{
  "name": "Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)",
  "slug": "attack-case-against-hfs-http-file-server-server-suspected-cve-2024-23692",
  "description": "A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, in which the attackers installed malware such as coin miners, RATs, backdoors, and information stealers. The attackers appear to be primarily Chinese-speaking threat actors.",
  "published": "2024-07-03T09:39:29+00:00",
  "created_at": "2024-07-03T09:39:29+00:00",
  "modified_at": "2024-07-03T09:54:25+00:00",
  "created_at_opencti": "2024-07-03T09:39:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-07-03",
    "CVE-2024-23692",
    "backdoor",
    "cobaltstrike",
    "destroyrat",
    "exploit",
    "gh0strat",
    "gothief",
    "korplug",
    "plugx",
    "rat",
    "vulnerability",
    "xenorat",
    "xmrig"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "188.116.22.65"
      },
      {
        "id": "",
        "name": "185.173.93.167"
      },
      {
        "id": "",
        "name": "121.204.249.123"
      },
      {
        "id": "",
        "name": "154.201.87.185"
      },
      {
        "id": "",
        "name": "164.155.205.99"
      },
      {
        "id": "",
        "name": "http://support.firewallsupportservers.com:80"
      },
      {
        "id": "",
        "name": "http://188.116.22.65:5000/submit"
      },
      {
        "id": "",
        "name": "http://185.173.93.167:13306/WindowsWatcher.key"
      },
      {
        "id": "",
        "name": "http://185.173.93.167:13306/Roboform.dll"
      },
      {
        "id": "",
        "name": "http://121.204.249.123:8077/systeminfo.exe"
      },
      {
        "id": "",
        "name": "http://121.204.249.123/2345.exe"
      },
      {
        "id": "",
        "name": "support.firewallsupportservers.com"
      },
      {
        "id": "",
        "name": "0af21e5bdeaf84c33c172a1170987cca478c2b3e13a3de5653f724f36e278ee4"
      },
      {
        "id": "",
        "name": "cbb265cfae15aa0f39bc67447aa82fc3ac40be6f9239a111e21e1532295eb4ed"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:cd6fb37f64673eca",
        "name": "GoThief",
        "slug": "gothief"
      },
      {
        "id": "936ec9c4-eac8-4c01-852e-9e2838eb9fdc",
        "name": "Gh0stRAT",
        "slug": "gh0strat"
      },
      {
        "id": "9c08757d-bd59-45d1-8174-ac5b1ab454f2",
        "name": "XenoRAT",
        "slug": "xenorat"
      },
      {
        "id": "legacy:malware:25f758cea1cec1c5",
        "name": "DestroyRAT",
        "slug": "destroyrat"
      },
      {
        "id": "9e518ffc-0367-4828-aa11-41b852504b89",
        "name": "PlugX - S0013",
        "slug": "plugx-s0013"
      },
      {
        "id": "352e6df6-6314-495d-8179-0282ddd47926",
        "name": "Korplug",
        "slug": "korplug"
      },
      {
        "id": "legacy:malware:40339a286d3b7055",
        "name": "CobaltStrike",
        "slug": "cobaltstrike"
      },
      {
        "id": "legacy:malware:83adebc6ef4eb478",
        "name": "XMRig",
        "slug": "xmrig"
      }
    ],
    "attack_patterns": [
      {
        "id": "1576c870-7f31-4052-8cf5-94a7d76cff52",
        "name": "T1089"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "19ce62bb-3faf-4d09-90b1-d82fce1ba8b0",
        "name": "T1136"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "67c697ce-a6cc-475f-9bee-e14c1bef7067",
        "name": "T1047"
      },
      {
        "id": "33962583-7396-47ef-913d-1db78d6685c9",
        "name": "T1569"
      },
      {
        "id": "14da8ebf-e0b0-4d4e-9c83-56277980f266",
        "name": "T1134"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "6a495275-5433-4b64-90e5-18b9f07296da",
        "name": "T1072"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2024-23692"
      }
    ]
  },
  "external_refs": [
    "https://asec.ahnlab.com/ko/67509/",
    "https://otx.alienvault.com/pulse/6685387168b4cf13f282f2c3"
  ]
}