The notorious Kinsing cybercrime group is making a comeback with a new attack vector, exploiting a previously disclosed vulnerability in the Openfire enterprise messaging application. By leveraging this flaw, known as CVE-2023-32315, the attackers are able to create unauthenticated admin users, granting them full control of Openfire cloud servers. Once compromised, the attackers proceed to upload malware and a Monero cryptominer to exploit the compromised platforms for financial gain.
Security researchers from Aqua Nautilus have been closely monitoring this latest wave of attacks and have observed over 1,000 instances of exploitation in less than two months. The vulnerability was initially disclosed and patched in May, but the Cybersecurity and Infrastructure Security Agency (CISA) only recently added it to its catalog of known exploited vulnerabilities. This highlights the severity and widespread impact of the campaign.
Openfire is a popular web-based real-time collaboration (RTC) server that supports over 50,000 concurrent users. It is designed to enable secure communication between enterprise users across various departments and locations. However, the path traversal flaw in Openfire’s administrative console has exposed it to malicious exploitation. Attackers have been able to bypass authentication measures and gain access to administrative pages reserved for authorized users.
The attackers behind the Kinsing campaign have taken advantage of this vulnerability to authenticate themselves as administrators and upload malicious plugins. This gives them complete control over the compromised Openfire servers, which they utilize for crypto mining purposes. Kinsing has primarily targeted Linux systems in the past, but recent observations by Microsoft researchers indicate that the group has expanded its tactics to pivot to other environments.
Aqua Nautilus security analysts Nitzan Yaakov and Assaf Morag provided technical details of the Kinsing attacks on Openfire. They deployed an Openfire honeypot in early July, which immediately became a target for attackers. Approximately 91% of the attacks identified were attributed to the Kinsing campaign. Two types of attacks were observed, with the most prevalent involving the deployment of a web shell that allows the attackers to download Kinsing malware and cryptominers. Crypto mining has always been a primary objective for the Kinsing group.
In the latest wave of attacks, the threat actors exploit the path traversal vulnerability to create a new admin user and upload a plugin called cmd.jsp. This plugin is specifically designed to deploy the Kinsing malware payload. Once the plugin is successfully uploaded, the attackers proceed with a valid authentication process for the Openfire Administration Panel, granting them full access as authenticated admin users. This effectively hands over complete control of the application and the server it operates on to the attackers.
To further expand their capabilities, the attackers upload a Metasploit exploit in a .ZIP file, which enhances the functionality of the plugin and allows for additional attack techniques. Kinsing is hard-coded within the plugin itself. Aqua Nautilus researchers also discovered that the malware establishes communication with command-and-control servers and downloads a shell script as a secondary payload. This script ensures persistence on the compromised server and facilitates further attack activities, including the deployment of a Monero cryptominer.
While this specific attack vector seems to be the most prevalent, Aqua Nautilus also identified a less common attack pattern involving the same Metasploit exploit. However, the attackers utilizing this vector have not progressed beyond collecting system information.
Enterprises that have deployed Openfire systems are advised to take immediate action to secure their environments. A Shodan search revealed over 6,000 Internet-connected servers running the Openfire service, with approximately 20% of them vulnerable to the CVE-2023-32315 flaw. Aqua Nautilus urges administrators to verify whether their instances are vulnerable and to promptly apply patches and security measures to mitigate the risk. Additionally, it is crucial to avoid default settings and to ensure that passwords adhere to best practices. Regular rotation of passwords and secrets can further enhance the security posture of these environments.
Given the evolving tactics employed by threat actors, it is recommended that enterprises deploy runtime detection and response solutions. These solutions can help identify anomalies and raise alerts about malicious activities, even when attackers attempt to mask their actions as legitimate operations.
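The following script is an added example of the kind of log-based detection the article recommends; it is not code from Aqua Nautilus or the Openfire project. It walks admin-console access log lines and flags the three signals described above: path traversal sequences in requests to the console, administrative pages reached by a source that never completed a login, and plugin uploads or requests to a `cmd.jsp` plugin. The log format (combined-log style), the page names `login.jsp`, `user-create.jsp`, `plugin-admin.jsp` and `user-summary.jsp`, and all sample lines are constructed assumptions for illustration, not observed attacker traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in a combined-log-like format (assumed, not real Openfire logs).
# 203.0.113.5 logs in normally; 198.51.100.9 never logs in but reaches admin pages.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2023:12:00:01 +0000] "POST /login.jsp HTTP/1.1" 302 0
203.0.113.5 - - [10/Jul/2023:12:00:05 +0000] "GET /user-summary.jsp HTTP/1.1" 200 5120
198.51.100.9 - - [10/Jul/2023:12:03:11 +0000] "GET /images/../user-create.jsp HTTP/1.1" 200 3300
198.51.100.9 - - [10/Jul/2023:12:03:12 +0000] "POST /images/../user-create.jsp HTTP/1.1" 302 0
198.51.100.9 - - [10/Jul/2023:12:03:20 +0000] "POST /plugin-admin.jsp?uploadplugin HTTP/1.1" 200 900
198.51.100.9 - - [10/Jul/2023:12:03:25 +0000] "GET /plugins/cmd/cmd.jsp HTTP/1.1" 200 64
"""

# Assumed admin-console page names that should only be reachable after a login.
ADMIN_PAGES = {"user-create.jsp", "plugin-admin.jsp", "user-summary.jsp"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_traversal(path):
    """True if the path part of the request contains '..' after URL-decoding.

    Decoding twice makes single- and double-encoded dot sequences surface alike.
    """
    decoded = unquote(unquote(path.split("?", 1)[0]))
    return ".." in decoded


def analyze(log_text):
    """Scan log lines in order and return a list of (ip, alert_kind, request_path)."""
    alerts = []
    logged_in = set()  # source IPs that completed a login (POST /login.jsp -> redirect)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        page = path.split("?", 1)[0].rsplit("/", 1)[-1]

        if page == "login.jsp" and method == "POST" and status == "302":
            logged_in.add(ip)
            continue
        if has_traversal(path):
            alerts.append((ip, "path_traversal", path))
        if page in ADMIN_PAGES and ip not in logged_in:
            alerts.append((ip, "admin_page_without_login", path))
        if page == "plugin-admin.jsp" and method == "POST":
            alerts.append((ip, "plugin_upload", path))
        if page == "cmd.jsp":
            alerts.append((ip, "webshell_plugin_request", path))
    return alerts


def suspicious_sources(alerts):
    """Group alerts by source IP: {ip: sorted list of distinct alert kinds}."""
    kinds = defaultdict(set)
    for ip, kind, _ in alerts:
        kinds[ip].add(kind)
    return {ip: sorted(k) for ip, k in kinds.items()}


if __name__ == "__main__":
    for ip, kinds in suspicious_sources(analyze(SAMPLE_LOG)).items():
        print(f"{ip}: {', '.join(kinds)}")
```

A source that triggers the traversal, no-login and plugin-upload signals in quick succession matches the sequence the article describes, whereas a single traversal hit from a logged-in administrator is more likely a scanner or a typo; correlating the kinds per source, as `suspicious_sources` does, is what keeps the alert useful.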
The resurgence of the Kinsing cybercrime group highlights the ongoing threats faced by organizations and reinforces the need for proactive security measures. By promptly addressing vulnerabilities and implementing robust security practices, enterprises can better defend against such attacks and safeguard their critical systems and data.
