Threat Intelligence, Incident Response, Ransomware

Attacks targeting Openfire vulnerability underway

BleepingComputer reports that vulnerable Openfire messaging servers affected by the already patched high-severity authentication bypass flaw, tracked as CVE-2023-32315, are being subjected to ongoing attacks aimed at ransomware encryption and cryptominer distribution. New Openfire admin accounts created through exploitation of the vulnerability have been leveraged by threat actors to install malicious JAR plugins with arbitrary code execution capabilities before deploying various payloads, including the Kinsing cryptomining trojan and a C-based UPX-packed backdoor, a Dr. Web report revealed. Attackers have also used a malicious Openfire plugin to exfiltrate data from compromised servers. Numerous Openfire servers were also reported to have been encrypted with ransomware, with one customer noting that the .locked1 extension had been appended to encrypted files. Threat actors behind the .locked1 ransomware attacks, which began compromising Openfire servers in June, have been known to target other vulnerable web servers and to demand 0.09 to 0.12 bitcoins in exchange for decryption.
