- May 4, 2019
- Content source
In June 2023, Doctor Web was contacted by a customer reporting an incident where attackers had been able to encrypt files on their server. The investigation revealed that the infection was implemented as part of the post-exploitation of the CVE-2023-32315 vulnerability in Openfire messaging software. This exploit performs a directory traversal attack and allows unauthorized access to the administrative interface of the Openfire software, which is used by attackers to create a new user with administrative privileges. The attackers then log in using the newly created account and install the malicious plugin helloworld-openfire-plugin-assembly.jar (SHA1:41d224784242151825aa8001a35ee339a0fef2813f), which can run arbitrary code. The plugin allows shell commands to be executed on a server that has Openfire software installed on it, as well as code, written in Java, to be launched and then transmitted to the plugin in a POST request. This is exactly how the encryption trojan was launched on our customer's server.
Doctor Web is notifying users about the spread of malicious plugins for the Openfire messaging server. To date, more than 3,000 servers worldwide that have Openfire software installed on them have been affected by a vulnerability that lets hackers gain access to the file system and use the...