FreakOut is a new botnet observed by specialists from CheckPoint. It targets Linux systems running vulnerable versions of the TerraMaster OS for network-attached storage servers, web apps and services using the Zend Framework, and the Liferay Portal CMS. The largest number of hits was discovered in the USA and, to a lesser extent, European countries such as Germany and the Netherlands. More information can be found below…
New FreakOut botnet targets Linux systems running unpatched software
CheckPoint researchers are warning of a novel malware variant that targets Linux devices in order to add them to a botnet.
The FreakOut operator is mass-scanning the internet for vulnerable applications and then using exploits for these vulnerabilities to gain control of the underlying Linux system. Its current targets include TerraMaster data storage units, web applications built on top of the Zend PHP Framework, and websites running the Liferay Portal content management system. All three vulnerabilities are fairly recent, and there is a high chance that many systems are still unpatched.
CVE-2020-28188 – RCE in TerraMaster management panel (disclosed on December 24, 2020)
CVE-2021-3007 – deserialization bug in the Zend Framework (disclosed on January 3, 2021)
CVE-2020-7961 – deserialization bug in the Liferay Portal (disclosed on March 20, 2020)
FreakOut botnet – it gains access and then what?
Once the FreakOut bot gains access to a system, its immediate step is to download and run a Python script that connects the infected device to a remote IRC channel, where the attacker can send commands and orchestrate a varied list of attacks using the enslaved devices. What will be the next step?
- Gathering info on the infected system;
- Creating and sending UDP and TCP packets;
- Executing Telnet brute-force attacks using a list of hardcoded credentials;
- Running a port scan;
- Executing an ARP poisoning attack on the device’s local network;
- Opening a reverse shell on the infected host;
- Killing local processes; and more.
Check Point argues that these functions can be combined to perform various operations, like launching DDoS attacks, installing cryptocurrency miners, turning infected bots into a proxy network, or launching attacks on the internal network of an infected device.
The newest stats shown in the IRC panel suggest the botnet is only controlling around 180 infected systems. These are low numbers for a botnet but more than enough for very capable DDoS attacks, ARP poisoning, hidden crypto-mining, brute-force attacks, or something worse.
DNSpooq bugs let attackers hijack DNS on millions of devices
DNSpooq is a collective name for seven Dnsmasq vulnerabilities that can be exploited to launch DNS cache poisoning, remote code execution, and denial-of-service attacks against millions of affected devices. It was discovered by Israeli security consultancy firm JSOF.
Dnsmasq is popular open-source Domain Name System (DNS) forwarding software that is regularly used to add DNS caching and Dynamic Host Configuration Protocol (DHCP) server capabilities to Internet-of-Things (IoT) and various other embedded devices.
The full number of companies that use vulnerable versions is not yet known, but the list of customers includes Android/Google, Comcast, Cisco, Redhat, Netgear, Qualcomm, Linksys, IBM, D-Link, Dell, Huawei, and Ubiquiti.
Three of the DNSpooq vulnerabilities (tracked as CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) allow for DNS cache poisoning attacks (also known as DNS spoofing). This is an attack method that allows threat actors to replace legitimate DNS records on a device with ones of their choosing. Using this attack, threat actors can redirect users to malicious servers under their control, while to the visitors it appears as if they are visiting the legitimate site.
The rest of them are buffer overflow vulnerabilities tracked as CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, and CVE-2020-25681 that could let attackers remotely execute arbitrary code on vulnerable networking equipment when Dnsmasq is configured to use DNSSEC.
Attacks exploiting the DNSpooq security bugs are quite easy to carry out and do not require any unusual techniques or tools. The attack can be completed successfully in seconds or a few minutes, and has no special requirements.
More than 1 million Dnsmasq servers are currently exposed on the Internet according to Shodan and over 630,000 according to BinaryEdge, with millions of other routers, VPNs, smartphones, tablets, infotainment systems, modems, access points, drones, and similar equipment that are not accessible over the Internet also vulnerable to attacks.
To fully mitigate attacks attempting to exploit DNSpooq flaws, JSOF advises updating the Dnsmasq software to the latest version (2.83 or later).
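A triage check built on the details above, as an added example that is not code from JSOF or the Dnsmasq project: it reads the banner printed by `dnsmasq --version` plus the text of one configuration file and reports which DNSpooq CVE groups a host is still exposed to. The sample inputs are constructed, and the function names are this example's own.

```python
import re

FIXED = (2, 83)  # first fixed release named in the article
POISONING = ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"]
OVERFLOW = ["CVE-2020-25681", "CVE-2020-25682", "CVE-2020-25683", "CVE-2020-25687"]

# Constructed sample inputs (not captured from a real device).
SAMPLE_VERSION = (
    "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley\n"
    "Compile time options: IPv6 GNU-getopt no-DBus DHCP DHCPv6 no-Lua TFTP "
    "ipset auth DNSSEC loop-detect inotify dumpfile\n"
)
SAMPLE_CONF = "# constructed config\ndomain-needed\ncache-size=1000\ndnssec\n"

def parse_version_output(text):
    """Return ((major, minor), dnssec_compiled) from `dnsmasq --version` output."""
    m = re.search(r"Dnsmasq version (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Dnsmasq version banner found")
    opts = ""
    for line in text.splitlines():
        if line.lower().startswith("compile time options:"):
            opts = line.split(":", 1)[1]
    # Builds without validation list the token "no-DNSSEC" instead of "DNSSEC".
    return (int(m.group(1)), int(m.group(2))), "DNSSEC" in opts.split()

def dnssec_enabled(conf_text):
    """True if an uncommented `dnssec` line is present in this config text.
    Files pulled in via conf-file/conf-dir and a --dnssec command-line flag
    are not followed here; feed them in separately."""
    return any(raw.split("#", 1)[0].strip() == "dnssec"
               for raw in conf_text.splitlines())

def triage(version_output, conf_text):
    version, compiled = parse_version_output(version_output)
    if version >= FIXED:
        return {"version": version, "exposed": []}
    exposed = list(POISONING)          # cache poisoning needs no DNSSEC
    if compiled and dnssec_enabled(conf_text):
        exposed += OVERFLOW            # overflows sit in the DNSSEC code path
    return {"version": version, "exposed": exposed}

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONF))
```

Distribution packages can carry backported fixes under an older upstream version number, so a flagged host should be checked against the vendor's advisory before it is counted as vulnerable.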
Hackers accidentally exposed stolen credentials to the public internet
Hackers behind a massive phishing campaign forgot to protect their loot and, as a result, allowed users to google the stolen data.
The phishing campaign has been running for more than half a year and uses dozens of domains that host the phishing pages. It receives regular updates to make the fraudulent Microsoft Office 365 login requests look more realistic. Despite its simplicity, the attackers collected at least 1,000 login credentials for corporate Office 365 accounts.
The attackers exfiltrated the information to domains they had registered specifically for the task. Their mistake was that they put the data in a publicly visible file that Google indexed. As a result, Google could show results for queries of a stolen email address or password.
Phishing – why is it so effective?
The attackers used several phishing email themes to lure potential victims into loading the landing page that collected their Microsoft Office 365 username and password. The malicious emails had the target’s first name or company title in the subject line and purported to deliver a Xerox scan notification in HTML format.
Opening the attachment loaded a blurred image overlaid by a fake Microsoft Office 365 login form in the default web browser. The username field is already populated with the victim’s email address, which typically removes suspicion of login theft.
JavaScript code running in the background checks the validity of the credentials, sends them to the attacker’s drop-zone server, and redirects the victim to the legitimate Office 365 login page as a distraction.
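The traits described above (blurred background, pre-filled username, a password field, and script that talks to a host other than the real login page) can be checked on inbound HTML attachments at the mail gateway. The following is an added example, not code from the researchers; the allowlist, finding names, and sample attachment are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Hosts a genuine Microsoft sign-in link may point at (assumed allowlist; extend as needed).
KNOWN_LOGIN_HOSTS = {"login.microsoftonline.com"}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed, non-functional sample attachment for the check below.
SAMPLE = """<html><body>
<img src="scan.png" style="filter: blur(6px)">
<form><input type="text" value="alice@corp.example">
<input type="password" name="p"></form>
<script>var next = "https://login.microsoftonline.com/";
var report = "https://collector.example/r";</script>
</body></html>"""

class FormScan(HTMLParser):
    """Records whether the page has a password field and a pre-filled recipient."""
    def __init__(self, recipient):
        super().__init__()
        self.recipient = recipient.lower()
        self.has_password = False
        self.prefilled = False

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password":
            self.has_password = True
        if a.get("value", "").strip().lower() == self.recipient:
            self.prefilled = True

def scan_attachment(html, recipient):
    """Return the list of phishing traits found in one HTML attachment."""
    scan = FormScan(recipient)
    scan.feed(html)
    findings = []
    if scan.has_password:
        findings.append("password-field")
    if scan.prefilled:
        findings.append("prefilled-recipient")
    if re.search(r"blur\s*\(", html):
        findings.append("blurred-background")
    unknown = sorted({h.lower() for h in URL_HOST.findall(html)} - KNOWN_LOGIN_HOSTS)
    if scan.has_password and unknown:  # a login form that references other hosts
        findings += ["external-host:" + h for h in unknown]
    return findings
```

An attachment that triggers several of these findings at once is a strong candidate for quarantine, since a scan notification has no reason to ask for a password.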
Who got the biggest hit?
Processing information from about 500 entries, the researchers could determine that companies in the construction, energy, and IT sectors were the most prevalent targets of these phishing attacks.
Malwarebytes hacked by the same group who breached SolarWinds
Last week, US cyber-security firm Malwarebytes said it was hacked by the same group which breached IT software company SolarWinds last year – known as UNC2452 or Dark Halo. The attack was not related to the SolarWinds supply chain incident since the company doesn’t use any of its software.
Instead, the security firm said the hackers breached its internal systems by exploiting a dormant email protection product within its Office 365 tenant. Malwarebytes said the threat actor added a self-signed certificate with credentials to the principal service account, subsequently using it to make API calls to request emails via Microsoft Graph.
Malwarebytes said it learned of the intrusion from the Microsoft Security Response Center (MSRC) on December 15, which detected suspicious activity coming from the dormant Office 365 security app.
Marcin Kleczyński, Malwarebytes co-founder and CEO, said the attacker only gained access to a limited subset of internal company emails. He said the company also performed a very thorough audit of all its products and their source code, searching for any signs of a similar compromise or past supply chain attack.
Result? The internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Thus the company's software was not affected and remains safe to use.
Do you have a thirst for knowledge? There are ten more cybersecurity stories below.
1. Raindrop, a fourth malware employed in SolarWinds attacks (Security Affairs)
2. OpenWRT reports data breach after hacker gained access to forum admin account (ZDNet)
3. Logic bugs found in popular apps, including Signal and FB Messenger (Security Affairs)
4. Ongoing ‘FreakOut’ malware attack turns Linux devices into IRC botnet (HackRead)
5. Microsoft shares how SolarWinds hackers evaded detection (Bleeping Computer)
6. NVIDIA Gamers Face DoS, Data Loss from Shield TV Bugs (Threat Post)
7. VLC Media Player 3.0.12 fixes multiple remote code execution flaws (Bleeping Computer)
8. Cisco fixed multiple flaws in Cisco SD-WAN products and Smart Software Manager Satellite Web UI (Security Affairs)
9. Automated exploit of critical SAP SolMan vulnerability detected in the wild (ZDNet)
10. Windows RDP servers are being abused to amplify DDoS attacks (ZDNet)