Ransomware/Malware Activity

Apache ActiveMQ Vulnerability Exploited to Deliver Godzilla Web Shell

In the opening weeks of 2024, a resurgence in the exploitation of CVE-2023-46604 was observed. The flaw, a remote code execution vulnerability in Apache ActiveMQ that was disclosed in October 2023 and fixed in ActiveMQ 5.15.16, 5.16.7, 5.17.6 and 5.18.3, is being used to drop Java Server Pages (JSP)-based web shells into the "admin" folder of the ActiveMQ installation directory. Trustwave researchers identified the JSP code as coming from Godzilla, an open-source web shell. What sets these drops apart is that the JSP code is concealed inside a binary of unknown format: signature-based scanners fail to recognize it, while ActiveMQ's JSP engine still compiles and executes the embedded JSP. Once the shell is installed, the threat actor connects to it to take control of the compromised host, and from there can gather sensitive information and expand control across the network. Godzilla's capabilities include port and network scanning, running Mimikatz and Meterpreter commands, executing shell commands, and many others, giving threat actors a high degree of versatility in their next actions once it is deployed on a system. This campaign highlights once again the importance of keeping systems up to date, as the exploited flaw has been patched for some time. CTIX analysts will continue to monitor the development of Godzilla and any further exploitation of Apache ActiveMQ.
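The following script is an added example for hunting this kind of drop; it is not code from the Trustwave or Hacker News reports, nor from the ActiveMQ project. It walks a web console directory such as the ActiveMQ installation's webapps/admin folder, flags JSP files that the operator has not allowlisted, flags files that reference APIs a console page has no reason to use (class loading, command execution, crypto, base64 decoding), and flags JSP source preceded by a run of non-text bytes, the binary-wrapped shape described above. The directory layout, the allowlist and the two sample pages are constructed for the demo; the shell-like sample only imitates the reported shape and is not Godzilla's own code.

```python
"""
Hunt for dropped JSP web shells under an ActiveMQ web console directory.

Added example; not code from the Trustwave or Hacker News reports nor from
the ActiveMQ project. Paths, the allowlist and the sample pages are
constructed for the demo: build the real allowlist from a clean install of
the same ActiveMQ version, and point the audit at <activemq>/webapps/admin.
"""
import re
import tempfile
from pathlib import Path

# Bytes a JSP source file is expected to consist of: printable ASCII plus
# tab, newline and carriage return. Anything else before the first JSP tag
# is treated as wrapper junk.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# APIs a benign console page has no reason to touch. Each hit is reported by
# name so an analyst can triage the file quickly.
SUSPICIOUS_PATTERNS = {
    "command-exec": re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder"),
    "dynamic-classload": re.compile(rb"defineClass|ClassLoader"),
    "crypto-in-jsp": re.compile(rb"javax\.crypto|Cipher\.getInstance"),
    "base64-decode": re.compile(rb"Base64\.getDecoder|BASE64Decoder|decodeBase64"),
}


def scan_jsp_bytes(data):
    """Return the list of heuristic tags that apply to one JSP file's content."""
    tags = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(data)]
    # The Godzilla drops were reported as JSP hidden inside an unknown binary
    # blob that the JSP engine still compiles. Flag files whose first '<%'
    # tag is preceded by a run of non-text bytes.
    first_tag = data.find(b"<%")
    if first_tag > 0:
        non_text = sum(1 for b in data[:first_tag] if b not in TEXT_BYTES)
        if non_text >= 16:  # tolerate a BOM or a stray character, not a blob
            tags.append("binary-wrapped-jsp")
    return tags


def audit_admin_dir(root, allowlist):
    """Walk root and return {relative_path: [reasons]} for suspicious JSP files.

    allowlist: relative POSIX-style paths of JSP files known to ship with the
    installed ActiveMQ version (operator-supplied; constructed in the demo).
    """
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in {".jsp", ".jspx"}:
            continue
        rel = path.relative_to(root).as_posix()
        reasons = [] if rel in allowlist else ["not-in-allowlist"]
        reasons.extend(scan_jsp_bytes(path.read_bytes()))
        if reasons:
            findings[rel] = reasons
    return findings


def build_demo_tree(base):
    """Create a constructed console directory: one benign page, one shell-like drop."""
    admin = Path(base) / "webapps" / "admin"
    admin.mkdir(parents=True)
    (admin / "index.jsp").write_bytes(
        b'<%@ page contentType="text/html" %>\n'
        b"<html><body>ActiveMQ console</body></html>\n"
    )
    # Shell-like sample: binary junk, then JSP that base64-decodes a request
    # parameter and loads it as a class. Constructed to match the reported
    # shape; it is not Godzilla's actual code.
    junk = bytes(range(0x80, 0xA0)) * 2
    (admin / "up.jsp").write_bytes(
        junk
        + b'<%@ page import="javax.crypto.Cipher" %><%\n'
        b'byte[] d = java.util.Base64.getDecoder().decode(request.getParameter("p"));\n'
        b"new ClassLoader() { Class g(byte[] b) { return defineClass(b, 0, b.length); } };\n"
        b"%>\n"
    )
    return admin


def run_demo():
    """Audit the constructed tree in a temporary directory and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        admin = build_demo_tree(tmp)
        return audit_admin_dir(admin, {"index.jsp"})


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Against a real host, call audit_admin_dir on the install's webapps/admin directory with an allowlist taken from a clean copy of the same release. A hit on binary-wrapped-jsp or command-exec is a reason to preserve the file for analysis rather than delete it: the dropped shell is the evidence of how the host was reached and when.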

  • The Hacker News: Apache ActiveMQ Godzilla Web Shell Article
  • Trustwave: Apache ActiveMQ Godzilla Web Shell Article

Threat Actor Activity

Chinese Hackers Silently Exploiting VMware Zero-Day Flaw

An advanced Chinese cyber espionage group has been discovered exploiting a critical vulnerability in VMware vCenter Server (CVE-2023-34048), an out-of-bounds write in vCenter's DCERPC implementation, as a zero-day since late 2021. The group, tracked as UNC3886, has previously been linked to the exploitation of flaws in VMware and Fortinet appliances and has a history of using zero-day vulnerabilities to avoid detection. VMware patched the flaw in October 2023; researchers have since tied it to the UNC3886 campaign first reported in June 2023, for which the initial access vector had until now been unknown. The attackers exploited CVE-2023-34048 to breach their targets' vCenter servers and gain privileged access, which they used to enumerate all ESXi hosts and the guest virtual machines attached to them. After retrieving the cleartext "vpxuser" credentials that vCenter holds for the hosts and connecting to them, the threat actor installed the VIRTUALPITA and VIRTUALPIE backdoors, giving them a direct connection to the hosts. This paved the way for the next stage of the attack, which exploited the VMware Tools authentication bypass flaw (CVE-2023-20867) to escalate privileges, execute arbitrary commands, and harvest and exfiltrate files from guest VMs on a compromised ESXi host. In the past, UNC3886 took advantage of a path traversal flaw in Fortinet FortiOS (CVE-2022-41328) to deploy the THINCRUST and CASTLETAP implants and exfiltrate sensitive data from remote servers. The group prefers zero-day flaws in firewall and virtualization technologies, appliances on which Endpoint Detection and Response (EDR) agents cannot run, because that makes it easier to persist within a target's environment undetected. It is also known for its interest in the defense, government, telecom and technology sectors of the United States and the Asia-Pacific and Japan (APJ) region. UNC3886 conducts highly targeted attacks against government and government-related targets and has shown a deep understanding of the underlying hardware and software of its targets' environments, using advanced capabilities such as custom implants and, in one case, reverse-engineering parts of FortiOS. CTIX analysts recommend that administrators of VMware vCenter Server update to the latest version.

  • Bleeping Computer: VMware Article
  • The Hacker News: VMware Article

Vulnerabilities

Older Versions of Atlassian Confluence Server Under Active Exploitation

Security researchers have observed active exploitation attempts against a critical vulnerability in outdated versions of Atlassian Confluence Data Center and Server. The flaw, tracked as CVE-2023-22527, is a template injection vulnerability that allows unauthenticated remote attackers to execute code on vulnerable instances; it affects versions released before December 5, 2023. Researchers have tracked over 39,000 exploitation attempts, primarily from Russian IP addresses, and identified more than 11,000 Confluence instances reachable from the internet, though not all of them are vulnerable. Attackers have been observed running the 'whoami' command for reconnaissance, which confirms code execution and reveals the account the Confluence service runs as. Atlassian has not provided specific indicators of compromise for CVE-2023-22527; it advises administrators to update to a version released on or after December 5, 2023, and to treat outdated, internet-exposed instances as potentially compromised. CTIX analysts recommend that administrators responsible for Atlassian Confluence instances ensure they have upgraded to the most recent software version to prevent exploitation.

  • Bleeping Computer: CVE-2023-22527 Article
  • Rapid7: CVE-2023-22527 Article

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Ankura Consulting Group LLC
2000 K Street NW
12th Floor
Washington
DC 20006
UNITED STATES
Tel: 202 797 1111
E-mail: cody.prince@ankura.com
URL: ankura.com

© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing