Researchers are warning that a novel malware variant is targeting Linux devices in order to add them to a botnet, which is then used for distributed denial-of-service (DDoS) attacks and cryptomining.
The malware, called FreakOut, has a variety of capabilities, including port scanning, information gathering, and packet and network sniffing. It can launch DDoS and network-flooding attacks as well as cryptomining activity, and it is actively adding infected Linux devices to its botnet.
Researchers with Check Point Research said in a Tuesday analysis, “If successfully exploited, each device infected with this malware can be used as a remote-controlled attack platform. The threat actors behind the attacks can use them to target other vulnerable devices to expand their network of infected machines.”
Exploiting Critical Flaws
FreakOut first targets Linux devices running specific products that have not been patched against several known flaws.
These include a critical remote command execution flaw (CVE-2020-28188) in TerraMaster TOS, the operating system of TerraMaster, a popular data storage device vendor. Versions prior to 4.2.06 are affected, and a patch will become available in 4.2.07.
A second flaw affects the Zend Framework. Researchers said, “The maintainer no longer supports the Zend framework, and the laminas-http vendor released a relevant patch for this vulnerability.”
The third flaw is a critical deserialization of untrusted data issue (CVE-2020-7961) in Liferay Portal, a free, open-source enterprise portal with features for developing web portals and websites. Versions prior to 7.2.1 CE GA2 are affected, and a fix is available in Liferay Portal 7.2 CE GA2 (7.2.1).
Researchers said, “Patches are available for all impacted products in these CVEs. To close off these vulnerabilities, users of these products are advised to urgently check any of these devices they are using and to update and patch them.”
Attack Surface
After exploiting one of these critical flaws, attackers upload a complex Python script called out.py, downloaded from the site https://gxbrowser[.]net.
Researchers said, “After downloading the script and giving it permissions, the attacker tries to run it using Python 2. Last year, Python 2 reached EOL (end-of-life), meaning the attacker assumes the victim’s device has this deprecated product installed.”
To infect other devices on the network, the script has several capabilities, including a port scanner, collection of system fingerprints, the ability to create and send packets, and brute-force logins using hard-coded credentials.
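The article names two host-level indicators of this infection chain, the gxbrowser[.]net download site and the out.py dropper, and notes that the attacker relies on a Python 2 interpreter to run it. The following Python 3 script is an added example (not Check Point's code and not anything from the article) that hunts for those indicators in a proxy or web access log and in a process listing. The log layout, the other hostnames, and all sample lines are constructed for illustration; only the gxbrowser[.]net domain and the out.py file name come from the article.

```python
"""Hunt for the FreakOut indicators named in the article in local telemetry.

Added example, not Check Point's or the article's code. Indicators used:
the download site gxbrowser[.]net and the dropper file name out.py (both
from the article). Everything else (log layout, sample lines, other hosts)
is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

DOWNLOAD_HOST = "gxbrowser.net"   # article gives it defanged as gxbrowser[.]net
DROPPER_NAME = "out.py"

# The host must stand alone as a label sequence: not a suffix of another name
# (e.g. notgxbrowser.net) and not a prefix of a longer one (gxbrowser.network).
HOST_RE = re.compile(
    r"(?<![a-z0-9.-])" + re.escape(DOWNLOAD_HOST) + r"(?![a-z0-9-])", re.I)
# A URL path ending in /out.py on any host: weaker evidence on its own.
DROPPER_URL_RE = re.compile(
    r"/" + re.escape(DROPPER_NAME) + r"(?=[?#\s]|$)", re.I)
# A Python 2 interpreter (python2, python2.7, ...) executing out.py.
PY2_DROPPER_RE = re.compile(
    r"\bpython2(?:\.\d+)?\b.*\b" + re.escape(DROPPER_NAME) + r"\b", re.I)


@dataclass(frozen=True)
class Hit:
    source: str      # which input the line came from ("proxy" or "ps")
    line_no: int     # 1-based line number within that input
    indicator: str   # which rule fired
    severity: str    # "high" or "medium"
    line: str        # the matching line, refanged


def refang(text: str) -> str:
    """Undo common defanging so pasted IOC lists and logs match the same way."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def scan_log(lines: Iterable[str], source: str = "proxy") -> List[Hit]:
    """Flag requests to the download host, or for an out.py from anywhere."""
    hits: List[Hit] = []
    for n, raw in enumerate(lines, 1):
        line = refang(raw.rstrip("\n"))
        if HOST_RE.search(line):
            hits.append(Hit(source, n, "download-host", "high", line))
        elif DROPPER_URL_RE.search(line):
            hits.append(Hit(source, n, "dropper-name", "medium", line))
    return hits


def scan_process_list(lines: Iterable[str], source: str = "ps") -> List[Hit]:
    """Flag a Python 2 process running out.py (the article's execution step)."""
    hits: List[Hit] = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if PY2_DROPPER_RE.search(line):
            hits.append(Hit(source, n, "python2-out.py", "high", line))
    return hits


def hunt(proxy_log: str, ps_output: str) -> List[Hit]:
    """Run both scanners over raw text and return every hit, in input order."""
    return (scan_log(proxy_log.splitlines(), "proxy")
            + scan_process_list(ps_output.splitlines(), "ps"))


# Constructed sample data: a squid-style proxy log and a trimmed `ps` listing.
SAMPLE_PROXY_LOG = """\
1610100000.123 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html
1610100001.456 10.0.0.7 TCP_MISS/200 GET https://gxbrowser.net/out.py
1610100002.789 10.0.0.9 TCP_MISS/200 GET https://cdn.example.org/out.py
1610100003.012 10.0.0.5 TCP_MISS/200 GET https://gxbrowser.network/
"""
SAMPLE_PS = """\
root         1  0.0 /sbin/init
www-data   812  0.0 /usr/sbin/apache2 -k start
www-data   947 12.3 python2 /tmp/out.py
www-data   950  0.1 python3 /opt/app/checkout.py
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOG, SAMPLE_PS):
        print(f"[{hit.severity}] {hit.source}:{hit.line_no} {hit.indicator}: {hit.line}")
```

The domain match is the strong signal; a bare out.py fetched from some other host is reported at a lower severity because the file name alone is weak evidence, and a Python 2 process executing out.py is treated as a confirmed execution of the dropper. Feed `scan_log` the real access or proxy log and `scan_process_list` the output of `ps axo user,pid,pcpu,args` on a suspect host; defanged IOC lists can be pasted in as-is because `refang` normalises them first.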
After a deep dive into the attackers’ main command-and-control server, researchers found that an estimated 185 devices have been compromised so far.
Researchers observed 380 attack attempts against customers between Jan. 8 and Jan. 13. The most targeted industries were finance, government and healthcare, and most of the attempts were against organizations in North America and Western Europe.
According to researchers, to protect against FreakOut, Linux users who run TerraMaster TOS, Zend Framework or Liferay Portal should make sure they have deployed all available patches.
They also strongly recommend that users check and patch their servers and Linux devices in order to prevent FreakOut from exploiting these vulnerabilities.