Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits
30.8.23 Exploit The Hacker News
Recently disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come under active exploitation in the wild, according to multiple reports.
The Shadowserver Foundation said that it's "seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& friends) targeting /webauth_operation.php endpoint," the same day a proof-of-concept (PoC) became available.
The issues, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, reside in the J-Web component of Junos OS on Juniper SRX and EX Series. They could be chained by an unauthenticated, network-based attacker to execute arbitrary code on susceptible installations.
Patches for the flaw were released on August 17, 2023, a week after which watchTowr Labs published a proof-of-concept (PoC) by combining CVE-2023-36846 and CVE-2023-36845 to execute a PHP file containing malicious shellcode.
Currently, there are more than 8,200 Juniper devices that have their J-Web interfaces exposed to the internet, most of them from South Korea, the U.S., Hong Kong, Indonesia, Turkey, and India.
Kinsing Exploits Openfire Vulnerability#
Another vulnerability that has been weaponized by threat actors is CVE-2023-32315, a high-severity path traversal bug in Openfire's administrative console that could be leveraged for remote code execution.
"This flaw allows an unauthorized user to exploit the unauthenticated Openfire Setup Environment within an established Openfire configuration," cloud security firm Aqua said.
"As a result, a threat actor gains access to the admin setup files that are typically restricted within the Openfire Admin Console. Next, the threat actor can choose between either adding an admin user to the console or uploading a plugin which will eventually allow full control over the server."
Threat actors associated with the Kinsing malware botnet have been observed utilizing the flaw to create a new admin user and upload a JAR file, which contains a file named cmd.jsp that acts as a web shell to drop and execute the malware and a cryptocurrency miner.
Aqua said it found 6,419 internet-connected servers with Openfire service running, with a majority of the instances located in China, the U.S., and Brazil.
Apache RocketMQ Vulnerability Targeted by DreamBus Botnet#
In a sign that threat actors are always on the lookout for new flaws to exploit, an updated version of the DreamBus botnet malware has been observed taking advantage of a critical-severity remote code execution vulnerability in RocketMQ servers to compromise devices.
CVE-2023-33246, as the issue is cataloged as, is a remote code execution flaw impacting RocketMQ versions 5.1.0 and below that enables an unauthenticated attacker to run commands with the same access level as that of the system user process.
In the attacks detected by Juniper Threat Labs since June 19, 2023, successful exploitation of the flaw paves the way for the deployment of a bash script called "reketed," which acts as the downloader for the DreamBus botnet from a TOR hidden service.
DreamBus is a Linux-based malware that's a variant of SystemdMiner and is engineered to mine cryptocurrency on infected systems. Active since early 2019, it's been known to be propagated by specifically exploiting remote code execution vulnerabilities.
"As part of the installation routine, the malware terminates processes, and eliminates files associated with outdated versions of itself," security researcher Paul Kimayong said, adding it sets up persistence on the host by means of a cron job.
"However, the presence of a modular bot like the DreamBus malware equipped with the ability to execute bash scripts provides these cybercriminals the potential to diversify their attack repertoire, including the installation of various other forms of malware."
Exploitation of Cisco ASA SSL VPNs to Deploy Akira Ransomware#
The developments come amid cybersecurity firm Rapid7 warning of an uptick in threat activity dating back to March 2023 and targeting Cisco ASA SSL VPN appliances in order to deploy Akira ransomware.
While some instances have entailed the use of credential stuffing, activity in others "appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users," the company said.
Cisco has acknowledged the attacks, noting that the threat actors could also be purchasing stolen credentials from the dark web to infiltrate organizations.
This hypothesis is further bolstered by the fact that an initial access broker referred to as Bassterlord was observed selling a guide on breaking into corporate networks in underground forums earlier this February.
"Notably, the author claimed they had compromised 4,865 Cisco SSL VPN services and 9,870 Fortinet VPN services with the username/password combination test:test," Rapid7 said.
"It's possible that, given the timing of the dark web discussion and the increased threat activity we observed, the manual's instruction contributed to the uptick in brute force attacks targeting Cisco ASA VPNs."
The disclosures also arrive as unpatched Citrix NetScaler ADC and Gateway appliances are at heightened risk of opportunistic attacks by ransomware actors who are making use of a critical flaw in the products to drop web shells and other payloads.