Malicious actors have been targeting HTTP File Servers (HFS) developed by Rejetto by taking advantage of vulnerabilities to distribute malware and install cryptocurrency mining software. One particular security flaw, known as CVE-2024-23692, has been exploited by threat actors to remotely execute arbitrary commands on the server without authentication, posing a significant risk to users.
HTTP File Server (HFS) is a commonly used lightweight web server software that facilitates file sharing over the internet. Its user-friendly setup and operation make it a popular choice for individuals looking to share files online effortlessly. However, its popularity also makes it a prime target for cybercriminals seeking to exploit vulnerabilities for their malicious activities.
The CVE-2024-23692 vulnerability affects HFS versions up to 2.3m, allowing attackers to send harmful commands remotely to compromise the server. Since its discovery, threat actors have actively exploited this flaw, prompting warnings from Rejetto advising users to avoid versions 2.3m through 2.4 due to their susceptibility to external manipulation.
AhnLab’s Security Intelligence Center (ASEC) has been monitoring multiple instances where cybercriminals exploit the CVE-2024-23692 vulnerability to infiltrate HFS servers. Once compromised, attackers typically execute commands to gather system information, create backdoor accounts, and cover their tracks by terminating the HFS process after completing their malicious actions.
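The post-exploitation sequence described above (system discovery, backdoor account creation, killing the HFS process) is a useful detection pattern for defenders. The following is an added example, not code from the article or from AhnLab: it parses constructed process-creation events and flags child processes spawned by the HFS server whose command lines match that sequence. The log format, the field names and the process name `hfs.exe` are assumptions.

```python
import re

# Constructed sample process-creation events (assumption: a simple
# key=value format; the parent process name hfs.exe is also assumed).
SAMPLE_EVENTS = r"""
ts=2024-06-01T10:00:01Z parent=C:\hfs\hfs.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c whoami"
ts=2024-06-01T10:00:02Z parent=C:\hfs\hfs.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c systeminfo"
ts=2024-06-01T10:00:03Z parent=C:\hfs\hfs.exe image=C:\Windows\System32\net.exe cmdline="net user backup P@ss /add"
ts=2024-06-01T10:00:04Z parent=C:\hfs\hfs.exe image=C:\Windows\System32\taskkill.exe cmdline="taskkill /f /im hfs.exe"
ts=2024-06-01T10:05:00Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c whoami"
"""

HFS_IMAGE = "hfs.exe"  # assumed file name of the vulnerable server process

# Rules derived from the behaviour the article describes after exploitation.
RULES = {
    "discovery": re.compile(r"\b(whoami|systeminfo|ipconfig|tasklist)\b", re.I),
    "backdoor_account": re.compile(r"\bnet1?\s+user\b.*\s/add\b", re.I),
    "hfs_process_killed": re.compile(r"\btaskkill\b.*\bhfs\.exe\b", re.I),
}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def classify(event):
    """Return the names of rules matched by a child process of the HFS server."""
    parent = event.get("parent", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if parent != HFS_IMAGE:
        return []  # same commands from another parent are not in scope here
    cmdline = event.get("cmdline", "")
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(log_text):
    """Return (timestamp, rule, cmdline) for every flagged event in the log."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in classify(event):
            alerts.append((event.get("ts"), rule, event.get("cmdline")))
    return alerts

if __name__ == "__main__":
    for ts, rule, cmdline in scan(SAMPLE_EVENTS):
        print(f"{ts} {rule:<20} {cmdline}")
```

Only the four events whose parent is the HFS process are flagged; the last line, an identical command launched from explorer.exe, is ignored because the parent process is what ties it to the web server.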
According to AhnLab, “Because HFS is exposed to the public to enable users to connect to the HFS web server and download files, it can be a target for external attacks if it has a vulnerability. In May 2024, a remote code execution vulnerability (CVE-2024-23692) in HFS was announced.”
Apart from distributing malware, threat actors have been deploying CoinMiners such as XMRig to mine cryptocurrency, primarily Monero. This financial incentive has motivated groups like LemonDuck to leverage CoinMiners as part of their attack strategy. Additionally, attackers have introduced various Remote Access Trojans (RATs) and backdoor malware like XenoRAT, Gh0stRAT, and PlugX for espionage and control purposes, often associated with Chinese-speaking threat actors.
A sophisticated threat known as GoThief has also emerged, using Amazon Web Services (AWS) to extract sensitive information from infected systems. Written in Go, GoThief captures screenshots and uploads them along with system data to a command-and-control server, posing a serious threat to users’ privacy and security.
The increasing prevalence of CVE-2024-23692 exploitation underscores how important it is for HFS users to update to a secure version promptly. As cyber threats continue to evolve and grow more sophisticated, keeping software up to date and monitoring exposed servers for suspicious activity are essential steps in reducing the risks associated with vulnerable software.
In conclusion, the ongoing exploitation of vulnerabilities in HFS servers serves as a stark reminder of the evolving threat landscape in cyberspace. Users are encouraged to stay informed about security updates and best practices to protect their systems from malicious actors seeking to compromise their data and resources. Stay vigilant, stay informed, and stay secure in the digital age.
