July 4, 2024 at 08:33AM
Hackers are targeting older versions of Rejetto’s HTTP File Server (HFS) with malware and cryptocurrency mining. They exploit CVE-2024-23692 to execute commands without authentication. Vulnerable versions include up to 2.3m, categorized as “dangerous” by Rejetto. Attackers gather system information, install backdoors, and deploy various malware, including XMRig for cryptocurrency mining. AhnLab recommends the latest variant, 0.52.x.
The meeting notes indicate that older versions of the HTTP File Server (HFS) from Rejetto are being targeted by hackers to drop malware and cryptocurrency mining software. The attackers are exploiting CVE-2024-23692, a critical-severity security issue that allows executing arbitrary commands without authentication.
The vulnerability impacts versions of the software up to and including 2.3m, and the researchers at AhnLab believe that attackers are specifically targeting this version. They observed attacks where hackers collect information about the system, install backdoors, and execute various types of malware.
Additionally, the compromised computers were found to have been installed with various malicious payloads, including XMRig for cryptocurrency mining, XenoRAT for remote access and control, Gh0stRAT for remote control and data exfiltration, PlugX as a persistent access backdoor, and GoThief as an information stealer.
The researchers recommend using version 0.52.x of the product, which provides enhanced security features such as support for HTTPS, dynamic DNS, and authentication for the administrative panel.
AhnLab provides a set of indicators of compromise, which include hashes for the malware, IP addresses for attacker command and control servers, and download URLs for the malware used in the attacks.
The meeting notes also mention related articles on cybersecurity threats, including Microsoft fixing Windows zero-day exploited in QakBot malware attacks, infostealer malware utilized to identify child abuse website members, Cisco warning of NX-OS zero-day exploited to deploy custom malware, hackers exploiting critical D-Link DIR-859 router flaw to steal passwords, and the new Unfurling Hemlock threat actor flooding systems with malware.