In June 2023, Doctor Web was contacted by a customer reporting an incident where attackers had been able to encrypt files on their server. The investigation revealed that the infection was implemented as part of the post-exploitation of the CVE-2023-32315 vulnerability in Openfire messaging software. This exploit performs a directory traversal attack and allows unauthorized access to the administrative interface of the Openfire software, which is used by attackers to create a new user with administrative privileges. The attackers then log in using the newly created account and install the malicious plugin helloworld-openfire-plugin-assembly.jar (SHA1:41d224784242151825aa8001a35ee339a0fef2813f), which can run arbitrary code. The plugin allows shell commands to be executed on a server that has Openfire software installed on it, as well as code, written in Java, to be launched and then transmitted to the plugin in a POST request. This is exactly how the encryption trojan was launched on our customer's server.
![[correlate]](/data/avatars/m/79/79653.jpg?1556985072){kind=avatar}
news.drweb.com
