Vulnerability in Openfire messaging software allows unauthorized access to compromised servers


September 25, 2023

Doctor Web is notifying users about the spread of malicious plugins for the Openfire messaging server. To date, more than 3,000 servers worldwide that have Openfire software installed have been affected by a vulnerability that lets attackers gain access to the file system and use the infected servers as part of a botnet.

In June 2023, Doctor Web was contacted by a customer reporting an incident in which attackers had been able to encrypt files on their server. The investigation revealed that the infection was carried out as part of the post-exploitation of the CVE-2023-32315 vulnerability in Openfire messaging software. This exploit performs a directory traversal attack and allows unauthorized access to the administrative interface of the Openfire software, which the attackers use to create a new user with administrative privileges. The attackers then log in using the newly created account and install the malicious plugin helloworld-openfire-plugin-assembly.jar (SHA1:41d224784242151825aa8001a35ee339a0fef2813f), which can run arbitrary code. The plugin allows shell commands to be executed on a server that has Openfire installed, and also runs Java code that is transmitted to the plugin in a POST request. This is exactly how the encryption trojan was launched on our customer’s server.

To obtain a sample of this crypto malware, we created an Openfire honeypot and monitored the attacks against it for several weeks. During the time our server was running, we were able to obtain samples of three different malicious plugins. We also obtained samples of two trojans that were installed on our server after Openfire was compromised.

The first trojan is a mining trojan, written in Go, known as kinsing (Linux.BtcMine.546). An attack using this trojan is carried out in four stages:

  1. exploitation of the CVE-2023-32315 vulnerability to create an administrative account named “OpenfireSupport”;
  2. authentication under the created user;
  3. installation of the malicious plugin.jar (SHA1:0c6249feee3fef50fc0a5a06299c3e81681cc838) on the server;
  4. download and launch of the trojan with the help of the installed malicious plugin.

In another attack scenario, the system was infected with the Linux.BackDoor.Tsunami.1395 trojan, written in C and packed with UPX. The infection process is similar to the previous one, except that an administrative user was created with a random name and password.

The third scenario is the most interesting because, instead of installing a trojan on the system, the attackers used a malicious Openfire plugin to obtain information about the compromised server. In particular, they were interested in the network connections, the IP address, the users, and the system’s kernel version.

The malicious plugins installed in all of these cases are JSP.BackDoor.8 backdoors written in Java. These plugins can run a variety of commands in the form of GET and POST requests sent by the attackers.

The vulnerability in the Openfire messaging server in question has been fixed in the updates to versions 4.6.8 and 4.7.5. Doctor Web specialists recommend upgrading to the latest versions. If this is not possible, efforts should be made to minimize the attack surface: restrict network access to ports 9090 and 9091, modify the Openfire settings file to bind the administrator console address to the loopback interface, or use the AuthFilterSanitizer plugin.
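As an added example (not code from the article or from the Openfire project), the following Python script audits an openfire.xml file for the loopback mitigation recommended above. The `<adminConsole>` / `<port>` / `<securePort>` / `<interface>` layout of the settings file, and the assumption that an absent `<interface>` means the console listens on all interfaces, are assumptions about Openfire rather than facts stated in the article.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an openfire.xml fragment whose admin console has no
# <interface> element, which we assume means it listens on every interface.
# The element layout is an assumption, not taken from the article.
EXPOSED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jive>
  <adminConsole>
    <port>9090</port>
    <securePort>9091</securePort>
  </adminConsole>
</jive>
"""

# Constructed sample with the console bound to the loopback interface,
# the hardened setting the article recommends when patching is not possible.
LOOPBACK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jive>
  <adminConsole>
    <port>9090</port>
    <securePort>9091</securePort>
    <interface>127.0.0.1</interface>
  </adminConsole>
</jive>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_admin_console(xml_text: str) -> list[str]:
    """Return findings about admin-console exposure; an empty list means the
    console is bound to a loopback address."""
    root = ET.fromstring(xml_text)
    console = root.find("adminConsole")
    if console is None:
        # Assumption: with no section at all the defaults (9090/9091, all interfaces) apply.
        return ["no <adminConsole> section: defaults apply (ports 9090/9091 on all interfaces)"]
    findings = []
    iface = (console.findtext("interface") or "").strip()
    if iface not in LOOPBACK_ADDRESSES:
        shown = iface or "<unset: all interfaces>"
        findings.append(f"admin console interface is {shown}; bind it to 127.0.0.1")
        # Each exposed listener is reported so it can be restricted at the firewall.
        for tag in ("port", "securePort"):
            port = console.findtext(tag)
            if port:
                findings.append(f"{tag} {port} is reachable from the network; restrict access to it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("loopback", LOOPBACK_CONFIG)):
        print(name, audit_admin_console(cfg) or ["ok"])
```

To audit a real server, read the contents of conf/openfire.xml and pass them to `audit_admin_console`.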

Dr.Web antivirus successfully detects and neutralizes modifications of the JSP.BackDoor.8 backdoor, as well as the Linux.BtcMine and Linux.BackDoor.Tsunami trojans, so they do not pose a threat to our users.
