Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/21/2021
06:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

DreamBus, FreakOut Botnets Pose New Threat to Linux Systems

Researchers from Zscaler and Check Point describe botnets as designed for DDoS attacks, cryptocurrency mining, and other malicious purposes.

Two dangerous new botnets have emerged in recent days targeting Linux-based systems worldwide.

One of them, dubbed "DreamBus," is malware with worm-like behavior that is capable of propagating itself both across the Internet and laterally through compromised internal networks using a variety of techniques.

Related Content:

APT Groups Set Sights on Linux Targets: Inside the Trend

Special Report: Understanding Your Cyber Attackers

New From The Edge: Hacker Pig Latin: A Base64 Primer for Security Analysts

Researchers at Zscaler who recently analyzed the threat described DreamBus as a modular piece of malware targeting Linux applications running on hardware systems with powerful CPUs and large amounts of memory.

The DreamBus botnet that has been assembled from systems the malware has compromised is currently being used to deploy the XMRig CPU miner to mine Monero cryptocurrency. But the same malware can be easily repurposed to deliver other more dangerous payloads, such as ransomware and malware, for stealing and holding data at ransom, says Brett Stone-Gross, director of threat intelligence at Zscaler.

"DreamBus can deploy arbitrary modules and execute arbitrary commands on a remote system," he says. "Given the prevalence of the software applications that are targeted and the aggressive worm-like spreading techniques, the number [of compromised systems is] likely in the tens of thousands."

In its advisory, Zscaler described DreamBus as having a variety of modules for self-propagation across the Interent and corprorate networks.

The malware can spread among systems that are not exposed to the Internet by scanning non-public RFC 1918 IP address space for vulnerable Linux systems. Among the many modules the malware uses for propagation are those that exploit implict trust and weak passwords and that enable unauthenticated remote code execution on applications such as Secure Shell (SSH), cloud-based apps and databases, and administration tools. Some of the malware's application-specific exploits include those targeting Apache Spark, SaltStack, Hadoop YARN, and HashiCorp Consul.

DreamBus' main component is a binary in Executable and Linkable Format (ELF) that can spread over SSH or is downloaded over HTTP. The botnet's command-and-control infrastructure is hosted on the TOR network and on anonymous file-sharing services that leverage the HTTP protocol, according to Zscaler. Available telemetry suggests the botnet operators are based in Russia or an East European country, Zscaler said.

"There is no single initial attack vector since each component is capable of compromising a system," Stone-Gross says. Most of the vulnerabilities that are exploited are either weak passwords or an application vulnerability where authentication is either not required — implicit trust — or can easily be bypassed such as SaltStack.

One key feature of DreamBus is that it can spread laterally in an internal network that is not publicly accessible, Stone-Gross says.  

"Systems behind a corporate firewall are often not as well protected because individuals may incorrectly assume that only other employees have access to the network," he says.

FreakOut Botnet
Meanwhile, Check Point earlier this week said it had observed a botnet, which it dubbed "FreakOut," targeting systems running vulnerable versions of the TerraMaster operating system for network attached storage servers, web apps and services using the Zend Framework, and the Liferay Portal CMS.

The malware is designed to exploit a newly disclosed vulnerablity in each of the three technologies: a command injection flaw in TerraMaster TOS (CVE-2020-28188), an insecure deserialization bug in Liferay Portal (CVE-2020-7961), and a remote code execution flaw in the Zend Framework (CVE-2021-3007).

Machines that the malware has compromised have been assembled into a botnet that is being used in distributed denial-of-service (DDoS_ attacks and for cryptomining purposes, Check Point said.

Adi Ikan, a security researcher at Check Point, says the company has direct evidence of more than 185 infected servers that are currently part of the FreakOut botnet. Check Point researchers have also observed hundreds of other additional attack attempts, most of which have been in the US and, to a lesser extent, European countries such as Germany and The Netherlands.

"Based on our sensors, there are more than 9,000 servers that are vulnerable to those vulnerabilities and are also exposed to the Internet," Ikan says. The fact that the attacker is targeting very new vulnerabilities in each of three Linux technologies is significant because it highlights the importance of addressing security issues quickly.

"The malware associated with this campaign is well-equipped with its capabilities [and is designed] to conduct various malicious activities," Ikan says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20491
PUBLISHED: 2021-04-16
IBM Spectrum Protect Server 7.1 and 8.1 is subject to a stack-based buffer overflow caused by improper bounds checking during the parsing of commands. By issuing such a command with an improper parameter, an authorized administrator could overflow a buffer and cause the server to crash. IBM X-Force ...
CVE-2021-22539
PUBLISHED: 2021-04-16
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend...
CVE-2021-31414
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
CVE-2021-26073
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
CVE-2021-26074
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...