September 25, 2023

Doctor Web is notifying users about the spread of malicious plugins for the Openfire messaging server. To date, more than 3,000 servers worldwide that have Openfire software installed on them have been affected by a vulnerability that lets hackers gain access to the file system and use the infected servers as part of a botnet.

In June 2023, Doctor Web was contacted by a customer reporting an incident where attackers had been able to encrypt files on their server. The investigation revealed that the infection was implemented as part of the post-exploitation of the CVE-2023-32315 vulnerability in Openfire messaging software. This exploit performs a directory traversal attack and allows unauthorized access to the administrative interface of the Openfire software, which is used by attackers to create a new user with administrative privileges. The attackers then log in using the newly created account and install the malicious plugin helloworld-openfire-plugin-assembly.jar (SHA1:41d224784242151825aa8001a35ee339a0fef2813f), which can run arbitrary code. The plugin allows shell commands to be executed on a server that has Openfire software installed on it, as well as code, written in Java, to be launched and then transmitted to the plugin in a POST request. This is exactly how the encryption trojan was launched on our customer's server.

To obtain a sample of this crypto malware, we created an Openfire honeypot and monitored the attacks against it for several weeks. During the time our server was running, we were able to obtain samples of three different malicious plugins. We also obtained samples of two trojans that were installed on our server after Openfire was compromised.

The first trojan is a mining trojan, written in Go, that is known as kinsing (Linux.BtcMine.546). An attack using this trojan is carried out in four stages:

1. exploitation of the CVE-2023-32315 vulnerability to create an administrative account named "OpenfireSupport".
2. authentication under the created user.
3. installation of the malicious plugin.jar (SHA1:0c6249feee3fef50fc0a5a06299c3e81681cc838) on the server.
4. the download and launch of the trojan with the help of the installed malicious plugin.

In another attack scenario, the system was infected with the Linux.BackDoor.Tsunami.1395 trojan, written in C and packed with UPX. The infection process is very similar to the previous one, except that an administrative user was created with a random name and password.

The third scenario is the most interesting because instead of installing a trojan in the system, the attackers used a malicious Openfire plugin to obtain information about the compromised server. In particular, they were interested in information about the network connections, the IP address, users, and the system’s kernel version.

The malicious plugins installed in all these cases are JSP.BackDoor.8 backdoors written in Java. These plugins can run a variety of commands in the form of GET and POST requests sent by attackers.

The vulnerability in the Openfire messaging server in question has been fixed in the updates to versions 4.6.8 and 4.7.5. Doctor Web specialists recommend upgrading to the latest versions. If this is not possible, efforts should be made to minimize the attack surface: restrict network access to ports 9090 and 9091, modify the Openfire settings file, redirect the administrator console address to the loopback interface or use the AuthFilterSanitizer plugin.

Dr.Web antivirus successfully detects and neutralizes modifications of the JSP.BackDoor.8 backdoor, as well as the Linux.BtcMine and Linux.BackDoor.Tsunami trojans, so they do not pose a threat to our users.

• Indicators of compromise
• Read more about JSP.BackDoor.8
• Read more about Linux.BtcMine
• Read more about Linux.BackDoor.Tsunami.1395