Leveraging HFS Server Vulnerabilities to Exploit CVE-2024-23692


Threat Actors Exploiting Vulnerabilities in HFS Servers: Malware and Cryptocurrency Mining on the Rise

Malicious actors are taking advantage of vulnerabilities in Rejetto's HTTP File Server (HFS) to deploy malware and cryptocurrency mining software, posing a significant threat to users. Exploitation of CVE-2024-23692, which allows remote execution of arbitrary commands without authentication, has been a major concern for security experts.

HFS is a popular web server used for file sharing because of its simplicity and ease of use. However, CVE-2024-23692 affects versions up to 2.3m, leaving them open to remote attack. Threat actors have been actively exploiting this flaw to compromise servers and carry out malicious activities.

AhnLab’s Security Intelligence Center has observed numerous instances of attackers infiltrating HFS servers through the CVE-2024-23692 vulnerability. Once compromised, threat actors can gather system information, establish backdoor accounts, and conceal their presence by terminating the HFS process.
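The post-compromise behaviour described above (system information gathering, backdoor account creation, terminating the HFS process) can be hunted for in process-creation telemetry. The sketch below is an added example, not taken from the article or from AhnLab; the event fields, the command names matched by the rules, and all sample events are constructed assumptions.

```python
import ntpath
import re

# Rule name -> pattern over the child command line (command choices are assumptions).
RULES = [
    ("system_discovery", re.compile(r"\b(whoami|systeminfo|ipconfig)\b", re.I)),
    ("account_creation", re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\b.*/add\b", re.I)),
    ("hfs_termination", re.compile(r"\btaskkill\b.*\bhfs(\.exe)?\b", re.I)),
]

# Constructed process-creation events: (host, pid, ppid, image, cmdline).
SAMPLE_EVENTS = [
    ("fs01", 100, 4, r"C:\tools\hfs.exe", "hfs.exe"),
    ("fs01", 200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo"),
    ("fs01", 210, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ("fs01", 211, 210, r"C:\Windows\System32\net.exe", "net user svc_backup <redacted> /add"),
    ("fs01", 212, 210, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im hfs.exe"),
    # Same command from an interactive admin shell: parent is not in the HFS tree.
    ("fs01", 300, 50, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    # Different host reusing pid 100 for an unrelated process.
    ("fs02", 200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo"),
]


def is_hfs(image):
    """True when the executable file name is hfs.exe, whatever its directory."""
    return ntpath.basename(image).lower() == "hfs.exe"


def detect(events):
    """Return (host, pid, rule) for every process descended from hfs.exe.

    Events are assumed to arrive in chronological order, so a parent is
    always seen before its children.
    """
    hfs_tree = set()  # (host, pid) of hfs.exe and everything it spawned
    alerts = []
    for host, pid, ppid, image, cmdline in events:
        if is_hfs(image):
            hfs_tree.add((host, pid))
            continue
        if (host, ppid) not in hfs_tree:
            continue
        hfs_tree.add((host, pid))  # keep following grandchildren
        hits = [name for name, rx in RULES if rx.search(cmdline)]
        # A file server has no reason to spawn processes, so flag unmatched children too.
        for name in hits or ["child_of_hfs"]:
            alerts.append((host, pid, name))
    return alerts
```

Tracking the whole process tree rather than only direct children matters here, because the account-creation and termination commands in the sample run under a shell that HFS spawned, not under hfs.exe itself.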

In addition to deploying CoinMiners like XMRig to mine Monero cryptocurrency, attackers have introduced various Remote Access Trojans (RATs) and backdoor malware, such as XenoRAT, Gh0stRAT, and PlugX. These malware strains serve different espionage and control purposes, often linked to Chinese-speaking threat actors.

One particularly sophisticated threat, GoThief, utilizes Amazon AWS services to exfiltrate sensitive information from infected systems. As the prevalence of CVE-2024-23692 exploitation continues to rise, HFS users are urged to update to secure versions promptly to mitigate risks associated with vulnerable software. Maintaining software integrity through timely updates and vigilant monitoring is crucial in safeguarding against evolving cyber threats.
