Cybersecurity researchers have identified a wave of attacks targeting outdated versions of the HTTP File Server (HFS) software from Rejetto, aiming to distribute malware and cryptocurrency mining tools. These attacks exploit a critical security flaw known as CVE-2024-23692, which allows hackers to execute arbitrary commands without needing authentication.
CVE-2024-23692 is a high-severity vulnerability discovered by security researcher Arseniy Sharoglazov. It was publicly disclosed in May this year, following a detailed technical report. The flaw is a template injection vulnerability that enables remote attackers to send specially crafted HTTP requests to execute commands on the affected systems. The vulnerability affects HFS versions up to and including 2.3m. In response, Rejetto has issued a warning to users, advising against the use of these versions due to their susceptibility to control by attackers.
Researchers at AhnLab Security Intelligence Center (ASEC) have observed multiple attacks on version 2.3m of HFS. This version remains popular among individuals, small teams, educational institutions, and developers for network file sharing. The attacks likely began after the release of Metasploit modules and proof-of-concept exploits soon after the vulnerability's disclosure.
During these attacks, hackers gather information about the compromised system, install backdoors, and deploy various types of malware. Commands such as "whoami" and "arp" are executed to collect system and user information and identify connected devices. Hackers also add new users to the administrators' group and terminate the HFS process to prevent other threat actors from exploiting the same vulnerability.
In several cases, the XMRig tool, used for mining Monero cryptocurrency, was installed. ASEC researchers attribute one of these attacks to the LemonDuck threat group. Other malware payloads deployed include:
1. XenoRAT: A tool for remote access and control, often used alongside XMRig.
2. Gh0stRAT: Used for remote control and data exfiltration.
3. PlugX: A backdoor associated with Chinese-speaking threat actors, providing persistent access.
4. GoThief: An information stealer that uses Amazon AWS for data exfiltration, capturing screenshots, collecting desktop file information, and sending data to an external command and control server.
AhnLab continues to detect attacks on HFS version 2.3m. Given that the server must be online for file sharing, it remains a lucrative target for hackers. Rejetto recommends users switch to version 0.52.x, which is the latest release despite its lower version number. This version is web-based, requires minimal configuration, and supports HTTPS, dynamic DNS, and administrative panel authentication.
The company has also provided indicators of compromise, including malware hashes, IP addresses of command and control servers, and download URLs for the malware used in these attacks. Users are urged to update their software to the latest version and follow cybersecurity best practices to protect their systems from such vulnerabilities.
By assimilating and addressing these vulnerabilities, users can better secure their systems against these sophisticated attacks.
