A short while ago disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have arrive underneath lively exploitation in the wild, in accordance to various experiences.
The Shadowserver Basis explained that it can be “seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& pals) targeting /webauth_operation.php endpoint,” the identical working day a evidence-of-principle (PoC) turned offered.
The issues, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, reside in the J-Web part of Junos OS on Juniper SRX and EX Series. They could be chained by an unauthenticated, network-centered attacker to execute arbitrary code on susceptible installations.
Patches for the flaw were unveiled on August 17, 2023, a 7 days following which watchTowr Labs published a evidence-of-strategy (PoC) by combining CVE-2023-36846 and CVE-2023-36845 to execute a PHP file made up of malicious shellcode.
At the moment, there are a lot more than 8,200 Juniper units that have their J-Web interfaces uncovered to the internet, most of them from South Korea, the U.S., Hong Kong, Indonesia, Turkey, and India.
Kinsing Exploits Openfire Vulnerability
Yet another vulnerability that has been weaponized by danger actors is CVE-2023-32315, a large-severity path traversal bug in Openfire’s administrative console that could be leveraged for remote code execution.
“This flaw allows an unauthorized person to exploit the unauthenticated Openfire Set up Surroundings in just an established Openfire configuration,” cloud security firm Aqua mentioned.
“As a result, a threat actor gains entry to the admin setup data files that are normally restricted within the Openfire Admin Console. Following, the menace actor can opt for in between either including an admin consumer to the console or uploading a plugin which will at some point permit full handle more than the server.”
Menace actors related with the Kinsing malware botnet have been noticed utilizing the flaw to create a new admin user and upload a JAR file, which has a file named cmd.jsp that functions as a web shell to drop and execute the malware and a cryptocurrency miner.
Aqua explained it observed 6,419 internet-connected servers with Openfire support working, with a bulk of the instances situated in China, the U.S., and Brazil.
Apache RocketMQ Vulnerability Focused by DreamBus Botnet
In a sign that threat actors are generally on the lookout for new flaws to exploit, an updated version of the DreamBus botnet malware has been observed using advantage of a critical-severity distant code execution vulnerability in RocketMQ servers to compromise equipment.
CVE-2023-33246, as the issue is cataloged as, is a distant code execution flaw impacting RocketMQ versions 5.1. and below that allows an unauthenticated attacker to operate commands with the same entry amount as that of the technique person method.
In the attacks detected by Juniper Menace Labs given that June 19, 2023, prosperous exploitation of the flaw paves the way for the deployment of a bash script termed “reketed,” which acts as the downloader for the DreamBus botnet from a TOR hidden assistance.
DreamBus is a Linux-based malware that is a variant of SystemdMiner and is engineered to mine cryptocurrency on contaminated systems. Lively given that early 2019, it is been identified to be propagated by precisely exploiting distant code execution vulnerabilities.
“As element of the set up regimen, the malware terminates processes, and gets rid of files involved with out-of-date variations of itself,” security researcher Paul Kimayong reported, introducing it sets up persistence on the host by implies of a cron job.
“On the other hand, the presence of a modular bot like the DreamBus malware outfitted with the capacity to execute bash scripts gives these cybercriminals the probable to diversify their attack repertoire, like the installation of various other varieties of malware.”
Exploitation of Cisco ASA SSL VPNs to Deploy Akira Ransomware
The developments arrive amid cybersecurity organization Swift7 warning of an uptick in menace action courting again to March 2023 and concentrating on Cisco ASA SSL VPN appliances in buy to deploy Akira ransomware.
Although some situations have entailed the use of credential stuffing, exercise in other folks “seems to be the final result of specific brute-pressure attacks on ASA appliances exactly where multi-factor authentication (MFA) was either not enabled or was not enforced for all people,” the organization explained.
Cisco has acknowledged the attacks, noting that the threat actors could also be buying stolen credentials from the dark web to infiltrate corporations.
This hypothesis is even further bolstered by the reality that an original obtain broker referred to as Bassterlord was noticed selling a guide on breaking into company networks in underground community forums previously this February.
“Notably, the writer claimed they experienced compromised 4,865 Cisco SSL VPN expert services and 9,870 Fortinet VPN companies with the username/password combination test:take a look at,” Quick7 reported.
“It is attainable that, supplied the timing of the dark web dialogue and the greater threat action we noticed, the manual’s instruction contributed to the uptick in brute force attacks focusing on Cisco ASA VPNs.”
The disclosures also arrive as unpatched Citrix NetScaler ADC and Gateway appliances are at heightened risk of opportunistic attacks by ransomware actors who are building use of a critical flaw in the products and solutions to drop web shells and other payloads.
Observed this report appealing? Comply with us on Twitter and LinkedIn to read far more special material we put up.
Some components of this short article are sourced from: