Attacks targeting Openfire vulnerability underway
BleepingComputer reports that Openfire messaging servers still unpatched against CVE-2023-32315, a high-severity authentication bypass that has already been fixed upstream, are under active attack by threat actors deploying ransomware and cryptominers.
Attackers have used the bypass to create new Openfire admin accounts, then installed malicious JAR plugins that give them arbitrary code execution on the server before dropping payloads such as the Kinsing cryptomining trojan and a C-based, UPX-packed backdoor, according to a Dr. Web report. A separate malicious Openfire plugin has also been used to exfiltrate data from compromised servers.
Numerous Openfire servers have also been encrypted with ransomware; one affected customer reported that the .locked1 extension was appended to encrypted files. The group behind the .locked1 attacks, which began compromising Openfire servers in June, has also targeted other vulnerable web servers and demands 0.09 to 0.12 BTC for decryption.
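The three post-exploitation indicators the article describes (admin accounts the operator never provisioned, plugin JARs the operator never installed, and files renamed with the .locked1 extension) can be turned into a quick host triage. The script below is an added example, not code from the article, BleepingComputer, Dr. Web or the Openfire project. The allowlists KNOWN_PLUGINS and KNOWN_ADMINS, the plugin name helloworld.jar and the sample host layout are constructed assumptions; the only Openfire-specific fact it relies on is that the comma-separated admin list lives in the admin.authorizedJIDs system property, which an operator would export from the server's configuration before running the check.

```python
"""Triage an Openfire install for the post-exploitation indicators reported
after CVE-2023-32315 exploitation: unexpected plugin JARs, files carrying the
.locked1 ransomware extension, and admin JIDs the operator never provisioned.
Added example; allowlists and sample host below are constructed assumptions."""
import tempfile
from pathlib import Path

# Hypothetical allowlist of plugins the operator actually deployed (assumption).
KNOWN_PLUGINS = {"admin.jar", "search.jar"}
# Hypothetical allowlist of admin JIDs the operator provisioned (assumption).
KNOWN_ADMINS = {"admin@xmpp.example.org"}
# Extension reported on encrypted files in the article.
RANSOM_EXT = ".locked1"


def unexpected_plugins(plugins_dir, known=KNOWN_PLUGINS):
    """Return plugin JARs in the Openfire plugins directory that are not allowlisted."""
    return sorted(p.name for p in Path(plugins_dir).glob("*.jar") if p.name not in known)


def encrypted_files(root, ext=RANSOM_EXT):
    """Return paths (relative to root, POSIX form) that carry the ransomware extension."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob(f"*{ext}") if p.is_file())


def unexpected_admins(authorized_jids, known=KNOWN_ADMINS):
    """Given the value of Openfire's admin.authorizedJIDs property (comma-separated),
    return JIDs that are not on the operator's allowlist."""
    jids = {j.strip() for j in authorized_jids.split(",") if j.strip()}
    return sorted(jids - known)


def triage(root, authorized_jids):
    """Run all three checks against an Openfire install rooted at `root`."""
    root = Path(root)
    return {
        "unexpected_plugins": unexpected_plugins(root / "plugins"),
        "encrypted_files": encrypted_files(root),
        "unexpected_admins": unexpected_admins(authorized_jids),
    }


def build_sample_host():
    """Constructed snapshot of a compromised install (sample data, not a real host):
    one non-allowlisted plugin JAR and one file renamed with the .locked1 extension."""
    root = Path(tempfile.mkdtemp(prefix="openfire-"))
    (root / "plugins").mkdir()
    for name in ("admin.jar", "search.jar", "helloworld.jar"):  # helloworld.jar is the odd one out
        (root / "plugins" / name).write_bytes(b"PK\x03\x04")  # zip magic only, not a real JAR
    (root / "conf").mkdir()
    (root / "conf" / "openfire.xml").write_text("<jive/>")
    (root / "conf" / ("security.xml" + RANSOM_EXT)).write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    host = build_sample_host()
    # Second JID simulates an account added through the auth bypass (constructed).
    findings = triage(host, "admin@xmpp.example.org, opr@xmpp.example.org")
    for key, items in findings.items():
        print(f"{key}: {items or 'none'}")
```

On a real host, point triage() at the Openfire installation directory and pass the current admin.authorizedJIDs value; any non-empty list is a reason to pull the server offline and treat it as compromised rather than simply patch it, since the article notes the backdoor and miner are dropped after the plugin is installed.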