Skip to content

HFS servers hijacked to drop malware and crypto miners

  • by
  • 3 min read

Older versions of HTTP File Server (HFS) from Rejetto are now being targeted to drop malware and install crypto miners on unsuspecting users. Security researchers believe that attackers exploit CVE-2024-23692, a critical vulnerability in Rejetto that allows an unauthenticated user to run arbitrary commands on the server.

The vulnerability was discovered by security researcher Arseniy Sharoglazov in August 2023 and disclosed publicly in a technical paper published in May 2024. It affects Rejetto version 2.3m and lower and Rejetto itself has issued a warning on its website advising users not to use versions 2.3m and 2.4 as they’re “dangerous and should not be used anymore” because of the bug. If exploited, attackers can control the affected computer remotely, but there’s no fix to the problem yet.

XenoRAT and scanner malware were installed on affected systems by LemonDuck. | Source ASEC

As for the bug itself, CVE-2024-23692 is a template injection vulnerability that allows an unauthenticated, remote attacker to send a maliciously crafted HTTP request that can then run arbitrary commands on the target system. Proof of concepts and even a Metasploit module exploiting the vulnerability soon became available following the disclosure in May 2024, and researchers from ASEC report that attacks in the wild also started around this time.

After initial exploitation, threat actors run commands like “whoami” or “arp” to collect system information and then add backdoor accounts to connect later via RDP and conceal them. In many use cases, HFS was terminated after this process was complete to avoid exploitation by other threat actors. As for the threat actors themselves, researchers have assumed that most attacks are done by Chinese-speaking threat actors, considering examinations of the malware strains and commands.

A malware strain sending data back to a C2 server following exploitation. | Source: ASEC

Some threat actors also install XMRig, a Monero crypto miner, on the affected systems. Researchers discovered at least four threat actors exploiting the vulnerability and installing XMRig, including the infamous LemonDuck hacking group. Many remote access tools (RATs), vulnerability scanners, and backdoor-type malware strains are also being detected on affected systems. These include Gh0stRAT, PlugX, Cobalt Strike, GoTheif and Netcat. These malware strains can take screenshots, collect file information and IP addresses and send them back to a Command-and-Control server.

In the News: Twilio Authy breach leaks data of 33 million users

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>