    SeedTheNet

    Vulnerability in Openfire messaging software allows unauthorized access to compromised servers

    September 25, 2023

    Doctor Web is notifying users about the spread of malicious plugins for the Openfire messaging server. To date, more than 3,000 servers worldwide that have Openfire software installed on them have been affected by a vulnerability that lets hackers gain access to the file system and use the infected servers as part of a botnet.

    In June 2023, Doctor Web was contacted by a customer reporting an incident in which attackers had been able to encrypt files on their server. The investigation revealed that the infection was carried out during post-exploitation of the CVE-2023-32315 vulnerability in Openfire messaging software. The exploit performs a directory traversal attack and grants unauthorized access to the administrative interface of Openfire, which the attackers use to create a new user with administrative privileges. They then log in with the newly created account and install the malicious plugin helloworld-openfire-plugin-assembly.jar (SHA1:41d224784242151825aa8001a35ee339a0fef2813f), which can run arbitrary code. The plugin allows shell commands to be executed on the server running Openfire, and also accepts Java code sent to it in a POST request and executes it. This is exactly how the encryption trojan was launched on our customer's server.

    To obtain a sample of this crypto malware, we created an Openfire honeypot and monitored the attacks against it for several weeks. During the time our server was running, we were able to obtain samples of three different malicious plugins. We also obtained samples of two trojans that were installed on our server after Openfire was compromised.

    The first trojan is a mining trojan, written in Go, that is known as kinsing (Linux.BtcMine.546). An attack using this trojan is carried out in four stages:

    1. exploitation of the CVE-2023-32315 vulnerability to create an administrative account named "OpenfireSupport".
    2. authentication under the created user.
    3. installation of the malicious plugin.jar (SHA1:0c6249feee3fef50fc0a5a06299c3e81681cc838) on the server.
    4. the download and launch of the trojan with the help of the installed malicious plugin.

    In another attack scenario, the system was infected with the Linux.BackDoor.Tsunami.1395 trojan, written in C and packed with UPX. The infection process is very similar to the previous one, except that an administrative user was created with a random name and password.

    The third scenario is the most interesting because instead of installing a trojan in the system, the attackers used a malicious Openfire plugin to obtain information about the compromised server. In particular, they were interested in information about the network connections, the IP address, users, and the system’s kernel version.

    The malicious plugins installed in all these cases are JSP.BackDoor.8 backdoors written in Java. These plugins can run a variety of commands in the form of GET and POST requests sent by attackers.

    The Openfire vulnerability in question has been fixed in versions 4.6.8 and 4.7.5. Doctor Web specialists recommend upgrading to the latest versions. If this is not possible, the attack surface should be minimized: restrict network access to ports 9090 and 9091, modify the Openfire settings file so that the administrator console is bound to the loopback interface, or use the AuthFilterSanitizer plugin.
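    The following triage script is an added example (not part of the Doctor Web report or of the Openfire project) that turns the report's facts into checks a defender can run offline against data collected from a host: whether the installed version predates the fixed releases 4.6.8 and 4.7.5, whether the admin console ports 9090 and 9091 listen on anything other than the loopback interface, whether an administrative account named "OpenfireSupport" exists, and whether any plugin jar matches a SHA-1 printed in the report. The `ss -ltn` output, the user list and the plugin bytes below are constructed sample data; the rule that branches newer than 4.7 already contain the fix is our assumption, not a statement from the report.

```python
"""Added Openfire triage helper; inputs are passed in as data so it runs offline."""
import hashlib
import re

# SHA-1 values copied verbatim from the report; treated here only as strings.
# Verify them against the original write-up before relying on them.
REPORT_PLUGIN_SHA1S = {
    "41d224784242151825aa8001a35ee339a0fef2813f",  # helloworld-openfire-plugin-assembly.jar
    "0c6249feee3fef50fc0a5a06299c3e81681cc838",    # plugin.jar (kinsing scenario)
}
# Admin account name the report associates with the kinsing attack.
SUSPICIOUS_ADMIN_NAMES = {"openfiresupport"}
# Admin console ports named in the report.
ADMIN_CONSOLE_PORTS = {9090, 9091}
# First fixed release on each branch, per the report. Assumption (ours): every
# branch newer than 4.7 already includes the fix.
FIXED_BY_BRANCH = {(4, 6): (4, 6, 8), (4, 7): (4, 7, 5)}


def parse_version(version: str) -> tuple:
    """Turn '4.7.4' into (4, 7, 4); suffixes such as '-rc1' are ignored."""
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(n) for n in nums[:3])
    return parts + (0,) * (3 - len(parts))


def is_patched(version: str) -> bool:
    """True if the version is at or past the fixed release for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v >= FIXED_BY_BRANCH[branch]
    # Older than 4.6 predates both fixes; newer than 4.7 is assumed fixed.
    return branch > (4, 7)


def exposed_admin_listeners(ss_output: str) -> list:
    """(address, port) pairs where an admin-console port listens on a
    non-loopback address. Input is the text of `ss -ltn` on Linux."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in ADMIN_CONSOLE_PORTS:
            continue
        host = host.strip("[]")
        if host.startswith("127.") or host == "::1":
            continue
        findings.append((host, int(port)))
    return findings


def suspicious_admins(admin_usernames) -> list:
    """Admin usernames matching the report's attacker-created account name."""
    return [u for u in admin_usernames if u.lower() in SUSPICIOUS_ADMIN_NAMES]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def known_malicious_plugins(plugin_files: dict, ioc_sha1s=REPORT_PLUGIN_SHA1S) -> list:
    """plugin_files maps jar name -> bytes (read from the plugins directory in
    real use). Returns the names whose SHA-1 appears in the indicator set."""
    iocs = {h.lower() for h in ioc_sha1s}
    return sorted(n for n, data in plugin_files.items() if sha1_hex(data) in iocs)


def triage(version, ss_output, admin_usernames, plugin_files) -> dict:
    """Aggregate the four checks into one dict of findings."""
    return {
        "unpatched_version": not is_patched(version),
        "exposed_listeners": exposed_admin_listeners(ss_output),
        "suspicious_admins": suspicious_admins(admin_usernames),
        "known_malicious_plugins": known_malicious_plugins(plugin_files),
    }


# Constructed sample: a 4.7.4 host whose console listens on all interfaces.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      50     127.0.0.1:5222   0.0.0.0:*
LISTEN 0      50     0.0.0.0:9090     0.0.0.0:*
LISTEN 0      50     [::]:9091        [::]:*
LISTEN 0      128    127.0.0.1:9092   0.0.0.0:*
"""
SAMPLE_ADMINS = ["admin", "OpenfireSupport"]
SAMPLE_PLUGINS = {"search.jar": b"constructed benign plugin bytes"}

if __name__ == "__main__":
    for key, value in triage("4.7.4", SAMPLE_SS, SAMPLE_ADMINS, SAMPLE_PLUGINS).items():
        print(f"{key}: {value}")
```

On a real host, feed `triage()` the version from the admin console or `openfire.xml`, the output of `ss -ltn`, the admin user list from Openfire's user management, and the bytes of every jar in the plugins directory; a non-empty `exposed_listeners` result is the condition the report's loopback-binding advice is meant to eliminate.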

    Dr.Web antivirus successfully detects and neutralizes modifications of the JSP.BackDoor.8 backdoor, as well as the Linux.BtcMine and Linux.BackDoor.Tsunami trojans, so they do not pose a threat to our users.

    Source : https://news.drweb.com/show/?i=14756&lng=enu


    User Feedback

    Recommended Comments

    My friend, I'm not able to post anything, nor create other topics here on the forum.
    Is the forum undergoing any maintenance?
    I don't think so because it's been a while since I've been able to post anything.


    1 hour ago, New_Style_xd said:

    My friend, I'm not able to post anything, nor create other topics here on the forum.
    Is the forum undergoing any maintenance?
    I don't think so because it's been a while since I've been able to post anything.

    Hello my friend,

    I apologize for that, there was a mistake in the settings.

    I fixed it, thank you.


    On 9/28/2023 at 2:37 AM, SeedTheNet said:

    Hello my friend,

    I apologize for that, there was a mistake in the settings.

    I fixed it, thank you.

    Thanks my friend, I'll take the test.
