OpenWire: Investigating Apache ActiveMQ RCE Using Wireshark

Investigating a Java deserialization vulnerability in Apache ActiveMQ that enables remote code execution through insecure class loading.

Scenario

During your shift as a tier-2 SOC analyst, you receive an escalation from a tier-1 analyst regarding a public-facing server. This server has been flagged for making outbound connections to multiple suspicious IPs. In response, you initiate the standard incident response protocol, which includes isolating the server from the network to prevent potential lateral movement or data exfiltration and obtaining a packet capture from the NSM utility for analysis. Your task is to analyze the pcap and assess for signs of malicious activity.

Questions

Open the pcap file in Wireshark.

Question 1: By identifying the C2 IP, we can block traffic to and from this IP, helping to contain the breach and prevent further data exfiltration or command execution. Can you provide the IP of the C2 server that communicated with our server?

Filtering with http protocol, we get 6 packets. Among them we see a particular IP Address 146.190.21.92. This is the C2 Server IP as it hosts the invoice.xml and this xml file may be involved in exploiting the Java deserialization vulnerability.

Question 2: Initial entry points are critical to trace the attack vector back. What is the port number of the service the adversary exploited?

Taking a little help from the hint, I searched for Openwire protocol with the C2 IP as the destination and found the port number that was exposed to the attacker.

Question 3: Following up on the previous question, what is the name of the service found to be vulnerable?

Checking the Packet Details pane we get the name of the service.

But the Question asks for the full service name, so a quick google search gives us the full name.

Question 4: The attacker’s infrastructure often involves multiple components. What is the IP of the second C2 server?

Other than the communication between the previous C2 IP with the client 134.209.197.3, we find another IP communication. That’s our answer.

Question 5: Attackers usually leave traces on the disk. What is the name of the reverse shell executable dropped on the server?

Using the second C2 IP, we see that the attacker dropped a reverse shell named docker.

If we follow the stream here, we see the reverse shell execution command.

Question 6: What Java class was invoked by the XML file to run the exploit?

When we follow the stream from the previous answers, we will find the Java class that was invoked by the invoice.xml file.

Question 7: To better understand the specific security flaw exploited, can you identify the CVE identifier associated with this vulnerability?

I just googled and found the answer.

Question 8: The vendor addressed the vulnerability by adding a validation step to ensure that only valid Throwable classes can be instantiated, preventing exploitation. In which Java class and method was this validation step added?

Conclusion

Considering the previous labs on wireshark and network forensics that I have done, this was quite easier. Nevertheless it was a good revision and practice of my wireshark skills. Hope you all enjoyed the lab. That’s all for today. Thank You!!!

Scroll to Top