The Rising Threat: OpenFire Cloud Servers Under Siege in Cyberattacks

The Kinsing Cybercrime Group Exploits Openfire Vulnerability to Attack Cloud Servers

The Kinsing cybercrime group has recently been observed using a new attack vector to compromise Openfire enterprise messaging application and gain control of Openfire cloud servers. Aqua Nautilus researchers have reported over 1,000 attacks in less than two months that exploit the Openfire vulnerability known as CVE-2023-32315. While the flaw was previously disclosed and patched in May, it has continued to be exploited by the Kinsing group, leading to the compromise of numerous platforms.

Openfire is a Web-based real-time collaboration (RTC) server commonly used as a chat platform over XMPP, supporting thousands of concurrent users. It is designed to provide secure and segmented communication for enterprise users across departments and remote locations. However, the vulnerability in Openfire‘s administrative console allows unauthenticated regular users to access pages reserved for administrative use, paving the way for attackers to authenticate themselves as administrators and upload malicious plugins, including a Monero cryptominer.

Kinsing is a well-known Golang-based malware that primarily targets Linux systems. However, Microsoft researchers have recently observed a shift in Kinsing’s tactics to target other environments as well. In this particular campaign, Kinsing targets Openfire servers, drops the Kinsing malware and a cryptominer, and attempts to evade detection and gain persistence on compromised servers.

Technical Details

Aqua Nautilus researchers deployed an Openfire honeypot in July, and it was immediately targeted by the Kinsing campaign. They observed two types of attacks, with the most prevalent one deploying a Web shell that enables the attacker to download Kinsing malware and cryptominers. The attackers exploit the Openfire vulnerability to create a new admin user and upload a plugin called cmd.jsp, which deploys the Kinsing malware payload. The attackers then proceed to authenticate themselves as administrators, gaining complete access to the Openfire Administration Panel and the server it is running on.

Next, the attackers upload a Metasploit exploit in a .ZIP file, which extends the plugin’s functionality and enables further attack activity. The Kinsing malware communicates with a command-and-control server, allowing the attacker to download a shell script that creates persistence on the compromised server and deploys a Monero cryptominer. The researchers also noted a less prevalent attack vector where attackers only collect system info using the Metasploit exploit without proceeding further.

Securing the OpenFire Environment

Enterprises that have Openfire deployed need to take immediate steps to secure their environments. A Shodan search highlighted that there are 6,419 Internet-connected servers running the Openfire service, and 5,036 of these are reachable. Alarmingly, 19.5% (984) of the reachable servers are vulnerable to the CVE-2023-32315 flaw. These vulnerable servers are mainly located in the US, China, and Brazil.

Administrators running Openfire are strongly advised to check if their instances are vulnerable and apply the necessary patches and security measures. Aqua Nautilus researchers have provided helpful screenshots in their blog post to assist administrators in the validation process. It is also crucial for enterprises to avoid using default settings and employ strong and regularly refreshed passwords adhering to best practices. Regularly updating secrets and passwords adds an extra layer of security to the environment.

As threat actors constantly refine their tactics and attempt to mask malicious activity as legitimate operations, enterprises should consider deploying runtime detection and response solutions. These solutions can help identify anomalies and issue alerts in response to malicious activities. Proactive monitoring and response mechanisms are essential in combating evolving cyber threats.

Editorial: The Significance of Openfire Vulnerability

The recent exploitation of the Openfire vulnerability by the Kinsing cybercrime group underscores the critical importance of maintaining robust security practices and staying updated on software vulnerabilities and their corresponding patches. Enterprises need to prioritize security and enact measures to secure their systems and valuable data.

The incident also highlights the need for greater collaboration between security researchers, software developers, and enterprise administrators to address vulnerabilities promptly and effectively. Timely disclosure, patching, and implementation of security solutions can significantly reduce the likelihood and impact of such cyberattacks.

In an increasingly interconnected world where cloud services and internet-based platforms play a vital role in business operations, the onus falls on all stakeholders to ensure the security of critical applications and infrastructure. Cybersecurity must remain a top priority to safeguard sensitive information, protect against financial and reputational damage, and maintain the trust of stakeholders.

Advice for Enterprises

To mitigate the risk posed by the Openfire vulnerability and defend against similar attacks, enterprises should consider the following steps:

1. Regularly update and patch software: Stay vigilant about security updates and patches, and ensure they are promptly applied to all systems and applications. Regularly updating software is an essential defense against known vulnerabilities.

2. Strengthen access controls: Implement strong password policies and multi-factor authentication to secure access to critical systems. Avoid default settings and ensure that passwords and secrets are periodically refreshed.

3. Deploy runtime detection and response solutions: Utilize advanced security solutions that can identify anomalies and issue alerts about malicious activities in real-time. These solutions can help detect and respond to evolving threats before they cause significant damage.

4. Collaborate with security experts: Engage with cybersecurity professionals and researchers to stay informed about emerging threats and best practices. Establish strong partnerships to proactively address potential vulnerabilities and respond effectively to incidents.

By taking a proactive and comprehensive approach to cybersecurity, enterprises can significantly reduce the risk of falling victim to cybercrime groups like Kinsing and maintain the integrity of their systems and data.