Openfire servers held hostage by cryptominers and ransomware

CarderPlanet

A bug introduced in 2015 has been found by attackers and is being actively exploited.

Attackers are actively exploiting a critical vulnerability in Openfire messaging servers to deploy ransomware and cryptominers on them.

Openfire is a widely used open-source, Java-based XMPP chat server that has been downloaded more than 9 million times and is used for secure cross-platform messaging.

The vulnerability, tracked as CVE-2023-32315, is an authentication bypass in the Openfire administrative console. It lets an unauthenticated attacker create new administrator accounts on a vulnerable server.

The attackers then use those accounts to install malicious Java plugins that execute commands received via HTTP requests.

The vulnerability affects every Openfire release from 3.10.0 (2015) through 4.6.7, and from 4.7.0 through 4.7.4. It was fixed in versions 4.6.8 and 4.7.5, released in May 2023, and in 4.8.0, yet by mid-August more than 3,000 Openfire servers were still running an affected version.

The Russian security company Dr. Web reported signs of active exploitation. The first case it recorded was in June 2023, when it investigated a ransomware attack on a server that had been compromised through CVE-2023-32315.

The attackers used the bypass to create a new Openfire administrator account, logged in with it, and installed a malicious JAR plugin capable of running arbitrary code.

"The plugin allows executing shell commands on a server with Openfire installed, as well as running Java code that is passed to the plugin in a POST request," the researchers said.

Among the malicious Java plugins detected, the following file names were noted: "helloworld-openfire-plugin-assembly.jar", "product.jar" and "bookmarks-openfire-plugin-assembly.jar".
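The affected version ranges and the reported plugin file names above are the two things an operator can check quickly. The following triage helper is an added example, not code from Dr. Web, Openfire or the original post: it tests an Openfire version string against the ranges the article gives and classifies the JAR files in a plugins directory against the reported names. The default plugins path and the sample directory listing in the usage section are assumptions constructed for the example.

```python
"""Triage helper for CVE-2023-32315 exposure (added example, not the
project's code): version-range check plus plugin-directory review.
Version ranges and plugin names come from the article; paths and the
sample listing below are constructed for illustration."""
import re
from pathlib import Path

# Affected ranges stated in the article: 3.10.0..4.6.7 and 4.7.0..4.7.4.
# 4.6.8 and 4.7.5 carry the fix, as do 4.8.0 and later.
AFFECTED_RANGES = [((3, 10, 0), (4, 6, 7)), ((4, 7, 0), (4, 7, 4))]

# Plugin JAR names Dr. Web reported seeing in these intrusions.
REPORTED_MALICIOUS_PLUGINS = frozenset({
    "helloworld-openfire-plugin-assembly.jar",
    "product.jar",
    "bookmarks-openfire-plugin-assembly.jar",
})


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse strings such as '4.7.4' or '4.7.4-SNAPSHOT'; a missing patch
    number is treated as 0 so '4.7' compares like '4.7.0'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Openfire version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the published affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage_plugins(jar_names, expected=frozenset()):
    """Classify each plugin JAR name as 'reported-ioc' (matches a name from
    the article), 'expected' (on the operator's allow-list) or 'unexpected'.
    Names are stripped and lower-cased so a stray space or case change does
    not hide a match."""
    result = {}
    for name in jar_names:
        key = name.strip().lower()
        if key in REPORTED_MALICIOUS_PLUGINS:
            result[name] = "reported-ioc"
        elif key in expected:
            result[name] = "expected"
        else:
            result[name] = "unexpected"
    return result


def scan_plugin_dir(plugins_dir, expected=frozenset()):
    """Triage every *.jar in an Openfire plugins directory. The directory
    path is supplied by the caller; '<openfire home>/plugins' is an assumed
    default and may differ per install."""
    names = sorted(p.name for p in Path(plugins_dir).glob("*.jar"))
    return triage_plugins(names, expected)


if __name__ == "__main__":
    # Constructed sample input: a version string and a plugin listing an
    # operator might see; 'search.jar' stands in for a legitimately
    # installed plugin on the allow-list.
    print("4.7.4 affected:", is_affected("4.7.4"))   # True
    print("4.7.5 affected:", is_affected("4.7.5"))   # False
    sample_listing = ["search.jar", " product.jar", "helloworld-openfire-plugin-assembly.jar"]
    for jar, verdict in triage_plugins(sample_listing, frozenset({"search.jar"})).items():
        print(f"{jar.strip():45s} {verdict}")
```

A "reported-ioc" hit is strong evidence of compromise; an "unexpected" JAR is only a lead and needs to be compared against what the operator actually installed. Neither check replaces a look at the administrator account list, since the article describes attackers adding accounts before installing the plugin.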

Besides the ransomware, Dr. Web also identified other Trojans used in these attacks, including the Go-based cryptominer Kinsing.

Attacks on Openfire servers have also been reported by foreign media. In one case the servers of a foreign company were encrypted, with the ".locked1" extension appended to files, and the attackers demanded a ransom that is small by ransomware standards, 0.09 to 0.12 BTC (roughly 2,300 to 3,500 US dollars), to restore access.

Experts strongly recommend that Openfire operators update to the latest patched versions. Upgrading closes the bypass but does not undo what an attacker already did, so a server that was exposed while vulnerable should also be checked for administrator accounts nobody created and for plugin JARs nobody installed.
 