Cybersecurity researchers are warning of a “notable increase” in threat actor activity exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.
“The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners,” Trustwave said. “Notably, despite the binary’s unknown file format, ActiveMQ’s JSP engine continues to compile and execute the web shell.”
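As an added defensive example, not code from Trustwave or the ActiveMQ project: a Python scan that flags files under a web application tree whose JSP markup (`<%` or `<jsp:`) only appears after a mostly non-text prefix, the shape a JSP web shell wrapped in an opaque binary container would have. The directory layout and the sample files it constructs are assumptions for the demonstration; the threshold is a tunable heuristic, not a signature.

```python
import os
import tempfile

# JSP markup a web shell must still carry for the JSP engine to compile it.
JSP_MARKERS = (b"<%", b"<jsp:")
# Share of non-text bytes before the first marker that makes a file suspicious.
BINARY_RATIO_THRESHOLD = 0.30
_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def jsp_in_binary_wrapper(data: bytes) -> bool:
    """True when JSP markup sits behind a prefix that is mostly non-text bytes."""
    positions = [p for p in (data.find(m) for m in JSP_MARKERS) if p != -1]
    if not positions:
        return False
    prefix = data[: min(positions)]
    if len(prefix) < 16:  # ordinary JSP files open with markup almost at once
        return False
    non_text = sum(1 for b in prefix if b not in _TEXT_BYTES)
    return non_text / len(prefix) >= BINARY_RATIO_THRESHOLD


def scan_jsp_tree(root: str) -> list[str]:
    """Walk a webapps tree and return paths that look like binary-wrapped JSP."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if jsp_in_binary_wrapper(data):
                hits.append(path)
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample tree (assumption): one clean JSP, one wrapped JSP, one text file."""
    root = tempfile.mkdtemp(prefix="jspscan_")
    with open(os.path.join(root, "index.jsp"), "wb") as fh:
        fh.write(b'<%@ page language="java" %>\n<html><%= 1 + 1 %></html>\n')
    with open(os.path.join(root, "odd.jsp"), "wb") as fh:
        fh.write(bytes(range(64)) + b"\x00\xff" * 16 + b'<% out.println("x"); %>')
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing here")
    return root


if __name__ == "__main__":
    for hit in scan_jsp_tree(build_demo_tree()):
        print("binary-wrapped JSP:", hit)
```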
CVE-2023-46604 (CVSS score: 10.0) refers to a severe vulnerability in Apache ActiveMQ that enables remote code execution. Since its public disclosure in late October 2023, it has come under active exploitation by multiple adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.