HomeVulnerabilityJuniper Firewalls, Openfire, and Apache RocketMQ Underneath Attack from New Exploits

Juniper Firewalls, Openfire, and Apache RocketMQ Underneath Attack from New Exploits

Lately disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come beneath energetic exploitation within the wild, based on a number of reviews.

The Shadowserver Basis stated that it is “seeing exploitation makes an attempt from a number of IPs for Juniper J-Internet CVE-2023-36844 (& pals) focusing on /webauth_operation.php endpoint,” the identical day a proof-of-concept (PoC) grew to become accessible.

The problems, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, reside within the J-Internet part of Junos OS on Juniper SRX and EX Sequence. They could possibly be chained by an unauthenticated, network-based attacker to execute arbitrary code on prone installations.

Patches for the flaw had been launched on August 17, 2023, per week after which watchTowr Labs revealed a proof-of-concept (PoC) by combining CVE-2023-36846 and CVE-2023-36845 to execute a PHP file containing malicious shellcode.

At present, there are greater than 8,200 Juniper gadgets which have their J-Internet interfaces uncovered to the web, most of them from South Korea, the U.S., Hong Kong, Indonesia, Turkey, and India.

Kinsing Exploits Openfire Vulnerability

One other vulnerability that has been weaponized by menace actors is CVE-2023-32315, a high-severity path traversal bug in Openfire’s administrative console that could possibly be leveraged for distant code execution.

“This flaw permits an unauthorized consumer to use the unauthenticated Openfire Setup Setting inside a longtime Openfire configuration,” cloud security agency Aqua stated.

See also  ASUS warns of vital distant authentication bypass on 7 routers

“Consequently, a menace actor beneficial properties entry to the admin setup recordsdata which are usually restricted throughout the Openfire Admin Console. Subsequent, the menace actor can select between both including an admin consumer to the console or importing a plugin which can finally enable full management over the server.”

Linux

Risk actors related to the Kinsing malware botnet have been noticed using the flaw to create a brand new admin consumer and add a JAR file, which comprises a file named cmd.jsp that acts as an online shell to drop and execute the malware and a cryptocurrency miner.

Aqua stated it discovered 6,419 internet-connected servers with Openfire service working, with a majority of the situations situated in China, the U.S., and Brazil.

Apache RocketMQ Vulnerability Focused by DreamBus Botnet

In an indication that menace actors are all the time looking out for brand spanking new flaws to use, an up to date model of the DreamBus botnet malware has been noticed benefiting from a critical-severity distant code execution vulnerability in RocketMQ servers to compromise gadgets.

CVE-2023-33246, as the problem is cataloged as, is a distant code execution flaw impacting RocketMQ variations 5.1.0 and beneath that allows an unauthenticated attacker to run instructions with the identical entry stage as that of the system consumer course of.

Linux

Within the assaults detected by Juniper Risk Labs since June 19, 2023, profitable exploitation of the flaw paves the way in which for the deployment of a bash script known as “reketed,” which acts because the downloader for the DreamBus botnet from a TOR hidden service.

See also  Shut the barn door now! Keep away from the chance of not monitoring retained entry earlier than it’s an issue

DreamBus is a Linux-based malware that is a variant of SystemdMiner and is engineered to mine cryptocurrency on contaminated methods. Energetic since early 2019, it has been identified to be propagated by particularly exploiting distant code execution vulnerabilities.

“As a part of the set up routine, the malware terminates processes, and eliminates recordsdata related to outdated variations of itself,” security researcher Paul Kimayong stated, including it units up persistence on the host via a cron job.

“Nevertheless, the presence of a modular bot just like the DreamBus malware geared up with the flexibility to execute bash scripts offers these cybercriminals the potential to diversify their assault repertoire, together with the set up of varied different types of malware.”

Exploitation of Cisco ASA SSL VPNs to Deploy Akira Ransomware

The developments come amid cybersecurity agency Rapid7 warning of an uptick in menace exercise relationship again to March 2023 and focusing on Cisco ASA SSL VPN home equipment in an effort to deploy Akira and LockBit ransomware.

See also  Software program security debt piles up for organizations whilst crucial flaws drop

Whereas some situations have entailed using credential stuffing, exercise in others “seems to be the results of focused brute-force assaults on ASA home equipment the place multi-factor authentication (MFA) was both not enabled or was not enforced for all customers,” the corporate stated.

Juniper Firewalls, Openfire, and Apache RocketMQ

Cisco has acknowledged the assaults, noting that the menace actors may be buying stolen credentials from the darkish net to infiltrate organizations.

This speculation is additional bolstered by the truth that an preliminary entry dealer known as Bassterlord was noticed promoting a information on breaking into company networks in underground boards earlier this February.

“Notably, the writer claimed that they had compromised 4,865 Cisco SSL VPN providers and 9,870 Fortinet VPN providers with the username/password mixture take a look at:take a look at,” Rapid7 stated.

“It is potential that, given the timing of the darkish net dialogue and the elevated menace exercise we noticed, the guide’s instruction contributed to the uptick in brute power assaults focusing on Cisco ASA VPNs.”

The disclosures additionally arrive as unpatched Citrix NetScaler ADC and Gateway home equipment are at heightened danger of opportunistic assaults by ransomware actors who’re making use of a vital flaw within the merchandise to drop net shells and different payloads.

- Advertisment -spot_img
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular