Cyberattackers Swarm OpenFire Cloud Servers With Takeover Barrage

Publicated : 23/11/2024   Category : security

The Kinsing threat group has launched more than 1,000 cyberattacks in less than two months, exploiting a security vulnerability in the internal corporate messaging app in order to upload the malware and a cryptominer.



The Kinsing cybercrime group is back with a new attack vector: pummeling a previously disclosed path traversal flaw in the Openfire enterprise messaging application to create unauthenticated admin users. From there, they gain full control of Openfire cloud servers, and can upload the malware and a Monero cryptominer to compromised platforms.
Researchers from Aqua Nautilus have observed more than 1,000 attacks in less than two months that exploit the Openfire vulnerability, CVE-2023-32315, which was disclosed and patched in May, they revealed in a blog post this week. However, just last week CISA added the flaw to its catalog of known exploited vulnerabilities.
Openfire is a Web-based real-time collaboration (RTC) server used as a chat platform over XMPP that supports more than 50,000 concurrent users. By design, it's supposed to be a secure and segmented way for enterprise users to communicate across departments and across remote work locations.
The flaw, however, makes Openfire's administrative console vulnerable to a path traversal attack via its setup environment, allowing an unauthenticated, regular user to access pages in the console reserved for administrative users.
Attackers have been doing just that, authenticating themselves as administrators to upload malicious plugins and eventually take over control of the Openfire server for the purpose of mining crypto, according to Aqua Nautilus. Kinsing is a Golang-based malware best known for its targeting of Linux; however, Microsoft researchers recently observed an evolution in its tactics to pivot to other environments.
This Kinsing campaign exploits the vulnerability, drops in runtime Kinsing malware and a cryptominer, [and] tries to evade detection and gain persistence, Aqua Nautilus security data analyst Nitzan Yaakov and lead data analyst Assaf Morag wrote in the post.
Aqua Nautilus researchers created an Openfire honeypot in the beginning of July that they said immediately was targeted, with 91% of attacks attributed to the Kinsing campaign. Specifically, they discovered two types of attacks, the most prevalent one of which deploys a Web shell and enables the attacker to download Kinsing malware and cryptominers. Indeed, taking over cloud servers for the purpose of cryptomining has been a hallmark of the Kinsing group.
In the latest Kinsing attacks, the threat actors exploit the vulnerability to create a new admin user and upload a plugin, cmd.jsp, which was designed to deploy the Kinsing malware payload. Once this is done, attackers proceed with a valid authentication process for the Openfire Administration Panel, gaining complete access as an authenticated admin user and ultimately giving them free rein over the app and the server on which it's running.
Next, attackers upload a Metasploit exploit in a .ZIP file, which extends the plugin to enable HTTP requests at their disposal, allowing them to download Kinsing, which is hard-coded in the plugin, the researchers said.
The malware then communicates with command-and-control and downloads a shell script as a secondary payload that creates persistence on the server, allowing for further attack activity, which includes the deployment of a Monero cryptominer.
The second, less prevalent attack that the researchers observed in their honeypot involves the same Metasploit exploit. However, so far attackers only used this vector to collect system info and have not proceeded further, the researchers said.
A Shodan search turned up 6,419 Internet-connected servers with the Openfire service running, 5,036 of which were reachable. Of those, 984, or 19.5%, were vulnerable to the CVE-2023-32315 flaw; these are located mainly in the US, China, and Brazil. 
There could be many more systems at risk, however, from attackers who gain access to the environment in other ways. Aqua Nautilus is urging administrators of any enterprise system with Openfire deployed to identify if their instance is vulnerable, and patch and secure as appropriate. To help do this, the researchers provided screenshots that show their own validation process in the blog post.
Enterprises also should steer clear of employing default settings and ensure that passwords adhere to best practices, with a regular refresh of both secrets and passwords to further bolster the security of environments.
Additionally, since threat actors are progressively refining their tactics and masking malicious activity in what appears to be legitimate operations, enterprises should deploy runtime detection and response solutions to identify anomalies and issue alerts about malicious activities, the researchers said.
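As an added example (not code from the article or from Aqua Nautilus's post), a small log scanner that flags the two-step pattern described above: traversal requests aimed at the admin console's setup environment, followed by an archive upload from the same client. The log format, URL paths and file names are constructed assumptions, not Openfire's real endpoints.

```python
"""Detect setup-path traversal followed by a plugin-style upload in access logs.
Added example; paths, file names and log format are assumed, not Openfire's own."""
import re
from urllib.parse import unquote

# Constructed sample lines in common-log style (assumption: this is how the
# reverse proxy in front of the admin console logs requests).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2023:10:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 512
203.0.113.7 - - [01/Aug/2023:10:00:02 +0000] "GET /setup/%2e%2e/%2e%2e/admin-page.jsp HTTP/1.1" 200 2048
203.0.113.7 - - [01/Aug/2023:10:00:05 +0000] "POST /plugin-upload?file=cmd.zip HTTP/1.1" 200 128
198.51.100.4 - - [01/Aug/2023:10:01:00 +0000] "GET /setup/index.jsp HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize(path: str) -> str:
    """Percent-decode until stable (defeats double encoding), unify slashes, lowercase."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/").lower()


def detect(log_text: str) -> list:
    """Return (client, reason, raw_request, status) tuples for suspicious requests."""
    alerts, traversal_clients = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        client, method, raw, status = m.groups()
        path = normalize(raw.split("?", 1)[0])
        query = normalize(raw.partition("?")[2])
        # Rule 1: a request under the setup area whose decoded path climbs out with ".."
        if path.startswith("/setup/") and ".." in path.split("/"):
            alerts.append((client, "traversal via setup environment", raw, status))
            traversal_clients.add(client)
        # Rule 2: the same client later POSTs an archive (plugin) to the console
        elif client in traversal_clients and method == "POST" \
                and re.search(r"\.(zip|jar)\b", query or path):
            alerts.append((client, "plugin upload after traversal", raw, status))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The status code in each tuple lets a responder separate traversal attempts that were blocked upstream from those the console answered with 200.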
