Malicious actors are targeting HTTP File Servers (HFS) from Rejetto by leveraging vulnerabilities to deploy malware and cryptocurrency mining software. Specifically, threat actors are exploiting CVE-2024-23692, a critical security flaw that allows remote execution of arbitrary commands without authentication. HTTP File Server (HFS) is a lightweight web server software widely used for file sharing. Its simplicity in setup and operation makes it popular, allowing users to share files over the internet with ease.

Exploitation of CVE-2024-23692 Vulnerability

[caption id="attachment_80520" align="alignnone" width="798"] HFS used for sharing files (Source: AhnLab)[/caption] The CVE-2024-23692 vulnerability affects HFS versions up to 2.3m, enabling attackers to send malicious commands remotely to compromise the server. This flaw has been actively exploited by threat actors since its discovery, prompting warnings from Rejetto urging users to avoid versions 2.3m through 2.4 due to their susceptibility to malicious control. AhnLab's Security Intelligence Center (ASEC) has monitored numerous instances where attackers exploit CVE-2024-23692 vulnerability to infiltrate HFS servers. Once compromised, threat actors typically execute commands to gather system information, establish backdoor accounts, and conceal their presence by terminating the HFS process after completing their malicious activities. “Because HFS is exposed to the public in order to enable users to connect to the HFS web server and download files, it can be a target for external attacks if it has a vulnerability. In May 2024, a remote code execution vulnerability (CVE-2024-23692) in HFS was announced. Using this, the threat actor can send packets containing commands to HFS and have it execute malicious commands. Although not the latest version, the vulnerability affects “HFS 2.3m” which is used by many users.”, says AhnLab. 

CoinMiner Deployments and Diverse Malware Strains

Among the malicious payloads observed, XMRig stands out as a favored tool for mining Monero cryptocurrency. This CoinMiner, deployed by threat groups like LemonDuck, highlights the financial motives driving these attacks. In addition to CoinMiners, attackers have introduced a variety of Remote Access Trojans (RATs) and backdoor malware. Examples include XenoRAT, Gh0stRAT, and PlugX, each serving different espionage and control purposes, often associated with Chinese-speaking threat actors. Notably, GoThief has emerged as a sophisticated threat leveraging Amazon AWS services to exfiltrate sensitive information from infected systems. Developed in the Go language, GoThief captures screenshots and uploads them along with system data to a command-and-control server. The prevalence of CVE-2024-23692 exploitation highlights the critical need for HFS users to update to secure versions promptly. As threats actors and their attacking methods sharpen with time, maintaining software integrity through timely updates and vigilant monitoring remains extremely important to mitigating risks associated with vulnerable software.