Malicious actors are actively taking advantage of a critical vulnerability in Openfire messaging servers, using it to encrypt server data with ransomware and deploy cryptocurrency miners.
Cybercriminals are currently exploiting a severe vulnerability in Openfire messaging servers, utilizing it to encrypt servers with ransomware and launch cryptocurrency mining operations.
The vulnerability, designated as CVE-2023-32315, constitutes an authentication bypass impacting the Openfire management console. This flaw empowers attackers to establish new administrator accounts on susceptible servers.
Through these accounts, perpetrators deploy malicious Java plug-ins (JAR files) capable of executing commands received via HTTP GET and POST requests.
This critical vulnerability affects all Openfire versions from 3.10.0 (released in 2015) through 4.6.7, and from 4.7.0 through 4.7.4.
While Openfire addressed the issue with the release of versions 4.6.8, 4.7.5, and 4.8.0 in May 2023, as of mid-August 2023, VulnCheck reported that over 3,000 Openfire servers were still running vulnerable versions.
Dr. Web is currently detecting indications of ongoing exploitation, as threat actors have taken advantage of the attack surface for their malicious campaigns.
The initial instance of active exploitation, pinpointed by Dr. Web, traces back to June 2023. During this incident, the security firm conducted an investigation into a server ransomware attack, which occurred following the exploitation of CVE-2023-32315 to infiltrate the server.
In this attack, the perpetrators leveraged the vulnerability to establish a new administrator user in Openfire, gain access, and employ it for the installation of a malevolent JAR plugin capable of executing arbitrary code.
In recent years, Dr. Web and its clients have encountered various malicious Java plugins, including “helloworld-openfire-plugin-assembly.jar,” “product.jar,” and “bookmarks-openfire-plugin-assembly.jar.”
After establishing an Openfire honeypot to capture the malware, Dr. Web uncovered additional trojans employed in these attacks.
One of these payloads is a Go-based cryptocurrency mining trojan known as Kinsing. Its operators exploit CVE-2023-32315 to create an administrator account named “OpenfireSupport” and subsequently install a malicious plugin named “plugin.jar.” This plugin is responsible for fetching the miner payload and deploying it on the compromised server.
In a separate incident, attackers introduced a UPX-compressed backdoor written in C, following a similar infection chain.
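As an added triage helper (not Openfire or Dr. Web code), the script below checks a deployment against the facts this article reports: the affected version ranges, the plugin file names seen in these campaigns, and the “OpenfireSupport” admin account the Kinsing operators create. The `triage` function and the sample inputs are assumptions constructed for illustration.

```python
# Hypothetical triage helper for an Openfire deployment against the indicators
# reported in this article. Version ranges, plugin names and the admin account
# name come from the article; all sample inputs below are constructed.

# Affected ranges (inclusive): 3.10.0 to 4.6.7 and 4.7.0 to 4.7.4.
VULNERABLE_RANGES = [((3, 10, 0), (4, 6, 7)), ((4, 7, 0), (4, 7, 4))]

# Plugin file names the article associates with these attacks.
SUSPECT_PLUGINS = {
    "helloworld-openfire-plugin-assembly.jar",
    "product.jar",
    "bookmarks-openfire-plugin-assembly.jar",
    "plugin.jar",
}
# Admin account name created by the Kinsing operators, compared case-insensitively.
SUSPECT_ADMINS = {"openfiresupport"}


def parse_version(text: str) -> tuple:
    """Turn '4.7.4' (or '4.7.4-beta') into a comparable tuple of three ints."""
    parts = text.strip().split("-")[0].split(".")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_vulnerable_version(version: str) -> bool:
    """True if this Openfire version falls in a range affected by CVE-2023-32315."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def suspicious_plugins(plugin_names) -> list:
    """Plugin file names (e.g. from the plugins directory) matching the reported ones."""
    return sorted(n for n in plugin_names if n.lower() in SUSPECT_PLUGINS)


def suspicious_admins(admin_users) -> list:
    """Admin user names matching the account name reported in the Kinsing campaign."""
    return sorted(u for u in admin_users if u.lower() in SUSPECT_ADMINS)


def triage(version: str, plugin_names, admin_users) -> dict:
    """Combine the three checks into one report for an operator to review."""
    return {
        "vulnerable_version": is_vulnerable_version(version),
        "suspicious_plugins": suspicious_plugins(plugin_names),
        "suspicious_admins": suspicious_admins(admin_users),
    }


if __name__ == "__main__":
    # Constructed sample: a 4.7.4 server with a rogue admin and a dropped plugin.jar.
    print(triage("4.7.4", ["monitoring.jar", "plugin.jar"], ["admin", "OpenfireSupport"]))
```

A hit on any of the three checks is a reason to take the server offline for investigation rather than simply patching in place, since the article describes plugins that persist after the initial bypass.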
An unknown ransomware
BleepingComputer has received multiple reports from customers indicating that Openfire servers fell victim to ransomware attacks, resulting in file encryption with the “.locked1” extension.
Since 2022, a threat actor has been systematically encrypting publicly accessible web servers using ransomware, which appends the “.locked1” extension to the compromised files.
BleepingComputer has documented instances where Openfire servers were encrypted by this particular ransomware strain in June.
The ransomware family behind these attacks has not been identified, but the ransom demands tend to be relatively modest, ranging from 0.09 to 0.12 bitcoins (equivalent to $2,300 to $3,500).
The malicious actor appears to target not only Openfire servers but also any vulnerable web server. Consequently, it is crucial to regularly apply all available security updates to your servers to enhance their security posture.