Cyberattackers Swarm OpenFire Cloud Servers With Takeover Barrage

The Kinsing cybercrime group is back with a new attack vector: Pummeling a previously disclosed path traversal flaw in the Openfire enterprise messaging application to create unauthenticated admin users. From there, they gain full control of Openfire cloud servers, and can upload the malware and a Monero cryptominer to compromised platforms.

Researchers from Aqua Nautilus have observed more than 1,000 attacks in less than two months that exploit the Openfire vulnerability, CVE-2023-32315, which was disclosed and patched in May, they revealed in a blog post this week. However, just last week the CISA added the flaw to its catalog of known exploited vulnerabilities.

Openfire is a Web-based real-time collaboration (RTC) server used as a chat platform over XMPP that supports more than 50,000 concurrent users. By design, it's supposed to be a secure and segmented way for enterprise users to communicate across departments and across remote work locations.

The flaw, however, makes Openfire's administrative console vulnerable to path traversal attack via its setup environment, allowing an unauthenticated, regular user to access pages in the console reserved for administrative users.

Attackers have been doing just that, authenticating themselves as administrators to upload malicious plugins and eventually take over control of the Openfire server for the purpose of mining crypto, according to Aqua Nautilus. Kinsing is a Golang-based malware best known for its targeting of Linux; however, Microsoft researchers recently observed an evolution in its tactics to pivot to other environments.

"This Kinsing campaign exploits the vulnerability, drops in runtime Kinsing malware and a cryptominer, [and] tries to evade detection and gain persistence," Aqua Nautilus security data analyst Nitzan Yaakov and lead data analyst Assaf Morag wrote in the post.

Technical Details on Kinsing Attacks on OpenFire

Aqua Nautilus researchers created an Openfire honeypot in the beginning of July that they said immediately was targeted, with 91% of attacks attributed to the Kinsing campaign. Specifically, they discovered two types of attacks, the most prevalent one of which deploys a Web shell and enables the attacker to download Kinsing malware and cryptominers. Indeed, taking over cloud servers for the purpose of cryptomining has been a hallmark of the Kinsing group.

In the latest Kinsing attacks, the threat actors exploit the vulnerability to create a new admin user and upload a plugin, cmd.jsp, which was designed to deploy the Kinsing malware payload. Once this is done, attackers proceed with a valid authentication process for the Openfire Administration Panel, gaining complete access as an authenticated admin user and ultimately giving them free rein over the app and the server on which it's running.
Next, attackers upload a Metasploit exploit in a .ZIP file, which extends the plugin to enable http requests at their disposal, allowing them to download Kinsing, which is hard-coded in the plugin, the researchers said.

The malware then communicates with command-and-control and downloads a shell script as a secondary payload that creates persistence on the server, allowing for further attack activity, which includes the deployment of a Monero cryptominer.

The second, less prevalent attack that the researchers observed in their honeypot involves the same Metasploit exploit. However, so far attackers only used this vector to collect system info and have not proceeded further, the researchers said.

How Can Enterprises Secure the OpenFire Environment?

A Shodan search turned up 6,419 Internet-connected servers with the Openfire service running, 5,036 of which were reachable. Of those, 984, or 19.5%, were vulnerable to the CVE-2023-32315 flaw; these are located mainly in the US, China, and Brazil. 

There could be many more systems at risk, however, from attackers who gain access to the environment in other ways. Aqua Nautilus is urging administrators of any enterprise system with Openfire deployed to identify if their instance is vulnerable, and patch and secure as appropriate. To help do this, the researchers provided screenshots that show their own validation process in the blog post.

Enterprises also should steer clear of employing default settings and ensure that passwords adhere to best practices, with a regular refresh of both secrets and passwords to further bolster the security of environments.

Additionally, since threat actors are progressively refining their tactics and masking malicious activity in what appears to be legitimate operations, enterprises should deploy runtime detection and response solutions to identify anomalies and issue alerts about malicious activities, the researchers said.