Recently disclosed vulnerabilities in Juniper firewalls, Openfire, and Apache RocketMQ servers are now under active exploitation. According to multiple security reports, the Shadowserver Foundation has observed exploitation attempts from multiple IP addresses against Juniper's J-Web interface, targeting CVE-2023-36844 and the related flaws, beginning the same day a proof-of-concept (PoC) exploit was published.
The vulnerabilities, tracked as CVE-2023-36844 through CVE-2023-36847, reside in the J-Web component of Junos OS on Juniper's SRX and EX Series devices. Each is rated medium severity on its own, but chained together they allow an unauthenticated, network-based attacker to execute arbitrary code on an affected device, a significant risk given how many of these appliances sit at the network edge. Juniper issued patches on August 17, 2023; about a week later a PoC was published that chains the unauthenticated file-upload flaw (CVE-2023-36846) with the PHP environment-variable modification flaw (CVE-2023-36845) to run attacker-supplied PHP code. Juniper's advisory also recommends disabling J-Web, or restricting it to trusted management hosts, until the fix is applied.
Shadowserver counts more than 8,200 Juniper devices with J-Web exposed to the internet, most of them in South Korea, the United States, Hong Kong, Indonesia, Turkey, and India, which makes for a substantial attack surface. A management interface reachable from the internet is itself a finding, patched or not.
Kinsing Exploits Openfire Vulnerability
Another active threat is the exploitation of CVE-2023-32315, a critical path-traversal vulnerability in Openfire's administrative console. The flaw lets an unauthenticated user reach the console's setup pages, which are supposed to be unreachable once initial setup has completed, by traversing out of the unprotected setup path. Cloud security firm Aqua reports that attackers use this access to escalate privileges, either by creating a new admin user or by uploading a malicious plugin, and thereby gain full control of the server. Fixed versions are Openfire 4.6.8, 4.7.5, and 4.8.0.
Aqua reports that the Kinsing malware botnet has used the flaw to create a new admin user and upload a malicious JAR plugin containing a web shell, which is then used to drop and run cryptocurrency-mining malware. Aqua estimates that around 6,419 Openfire servers are reachable from the internet, most of them in China, the U.S., and Brazil.
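As an added example (not Aqua's or the Openfire project's code), the following Python script runs the detection a defender would want for the chain described above over constructed admin-console access-log lines: it fully decodes request paths (including the non-standard %uXXXX form and double encoding that let ".." slip past a prefix check), flags traversal into the /setup/ tree, and correlates it with a follow-on admin-user creation or plugin upload from the same source. The page names (setup-s, user-create.jsp, plugin-admin.jsp) and the NCSA log layout are assumptions to adjust to your deployment.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines in NCSA/Jetty access-log layout (not real traffic).
# The setup and plugin page names are assumptions about Openfire's console.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2023:10:15:32 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [20/Aug/2023:10:15:40 +0000] "POST /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp HTTP/1.1" 302 0
203.0.113.7 - - [20/Aug/2023:10:16:01 +0000] "POST /plugin-admin.jsp?uploadplugin HTTP/1.1" 302 0
198.51.100.9 - - [20/Aug/2023:10:17:00 +0000] "GET /login.jsp HTTP/1.1" 200 2048
198.51.100.9 - - [20/Aug/2023:10:17:05 +0000] "GET /setup/index.jsp HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def decode_path(raw, max_rounds=5):
    """Fully decode a URL path: %XX, the non-standard %uXXXX form (which a
    naive prefix check passes through untouched) and nested double-encoding,
    by decoding until the string stops changing."""
    cur = raw
    for _ in range(max_rounds):
        nxt = re.sub(r'%u([0-9a-fA-F]{4})',
                     lambda m: chr(int(m.group(1), 16)), cur)
        nxt = unquote(nxt)
        if nxt == cur:
            break
        cur = nxt
    return cur


def normalize(path):
    """Collapse '.' and '..' segments as a servlet container does after
    decoding, so the result is the page that was actually served."""
    out = []
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if out:
                out.pop()
        else:
            out.append(seg)
    return '/' + '/'.join(out)


def analyze(log_text, setup_complete=True):
    """Return {source_ip: [(finding, resolved_path, status), ...]}.
    traversal_via_setup  - '..' inside a /setup/ URL after full decoding
    setup_page_served    - a /setup/ page answered 200 after setup finished
    admin_create_attempt - POST that resolves to user-create.jsp
    plugin_upload        - POST to plugin-admin.jsp with uploadplugin"""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, status = m['ip'], m['method'], int(m['status'])
        parts = urlsplit(m['target'])
        decoded = decode_path(parts.path)
        resolved = normalize(decoded)
        under_setup = parts.path.startswith('/setup/')
        if under_setup and '..' in decoded.split('/'):
            findings[ip].append(('traversal_via_setup', resolved, status))
        elif under_setup and setup_complete and status == 200:
            findings[ip].append(('setup_page_served', resolved, status))
        if method == 'POST' and resolved.endswith('/user-create.jsp'):
            findings[ip].append(('admin_create_attempt', resolved, status))
        if (method == 'POST' and resolved == '/plugin-admin.jsp'
                and 'uploadplugin' in parts.query):
            findings[ip].append(('plugin_upload', resolved, status))
    return dict(findings)


def suspected_chains(findings):
    """IPs that bypassed auth via traversal and then tried to create an admin
    or upload a plugin: the CVE-2023-32315 pattern described above."""
    hits = []
    for ip, items in findings.items():
        kinds = {k for k, _, _ in items}
        if 'traversal_via_setup' in kinds and kinds & {'admin_create_attempt', 'plugin_upload'}:
            hits.append(ip)
    return sorted(hits)


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    for ip, items in result.items():
        for kind, path, status in items:
            print(f'{ip}  {kind:22s} {path}  ({status})')
    print('suspected CVE-2023-32315 chains:', suspected_chains(result))
```

The decode-until-stable loop is the important part: matching on the raw string for `..` or `%2e%2e` misses the `%u002e` spelling, and matching only after one decoding round misses double encoding. Run it against the console's access log with `setup_complete=True` once the server has been set up; any 200 response under /setup/ is then suspicious on its own.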
Apache RocketMQ Compromised by DreamBus Botnet
Separately, the DreamBus botnet is exploiting a critical remote code execution vulnerability in Apache RocketMQ, CVE-2023-33246, which affects versions up to and including 5.1.0 (and 4.9.5 and earlier in the 4.x line). The RocketMQ NameServer and Broker components expose their management functions without authentication; an attacker who can reach them can abuse the update-configuration function to run commands as the system user under which RocketMQ runs. Juniper Threat Labs first observed exploitation on June 19, 2023, with successful attacks used to deploy a malicious bash script that fetches further payloads. The fixed releases are 5.1.1 and 4.9.6, and the NameServer and Broker ports (9876 and 10911 by default) should not be reachable from untrusted networks.
DreamBus is a Linux-based malware family with a history of cryptocurrency mining, and its operators routinely use remote code execution vulnerabilities as their initial access vector. Security researcher Paul Kimayong noted that the malware not only deploys additional payloads but also establishes persistence through scheduled tasks such as cron jobs.
Exploitation of Cisco ASA SSL VPNs and Ransomware Deployment
Alongside these incidents, Rapid7 has reported a rise in threat activity targeting Cisco ASA SSL VPN appliances since March 2023, tied to Akira and LockBit ransomware deployments. The evidence points not to a software flaw but to weak authentication: attackers use credential stuffing and targeted brute-force attacks, and succeed where multi-factor authentication (MFA) is missing or not enforced for VPN logins.
Cisco has acknowledged the attacks and the likely use of compromised credentials bought on dark web markets. That reading is supported by claims from an initial access broker known as Bassterlord, who said he had compromised numerous Cisco SSL VPN services using default credentials. Rapid7 warns that the activity may mark a broader trend of brute-force attacks against Cisco ASA VPNs.
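As an added example (not Rapid7's or Cisco's code), the following Python script shows the detection logic that the failure mode above calls for, run over constructed ASA syslog lines: per source IP it slides a window over WebVPN authentication failures, distinguishes a brute-force attack on one account from a password spray across many accounts, and raises the verdict that matters most when MFA is not enforced, a successful login from an address that was just attacking. The lines follow the documented layout of ASA message IDs 716038 and 716039 (WebVPN authentication successful/rejected); the users, addresses and timestamps are fictional, and the field layout should be checked against your own ASA's output before the regex is deployed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (fictional users and addresses) in the layout of
# ASA syslog IDs 716038/716039, the WebVPN authentication success/reject
# messages. Verify the field layout against your own ASA before deploying.
SAMPLE_SYSLOG = """\
Aug 24 2023 14:02:11: %ASA-6-716039: Group <DfltGrpPolicy> User <admin> IP <203.0.113.50> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:02:13: %ASA-6-716039: Group <DfltGrpPolicy> User <test> IP <203.0.113.50> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:02:15: %ASA-6-716039: Group <DfltGrpPolicy> User <cisco> IP <203.0.113.50> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:02:17: %ASA-6-716039: Group <DfltGrpPolicy> User <vpn> IP <203.0.113.50> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:02:19: %ASA-6-716039: Group <DfltGrpPolicy> User <guest> IP <203.0.113.50> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:02:21: %ASA-6-716039: Group <DfltGrpPolicy> User <jsmith> IP <203.0.113.50> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:02:24: %ASA-6-716038: Group <RemoteUsers> User <jsmith> IP <203.0.113.50> Authentication: successful, Session Type: WebVPN.
Aug 24 2023 14:05:02: %ASA-6-716039: Group <DfltGrpPolicy> User <alice> IP <198.51.100.20> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:05:20: %ASA-6-716038: Group <RemoteUsers> User <alice> IP <198.51.100.20> Authentication: successful, Session Type: WebVPN.
Aug 24 2023 14:10:00: %ASA-6-716039: Group <DfltGrpPolicy> User <bob> IP <192.0.2.77> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:10:02: %ASA-6-716039: Group <DfltGrpPolicy> User <bob> IP <192.0.2.77> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:10:04: %ASA-6-716039: Group <DfltGrpPolicy> User <bob> IP <192.0.2.77> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:10:06: %ASA-6-716039: Group <DfltGrpPolicy> User <bob> IP <192.0.2.77> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:10:08: %ASA-6-716039: Group <DfltGrpPolicy> User <bob> IP <192.0.2.77> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:10:10: %ASA-6-716039: Group <DfltGrpPolicy> User <bob> IP <192.0.2.77> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:10:12: %ASA-6-716039: Group <DfltGrpPolicy> User <bob> IP <192.0.2.77> Authentication: rejected, Session Type: WebVPN.
Aug 24 2023 14:10:14: %ASA-6-716039: Group <DfltGrpPolicy> User <bob> IP <192.0.2.77> Authentication: rejected, Session Type: WebVPN.
"""

EVENT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-71603[89]: '
    r'Group <[^>]*> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> '
    r'Authentication: (?P<outcome>successful|rejected)')


def parse_events(text):
    """Turn WebVPN auth syslog lines into dicts with ts, user, ip, ok."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append({
                'ts': datetime.strptime(m['ts'], '%b %d %Y %H:%M:%S'),
                'user': m['user'], 'ip': m['ip'],
                'ok': m['outcome'] == 'successful'})
    return events


def _stats(fails):
    """(distinct usernames, most failures against any single username)."""
    counts = defaultdict(int)
    for f in fails:
        counts[f['user']] += 1
    return len(counts), (max(counts.values()) if counts else 0)


def analyze(events, window_s=600, fail_threshold=5, spray_users=5):
    """Per source IP, slide a window over failures and report verdicts:
    brute_force          - >= fail_threshold failures for one user in window
    password_spray       - >= spray_users distinct users failing in window
    success_after_attack - a login succeeded while either bar was met;
                           without MFA this is a probable compromise"""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e['ip']].append(e)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e['ts'])
        recent = []  # failures still inside the window
        verdicts = set()
        for e in evs:
            recent = [f for f in recent
                      if (e['ts'] - f['ts']).total_seconds() <= window_s]
            if not e['ok']:
                recent.append(e)
            distinct, per_user = _stats(recent)
            spray = distinct >= spray_users
            brute = per_user >= fail_threshold
            if e['ok']:
                if spray or brute:
                    verdicts.add('success_after_attack')
            else:
                if spray:
                    verdicts.add('password_spray')
                if brute:
                    verdicts.add('brute_force')
        if verdicts:
            report[ip] = {
                'verdicts': sorted(verdicts),
                'failures': sum(1 for e in evs if not e['ok']),
                'successes': [e['user'] for e in evs if e['ok']],
            }
    return report


if __name__ == '__main__':
    for ip, info in analyze(parse_events(SAMPLE_SYSLOG)).items():
        print(ip, info)
```

On the sample, 203.0.113.50 is flagged for a password spray followed by a successful login as jsmith, which is exactly the sequence that ends in a ransomware deployment when nothing beyond the password stands in the way; 192.0.2.77 is a plain brute-force against one account; the single mistyped password from 198.51.100.20 produces no alert. Tune the window and thresholds to your user population, and treat `success_after_attack` as an incident, not a metric.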
Unpatched, internet-facing systems remain a primary entry point, as the recent wave of attacks exploiting Citrix NetScaler ADC and Gateway appliances also shows. Organizations should treat these incidents as a prompt to reassess the exposure of management and VPN interfaces, patch promptly, and enforce MFA on all remote access.