Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/21/2021
06:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

DreamBus, FreakOut Botnets Pose New Threat to Linux Systems

Researchers from Zscaler and Check Point describe botnets as designed for DDoS attacks, cryptocurrency mining, and other malicious purposes.

Two dangerous new botnets have emerged in recent days targeting Linux-based systems worldwide.

One of them, dubbed "DreamBus," is malware with worm-like behavior that is capable of propagating itself both across the Internet and laterally through compromised internal networks using a variety of techniques.

Related Content:

APT Groups Set Sights on Linux Targets: Inside the Trend

Special Report: Understanding Your Cyber Attackers

New From The Edge: Hacker Pig Latin: A Base64 Primer for Security Analysts

Researchers at Zscaler who recently analyzed the threat described DreamBus as a modular piece of malware targeting Linux applications running on hardware systems with powerful CPUs and large amounts of memory.

The DreamBus botnet that has been assembled from systems the malware has compromised is currently being used to deploy the XMRig CPU miner to mine Monero cryptocurrency. But the same malware can be easily repurposed to deliver other more dangerous payloads, such as ransomware and malware, for stealing and holding data at ransom, says Brett Stone-Gross, director of threat intelligence at Zscaler.

"DreamBus can deploy arbitrary modules and execute arbitrary commands on a remote system," he says. "Given the prevalence of the software applications that are targeted and the aggressive worm-like spreading techniques, the number [of compromised systems is] likely in the tens of thousands."

In its advisory, Zscaler described DreamBus as having a variety of modules for self-propagation across the Interent and corprorate networks.

The malware can spread among systems that are not exposed to the Internet by scanning non-public RFC 1918 IP address space for vulnerable Linux systems. Among the many modules the malware uses for propagation are those that exploit implict trust and weak passwords and that enable unauthenticated remote code execution on applications such as Secure Shell (SSH), cloud-based apps and databases, and administration tools. Some of the malware's application-specific exploits include those targeting Apache Spark, SaltStack, Hadoop YARN, and HashiCorp Consul.

DreamBus' main component is a binary in Executable and Linkable Format (ELF) that can spread over SSH or is downloaded over HTTP. The botnet's command-and-control infrastructure is hosted on the TOR network and on anonymous file-sharing services that leverage the HTTP protocol, according to Zscaler. Available telemetry suggests the botnet operators are based in Russia or an East European country, Zscaler said.

"There is no single initial attack vector since each component is capable of compromising a system," Stone-Gross says. Most of the vulnerabilities that are exploited are either weak passwords or an application vulnerability where authentication is either not required — implicit trust — or can easily be bypassed such as SaltStack.

One key feature of DreamBus is that it can spread laterally in an internal network that is not publicly accessible, Stone-Gross says.  

"Systems behind a corporate firewall are often not as well protected because individuals may incorrectly assume that only other employees have access to the network," he says.

FreakOut Botnet
Meanwhile, Check Point earlier this week said it had observed a botnet, which it dubbed "FreakOut," targeting systems running vulnerable versions of the TerraMaster operating system for network attached storage servers, web apps and services using the Zend Framework, and the Liferay Portal CMS.

The malware is designed to exploit a newly disclosed vulnerablity in each of the three technologies: a command injection flaw in TerraMaster TOS (CVE-2020-28188), an insecure deserialization bug in Liferay Portal (CVE-2020-7961), and a remote code execution flaw in the Zend Framework (CVE-2021-3007).

Machines that the malware has compromised have been assembled into a botnet that is being used in distributed denial-of-service (DDoS_ attacks and for cryptomining purposes, Check Point said.

Adi Ikan, a security researcher at Check Point, says the company has direct evidence of more than 185 infected servers that are currently part of the FreakOut botnet. Check Point researchers have also observed hundreds of other additional attack attempts, most of which have been in the US and, to a lesser extent, European countries such as Germany and The Netherlands.

"Based on our sensors, there are more than 9,000 servers that are vulnerable to those vulnerabilities and are also exposed to the Internet," Ikan says. The fact that the attacker is targeting very new vulnerabilities in each of three Linux technologies is significant because it highlights the importance of addressing security issues quickly.

"The malware associated with this campaign is well-equipped with its capabilities [and is designed] to conduct various malicious activities," Ikan says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12527
PUBLISHED: 2021-03-02
An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. Improper use of access validation allows a logged in user to interact with devices in the account he should not have access to.
CVE-2020-12528
PUBLISHED: 2021-03-02
An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. Improper use of access validation allows a logged in user to kill web2go sessions in the account he should not have access to.
CVE-2020-12529
PUBLISHED: 2021-03-02
An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2 There is a SSRF in the LDAP access check, allowing an attacker to scan for open ports.
CVE-2020-12530
PUBLISHED: 2021-03-02
An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. There is an XSS issue in the redirect.php allowing an attacker to inject code via a get parameter.
CVE-2021-21255
PUBLISHED: 2021-03-02
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4.