Openfire Vulnerability – Hackers Exploiting Openfire Flaw to Encrypt Servers

Hackers are taking advantage of a significant vulnerability in Openfire messaging servers, encrypting them with ransomware and deploying cryptocurrency miners.
Openfire, a widely used open-source chat (XMPP) server, has become the target of active exploitation, posing serious security risks to server operators.
This article delves into the vulnerability (CVE-2023-32315), the impact on Openfire servers, and the malicious activities of threat actors.
Key Takeaways:
- Openfire Vulnerability Exploited: A high-severity vulnerability (CVE-2023-32315) affecting Openfire messaging servers is actively exploited by hackers. This flaw allows attackers to bypass authentication and create unauthorized admin accounts, providing them with control over the server.
- Malicious Java Plugins Deployed: Attackers leverage the compromised admin accounts to install malicious Java plugins (JAR files) that execute commands through HTTP requests. This enables them to execute arbitrary code on the vulnerable servers.
- Widespread Impact: The vulnerability affects Openfire versions dating back to 2015, impacting a broad range of servers. Despite patches being available, a significant number of servers remain vulnerable, highlighting the urgency of applying security updates.
The Openfire Vulnerability (CVE-2023-32315)
A critical security flaw (CVE-2023-32315) in Openfire messaging servers has become an active target for cybercriminals. This vulnerability enables attackers to bypass authentication and create unauthorized admin accounts on vulnerable servers, granting them control over these systems.
Prolific Exploitation
Despite the availability of security patches, over 3,000 Openfire servers were still running vulnerable versions as of mid-August 2023. Dr. Web reports active exploitation of this flaw, with the first known case dating back to June 2023.
In this incident, the attackers leveraged the vulnerability to create a new admin user and subsequently installed a malicious JAR plugin that facilitated arbitrary code execution.
Cryptomining and Ransomware Campaigns
Besides ransomware, crypto miners have also been deployed on compromised Openfire servers. Attackers exploit CVE-2023-32315 to create an admin account and install malicious plugins that fetch and install crypto-mining payloads. One such trojan is Kinsing, a Go-based crypto miner.
Another observed attack involves the installation of a C-based UPX-packed backdoor, further highlighting the versatility of this vulnerability for attackers.
Data Gathering and Multiple Attack Scenarios
Dr. Web’s analysis reveals that attackers use malicious Openfire plugins to gather information about compromised servers, including network connections, IP addresses, user data, and kernel versions.
This versatile vulnerability has led to four distinct attack scenarios, emphasizing the need for immediate security updates.
Ransomware Incidents
Several reports confirm ransomware attacks on Openfire servers, with files being encrypted and given the .locked1 extension. While the specific ransomware strain is unknown, ransom demands have been relatively small, ranging from 0.09 to 0.12 bitcoins ($2,300 to $3,500).
Protecting Against Exploitation
It is crucial to address this vulnerability promptly to safeguard Openfire servers. Threat actors do not target Openfire servers exclusively; any vulnerable web server is a target.
Applying security updates as they become available is essential to mitigate the risk of exploitation.
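The article names three artefacts that distinguish these intrusions: admin accounts the operator never provisioned, plugin JARs the operator never installed, and files renamed with the .locked1 extension. The script below is an added example (not code from the article, Dr. Web or the Openfire project) that checks a host for all three against an operator-maintained baseline. It assumes, as this author understands Openfire, that console admins are held in the comma-separated system property admin.authorizedJIDs and that plugins are deployed as *.jar files under the plugins directory; the sample inputs are constructed.

```python
"""Post-exposure triage checks for an Openfire host (added example).

Not code from the article or the Openfire project. Assumptions: Openfire
keeps console admins in the system property "admin.authorizedJIDs" as a
comma-separated list, and plugins are *.jar files under <openfireHome>/plugins.
"""
from __future__ import annotations

from pathlib import Path
from typing import Iterable


def parse_authorized_jids(value: str) -> list[str]:
    """Split the comma-separated admin.authorizedJIDs value into JIDs."""
    return [j.strip() for j in value.split(",") if j.strip()]


def unexpected_admins(authorized_jids: str, baseline: Iterable[str]) -> list[str]:
    """Admin JIDs present on the server but absent from the operator's baseline."""
    known = {j.lower() for j in baseline}
    return sorted(j for j in parse_authorized_jids(authorized_jids) if j.lower() not in known)


def unexpected_plugins(plugin_files: Iterable[str], allowlist: Iterable[str]) -> list[str]:
    """Plugin JAR file names that are not on the operator's allowlist."""
    allowed = {a.lower() for a in allowlist}
    return sorted(
        name for name in plugin_files
        if name.lower().endswith(".jar") and name.lower() not in allowed
    )


def locked_files(paths: Iterable[str], extension: str = ".locked1") -> list[str]:
    """Paths carrying the ransomware extension reported in the article."""
    return sorted(p for p in paths if p.lower().endswith(extension))


def list_files(root: Path) -> list[str]:
    """Recursively list files under root as relative POSIX paths (for live use)."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())


def triage(
    authorized_jids: str,
    baseline_admins: Iterable[str],
    plugin_files: Iterable[str],
    plugin_allowlist: Iterable[str],
    data_files: Iterable[str],
) -> dict[str, list[str]]:
    """Run all three checks and return the findings keyed by check name."""
    return {
        "unexpected_admins": unexpected_admins(authorized_jids, baseline_admins),
        "unexpected_plugins": unexpected_plugins(plugin_files, plugin_allowlist),
        "locked_files": locked_files(data_files),
    }


# Constructed sample inputs; not data from any real incident.
SAMPLE_AUTHORIZED_JIDS = "admin@chat.example.org, ops@chat.example.org, sys-helper@chat.example.org"
SAMPLE_BASELINE_ADMINS = {"admin@chat.example.org", "ops@chat.example.org"}
SAMPLE_PLUGIN_FILES = ["search.jar", "monitoring.jar", "helper.jar", "readme.txt"]
SAMPLE_PLUGIN_ALLOWLIST = {"search.jar", "monitoring.jar"}
SAMPLE_DATA_FILES = ["conf/openfire.xml", "backups/db.sql.locked1", "logs/info.log"]


if __name__ == "__main__":
    # On a live host, replace the sample lists with the property value read from
    # the Openfire database and with list_files(Path("/opt/openfire/plugins")).
    report = triage(
        SAMPLE_AUTHORIZED_JIDS, SAMPLE_BASELINE_ADMINS,
        SAMPLE_PLUGIN_FILES, SAMPLE_PLUGIN_ALLOWLIST, SAMPLE_DATA_FILES,
    )
    for check, findings in report.items():
        print(f"{check}: {findings or 'none'}")
```

Any finding from the first two checks means the host should be treated as compromised regardless of whether the patch has since been applied, since the article notes that the admin account and plugin persist after the initial exploit; the third check is a quick indicator that the ransomware stage has already run.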
Conclusion
The active exploitation of the Openfire vulnerability poses a severe threat to servers. This situation underscores the critical importance of timely patching and security updates to protect against ransomware, crypto miners, and unauthorized access.
Server operators should remain vigilant and take immediate action to secure their systems.
About Openfire: Openfire is a widely used Java-based open-source chat (XMPP) server that plays a crucial role in secure and multi-platform chat communications. It has been downloaded over 9 million times and is relied upon for various communication needs.