The Kinsing cybercrime group has discovered a new method of attack: exploiting a previously identified path traversal flaw in the Openfire enterprise messaging application. This allows the group to create unauthenticated admin users, giving them full control of Openfire cloud servers, and enabling them to upload malware and a Monero cryptominer to compromised platforms.
Aqua Nautilus researchers have reported over 1,000 attacks in less than two months that exploit the Openfire vulnerability, CVE-2023-32315. This flaw was disclosed and patched in May, but was recently added to the CISA's catalog of known exploited vulnerabilities.
Openfire is a web-based real-time collaboration server used as a chat platform over XMPP, supporting more than 50,000 concurrent users. It's designed to provide a secure and segmented communication method for enterprise users across departments and remote work locations. However, the flaw makes Openfire's administrative console susceptible to path traversal attack via its setup environment. This allows an unauthenticated user to access pages in the console reserved for administrative users.
Attackers have exploited this flaw, authenticating themselves as administrators to upload malicious plugins and take over control of the Openfire server for crypto mining. Kinsing, a Golang-based malware known for targeting Linux, has evolved its tactics to pivot to other environments. The Kinsing campaign exploits the vulnerability, drops in runtime Kinsing malware and a cryptominer, and tries to evade detection and gain persistence, according to Nitzan Yaakov and Assaf Morag from Aqua Nautilus.
The researchers set up an Openfire honeypot in early July, which was immediately targeted, with 91% of attacks attributed to the Kinsing campaign. They discovered two types of attacks, the most common of which deploys a Web shell and enables the attacker to download Kinsing malware and cryptominers. The Kinsing group is known for taking over cloud servers for cryptomining.
In the latest attacks, the threat actors exploit the vulnerability to create a new admin user and upload a plugin, cmd.jsp, designed to deploy the Kinsing malware payload. After this, they go through a valid authentication process for the Openfire Administration Panel, gaining complete access as an authenticated admin user and ultimately taking control over the app and the server it runs on.
The attackers then upload a Metasploit exploit in a .ZIP file, extending the plugin to enable http requests at their disposal. This allows them to download Kinsing, which is hard-coded in the plugin. The malware communicates with command-and-control and downloads a shell script as a secondary payload, creating persistence on the server for further attack activity, including the deployment of a Monero cryptominer.
Aqua Nautilus urges administrators of any enterprise system with Openfire deployed to identify if their instance is vulnerable, and to patch and secure it as necessary. They also recommend not using default settings, ensuring that passwords are in line with best practices, and regularly refreshing secrets and passwords to further enhance the security of environments. Additionally, as threat actors continue to refine their tactics and hide malicious activity in seemingly legitimate operations, enterprises should deploy runtime detection and response solutions to identify anomalies and issue alerts about malicious activities.