Trustwave researchers observed a surge in attacks exploiting a now-patched flaw in Apache ActiveMQ, in many cases aimed at delivering a malicious code that borrows the code from the open-source web shell .
Threat actors conceal the web shell within an unknown binary format evading security and signature-based scanners. Once deployed, the ActiveMQ’s JSP engine compiles and executes the web shell.
In November 2023, researchers at Rapid7 reported the suspected exploitation of the recently disclosed critical vulnerability in the Apache ActiveMQ.
is an open-source message broker software that serves as a message-oriented middleware (MOM) platform. It is developed by the Apache Software Foundation and written in Java. ActiveMQ provides messaging and communication capabilities to various applications, making it easier for them to exchange data and communicate asynchronously.
Rapid7 identified exploitation attempts of the CVE-2023-46604 flaw to deploy HelloKitty ransomware in two different customer environments.
(CVSS score: 10.0) is a remote code execution vulnerability that impacts Apache ActiveMQ. A remote attacker with network access to a broker can exploit this flaw to run “arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.”
Apache addressed the flaw with the release of new versions of ActiveMQ . The researchers pointed out that the proof-of-concept and are both publicly available.
The vulnerability affects the following versions –
In the attacks observed by Trustwave SpiderLabs, the malicious file was planted in the “admin” folder within the ActiveMQ installation directory. The folder contains the server scripts for the ActiveMQ administrative and web management console.
“Interestingly, the Jetty JSP engine which is the integrated web server in ActiveMQ, actually parsed, compiled and executed the embedded Java code that was encapsulated in the unknown binary.” reads the published by Trustwave. “Further examination of the Java code generated by Jetty showed that the web shell code was converted into Java code and therefore was executed.”
Once the web shell has been deployed, the threat actor can connect to it through the management user interface and achieve complete control over the target system.
The Godzilla Web Shell supports multiple functionalities including:
The report includes Indicators of Compromise (IoCs).
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, ActiveMQ)