Lately disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come beneath energetic exploitation within the wild, based on a number of reviews.
The Shadowserver Basis stated that it is “seeing exploitation makes an attempt from a number of IPs for Juniper J-Internet CVE-2023-36844 (& pals) focusing on /webauth_operation.php endpoint,” the identical day a proof-of-concept (PoC) grew to become accessible.
The problems, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, reside within the J-Internet part of Junos OS on Juniper SRX and EX Sequence. They could possibly be chained by an unauthenticated, network-based attacker to execute arbitrary code on prone installations.
Patches for the flaw had been launched on August 17, 2023, per week after which watchTowr Labs revealed a proof-of-concept (PoC) by combining CVE-2023-36846 and CVE-2023-36845 to execute a PHP file containing malicious shellcode.
At present, there are greater than 8,200 Juniper gadgets which have their J-Internet interfaces uncovered to the web, most of them from South Korea, the U.S., Hong Kong, Indonesia, Turkey, and India.
Kinsing Exploits Openfire Vulnerability
One other vulnerability that has been weaponized by menace actors is CVE-2023-32315, a high-severity path traversal bug in Openfire’s administrative console that could possibly be leveraged for distant code execution.
“This flaw permits an unauthorized consumer to use the unauthenticated Openfire Setup Setting inside a longtime Openfire configuration,” cloud security agency Aqua stated.
“Consequently, a menace actor beneficial properties entry to the admin setup recordsdata which are usually restricted throughout the Openfire Admin Console. Subsequent, the menace actor can select between both including an admin consumer to the console or importing a plugin which can finally enable full management over the server.”
Risk actors related to the Kinsing malware botnet have been noticed using the flaw to create a brand new admin consumer and add a JAR file, which comprises a file named cmd.jsp that acts as an online shell to drop and execute the malware and a cryptocurrency miner.
Aqua stated it discovered 6,419 internet-connected servers with Openfire service working, with a majority of the situations situated in China, the U.S., and Brazil.
Apache RocketMQ Vulnerability Focused by DreamBus Botnet
In an indication that menace actors are all the time looking out for brand spanking new flaws to use, an up to date model of the DreamBus botnet malware has been noticed benefiting from a critical-severity distant code execution vulnerability in RocketMQ servers to compromise gadgets.
CVE-2023-33246, as the problem is cataloged as, is a distant code execution flaw impacting RocketMQ variations 5.1.0 and beneath that allows an unauthenticated attacker to run instructions with the identical entry stage as that of the system consumer course of.
Within the assaults detected by Juniper Risk Labs since June 19, 2023, profitable exploitation of the flaw paves the way in which for the deployment of a bash script known as “reketed,” which acts because the downloader for the DreamBus botnet from a TOR hidden service.
DreamBus is a Linux-based malware that is a variant of SystemdMiner and is engineered to mine cryptocurrency on contaminated methods. Energetic since early 2019, it has been identified to be propagated by particularly exploiting distant code execution vulnerabilities.
“As a part of the set up routine, the malware terminates processes, and eliminates recordsdata related to outdated variations of itself,” security researcher Paul Kimayong stated, including it units up persistence on the host via a cron job.
“Nevertheless, the presence of a modular bot just like the DreamBus malware geared up with the flexibility to execute bash scripts offers these cybercriminals the potential to diversify their assault repertoire, together with the set up of varied different types of malware.”
Exploitation of Cisco ASA SSL VPNs to Deploy Akira Ransomware
The developments come amid cybersecurity agency Rapid7 warning of an uptick in menace exercise relationship again to March 2023 and focusing on Cisco ASA SSL VPN home equipment in an effort to deploy Akira and LockBit ransomware.
Whereas some situations have entailed using credential stuffing, exercise in others “seems to be the results of focused brute-force assaults on ASA home equipment the place multi-factor authentication (MFA) was both not enabled or was not enforced for all customers,” the corporate stated.
Cisco has acknowledged the assaults, noting that the menace actors may be buying stolen credentials from the darkish net to infiltrate organizations.
This speculation is additional bolstered by the truth that an preliminary entry dealer known as Bassterlord was noticed promoting a information on breaking into company networks in underground boards earlier this February.
“Notably, the writer claimed that they had compromised 4,865 Cisco SSL VPN providers and 9,870 Fortinet VPN providers with the username/password mixture take a look at:take a look at,” Rapid7 stated.
“It is potential that, given the timing of the darkish net dialogue and the elevated menace exercise we noticed, the guide’s instruction contributed to the uptick in brute power assaults focusing on Cisco ASA VPNs.”
The disclosures additionally arrive as unpatched Citrix NetScaler ADC and Gateway home equipment are at heightened danger of opportunistic assaults by ransomware actors who’re making use of a vital flaw within the merchandise to drop net shells and different payloads.
