Cybersecurity researchers have identified a significant increase in threat actor activity exploiting a patched flaw in Apache ActiveMQ to deliver the Godzilla web shell. The web shells are concealed inside an unknown binary format, which makes them hard to detect and lets them slip past security tooling. The vulnerability (CVE-2023-46604) allows remote code execution and has been actively exploited by adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets. In the latest intrusion set observed, JSP-based web shells named Godzilla are planted in the "admin" folder of the ActiveMQ installation directory. Once a threat actor connects to such a web shell, they gain complete control over the compromised host. Users of Apache ActiveMQ are strongly advised to update to the latest version to mitigate this threat.
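Because the report places the web shells as JSP files under the ActiveMQ "admin" folder and notes that they carry binary content, a simple defensive check is to inventory the `.jsp` files in that directory, compare them against a known-good baseline, and flag any that contain non-text bytes. The script below is an added example written for this page, not code from the researchers or the ActiveMQ project; the baseline file list, the 85% printable-byte threshold and the sample files it builds in a temporary directory are all constructed assumptions, and in practice the baseline should be taken from a clean install of the same ActiveMQ version.

```python
import os
import tempfile
from typing import Dict, List, Set

# Constructed baseline: JSP files expected in the admin console directory.
# Replace with the file list from a clean install of your ActiveMQ version.
EXPECTED_JSP: Set[str] = {"index.jsp", "queues.jsp", "topics.jsp"}


def looks_binary(data: bytes) -> bool:
    """Return True if the bytes do not look like a text JSP page.

    A NUL byte is never legitimate in a JSP source file; otherwise we
    require that most of the first 4 KiB be printable ASCII or whitespace
    (assumed 85% threshold, chosen for this example).
    """
    if b"\x00" in data:
        return True
    sample = data[:4096]
    if not sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) < 0.85


def scan_admin_dir(admin_dir: str, expected: Set[str] = EXPECTED_JSP) -> List[Dict[str, str]]:
    """Walk admin_dir and report JSP files that are unexpected or non-text.

    Each finding is a dict with the path relative to admin_dir and the
    reasons it was flagged, sorted by path for stable output.
    """
    findings: List[Dict[str, str]] = []
    for root, _dirs, files in os.walk(admin_dir):
        for name in files:
            if not name.lower().endswith(".jsp"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, admin_dir).replace(os.sep, "/")
            reasons = []
            if rel not in expected:
                reasons.append("not in baseline")
            with open(path, "rb") as fh:
                data = fh.read()
            if looks_binary(data):
                reasons.append("contains non-text bytes")
            if reasons:
                findings.append({"path": rel, "reason": "; ".join(reasons)})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> List[Dict[str, str]]:
    """Build a constructed admin directory and scan it.

    index.jsp is a clean baseline file, queues.jsp is a baseline file whose
    content has been replaced with binary data, and extra.jsp is an
    unexpected binary file; the last two should be flagged.
    """
    with tempfile.TemporaryDirectory() as admin_dir:
        with open(os.path.join(admin_dir, "index.jsp"), "w", encoding="utf-8") as fh:
            fh.write("<%@ page contentType=\"text/html\" %>\n<html><body>ok</body></html>\n")
        with open(os.path.join(admin_dir, "queues.jsp"), "wb") as fh:
            fh.write(b"<%@ page %>" + b"\x00\x01\x02" * 200)   # constructed tampered content
        with open(os.path.join(admin_dir, "extra.jsp"), "wb") as fh:
            fh.write(bytes(range(128, 256)) * 8)               # constructed unexpected file
        return scan_admin_dir(admin_dir)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}: {finding['reason']}")
```

Run against a real host by calling `scan_admin_dir("/path/to/activemq/webapps/admin")` with a baseline built from a clean copy of the same release; a hit on a baseline file that has turned binary is as significant as an unexpected file, since either indicates the directory has been modified outside of a normal install.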