Openfire messaging software targeted by hackers to hijack servers

Petya nagscreen
(Image credit: Wikipedia)

If your organization is running an Openfire messaging server, make sure to install the latest patches immediately, as hackers have been observed abusing a vulnerability to take over infected endpoints. 

Cybersecurity researchers from Doctor Web were recently tipped off to the existence of a flaw by a client whose devices had been encrypted. 

A subsequent investigation uncovered the existence of CVE-2023-32315, a directory traversal vulnerability that allows threat actors to access Openfire’s admin interface. From there, they are able to create new admin accounts and use them to deliver different malicious Openfire plugins to the compromised endpoints.

Capturing trojans in honeypots

So far, the researchers are saying that more than 3,000 servers with Openfire software were infected. Some were targeted with encryptors, others were assimilated into a botnet and used for other forms of cyberattacks, such as distributed denial of service (DDoS).

After setting up a honeypot, Doctor Web’s researchers grabbed three malicious plugin samples, as well as two trojans. One of the trojans is called Kinsing, apparently a cryptocurrency mining software. In one case, instead of dropping a trojan, the hackers sought to obtain information about the compromised server. In

particular, they were interested in information about the network connections, the IP address, users, and the system’s kernel version.

In all of these scenarios, the attackers installed the JSP.BackDoor.8 malicious plugin. 

As dangerous as it all may sound, the vulnerability has since been fixed. Those who are wary of potential attacks should make sure their Openfire messaging server is brought up to versions 4.6.8. And 4.7.5. Obviously, Doctor Web specialists recommend upgrading to the latest versions, but if that is not possible, IT teams should minimize the attack surface by restricting network access to ports 9090 and 9091, modify the Openfire settings file, redirect the admin console address to the loopback interface, or use the AuthFilterSanitizer plugin. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.