Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/21/2021
06:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

DreamBus, FreakOut Botnets Pose New Threat to Linux Systems

Researchers from Zscaler and Check Point describe botnets as designed for DDoS attacks, cryptocurrency mining, and other malicious purposes.

Two dangerous new botnets have emerged in recent days targeting Linux-based systems worldwide.

One of them, dubbed "DreamBus," is malware with worm-like behavior that is capable of propagating itself both across the Internet and laterally through compromised internal networks using a variety of techniques.

Related Content:

APT Groups Set Sights on Linux Targets: Inside the Trend

Special Report: Understanding Your Cyber Attackers

New From The Edge: Hacker Pig Latin: A Base64 Primer for Security Analysts

Researchers at Zscaler who recently analyzed the threat described DreamBus as a modular piece of malware targeting Linux applications running on hardware systems with powerful CPUs and large amounts of memory.

The DreamBus botnet that has been assembled from systems the malware has compromised is currently being used to deploy the XMRig CPU miner to mine Monero cryptocurrency. But the same malware can be easily repurposed to deliver other more dangerous payloads, such as ransomware and malware, for stealing and holding data at ransom, says Brett Stone-Gross, director of threat intelligence at Zscaler.

"DreamBus can deploy arbitrary modules and execute arbitrary commands on a remote system," he says. "Given the prevalence of the software applications that are targeted and the aggressive worm-like spreading techniques, the number [of compromised systems is] likely in the tens of thousands."

In its advisory, Zscaler described DreamBus as having a variety of modules for self-propagation across the Interent and corprorate networks.

The malware can spread among systems that are not exposed to the Internet by scanning non-public RFC 1918 IP address space for vulnerable Linux systems. Among the many modules the malware uses for propagation are those that exploit implict trust and weak passwords and that enable unauthenticated remote code execution on applications such as Secure Shell (SSH), cloud-based apps and databases, and administration tools. Some of the malware's application-specific exploits include those targeting Apache Spark, SaltStack, Hadoop YARN, and HashiCorp Consul.

DreamBus' main component is a binary in Executable and Linkable Format (ELF) that can spread over SSH or is downloaded over HTTP. The botnet's command-and-control infrastructure is hosted on the TOR network and on anonymous file-sharing services that leverage the HTTP protocol, according to Zscaler. Available telemetry suggests the botnet operators are based in Russia or an East European country, Zscaler said.

"There is no single initial attack vector since each component is capable of compromising a system," Stone-Gross says. Most of the vulnerabilities that are exploited are either weak passwords or an application vulnerability where authentication is either not required — implicit trust — or can easily be bypassed such as SaltStack.

One key feature of DreamBus is that it can spread laterally in an internal network that is not publicly accessible, Stone-Gross says.  

"Systems behind a corporate firewall are often not as well protected because individuals may incorrectly assume that only other employees have access to the network," he says.

FreakOut Botnet
Meanwhile, Check Point earlier this week said it had observed a botnet, which it dubbed "FreakOut," targeting systems running vulnerable versions of the TerraMaster operating system for network attached storage servers, web apps and services using the Zend Framework, and the Liferay Portal CMS.

The malware is designed to exploit a newly disclosed vulnerablity in each of the three technologies: a command injection flaw in TerraMaster TOS (CVE-2020-28188), an insecure deserialization bug in Liferay Portal (CVE-2020-7961), and a remote code execution flaw in the Zend Framework (CVE-2021-3007).

Machines that the malware has compromised have been assembled into a botnet that is being used in distributed denial-of-service (DDoS_ attacks and for cryptomining purposes, Check Point said.

Adi Ikan, a security researcher at Check Point, says the company has direct evidence of more than 185 infected servers that are currently part of the FreakOut botnet. Check Point researchers have also observed hundreds of other additional attack attempts, most of which have been in the US and, to a lesser extent, European countries such as Germany and The Netherlands.

"Based on our sensors, there are more than 9,000 servers that are vulnerable to those vulnerabilities and are also exposed to the Internet," Ikan says. The fact that the attacker is targeting very new vulnerabilities in each of three Linux technologies is significant because it highlights the importance of addressing security issues quickly.

"The malware associated with this campaign is well-equipped with its capabilities [and is designed] to conduct various malicious activities," Ikan says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "Elon, I think our cover's been blown."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...
CVE-2021-2299
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful atta...