files dropped and executed via the msiexec command:
Hashes that are part of the two MSI packages downloaded from the domain 172[.]245[.]16[.]125:
SUPPORTING DOCUMENTATION
Suspected Exploitation of Apache ActiveMQ CVE-2023-46604 | Rapid7 Blog
Threat Actors Target Apache ActiveMQ Flaw | Decipher (duo.com)
[AMQ-9370] Openwire marshaller should validate Throwable class type - ASF JIRA (apache.org)
Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks (thehackernews.com)
Apache ActiveMQ Vulnerability Leads to Stealthy Godzilla Webshell (trustwave.com)