1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Openfire messaging software targeted by hackers to hijack servers

    From TechnologyDaily@1337:1/100 to All on Wed Sep 27 17:30:04 2023
    Openfire messaging software targeted by hackers to hijack servers

    Date:
    Wed, 27 Sep 2023 17:25:10 +0000

    Description:
    More than 3,000 servers have been infected so far, with attackers deploying encryptors and botnets.

    FULL STORY ======================================================================

    If your organization is running an Openfire messaging server, make sure to install the latest patches immediately, as hackers have been observed abusing a vulnerability to take over infected endpoints.

    Cybersecurity researchers from Doctor Web were recently tipped off to the existence of a flaw by a client whose devices had been encrypted.

    A subsequent investigation uncovered the existence of CVE-2023-32315, a directory traversal vulnerability that allows threat actors to access Openfires admin interface. From there, they are able to create new admin accounts and use them to deliver different malicious Openfire plugins to the compromised endpoints. Capturing trojans in honeypots

    So far, the researchers are saying that more than 3,000 servers with Openfire software were infected. Some were targeted with encryptors, others were assimilated into a botnet and used for other forms of cyberattacks, such as distributed denial of service (DDoS).

    After setting up a honeypot, Doctor Webs researchers grabbed three malicious plugin samples, as well as two trojans. One of the trojans is called Kinsing, apparently a cryptocurrency mining software. In one case, instead of dropping a trojan, the hackers sought to obtain information about the compromised server. In

    particular, they were interested in information about the network
    connections, the IP address, users, and the systems kernel version.

    In all of these scenarios, the attackers installed the JSP.BackDoor.8 malicious plugin.

    As dangerous as it all may sound, the vulnerability has since been fixed. Those who are wary of potential attacks should make sure their Openfire messaging server is brought up to versions 4.6.8. And 4.7.5. Obviously,
    Doctor Web specialists recommend upgrading to the latest versions, but if
    that is not possible, IT teams should minimize the attack surface by restricting network access to ports 9090 and 9091, modify the Openfire settings file, redirect the admin console address to the loopback interface, or use the AuthFilterSanitizer plugin. More from TechRadar Pro Top data breaches and cyber attacks of 2022 Here's a list of the best firewalls These are the best endpoint protection services right now



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/openfire-messaging-software-targeted-by -hackers-to-hijack-servers


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)