Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)
July 3, 2024, 11:54 a.m.
Description
A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, RATs, backdoors, and information stealers. The attackers seem to be primarily Chinese-speaking threat actors.
Date
Published: July 3, 2024, 11:39 a.m.
Created: July 3, 2024, 11:39 a.m.
Modified: July 3, 2024, 11:54 a.m.
Indicators
Attack Patterns
GoThief
Gh0stRAT
XenoRAT
DestroyRAT
PlugX - S0013
Korplug
CobaltStrike
XMRig
T1089
T1018
T1136
T1012
T1021
T1070
T1106
T1082
T1057
T1105
T1083
T1047
T1569
T1134
T1027
T1053
T1190
T1072
T1059
CVE-2024-23692