
6/25/2020
09:40 AM

Lucifer Malware Aims to Become Broad Platform for Attacks

The recently spreading distributed denial-of-service and cryptomining tool attempts to exploit a dozen flaws in web applications, web frameworks and Windows, brute-forces logins with a short password list, and is intended to work against a variety of operating systems.

A cybercriminal operation aiming to spread among web-application servers has had moderate success, using compromised systems for Monero cryptomining, as nodes in a denial-of-service botnet, and as footholds from which to spread further into enterprise networks, researchers with Palo Alto Networks said on Wednesday.

The developers of the attack tool appear to be aiming to create a general-purpose platform for a wide variety of attacks, from distributed denial-of-service (DDoS) attacks to cryptomining to the creation of botnets, the company warned. Called Satan DDoS by the developers, the tool will likely target not only Windows computers and Linux servers but also Internet of Things devices and systems built on ARM and MIPS processors, according to messages found in the code.

So far, the malware has had some success, especially in the Asia-Pacific region, says Ken Hsu, senior security researcher at Unit 42 for Palo Alto Networks.

"Because it's able to monetize its attacks, as well as establish a command-and-control operation, it appeals to a wide variety of attackers," he says. "The number of alerts we observed suggests that companies should step up their security measures, not just via patching software but also by strengthening security policy and compliance, [such as] password strengthening."

The spread of the DDoS and cryptojacking malware highlights that cybercriminals do not have to use the most recent exploits to successfully compromise servers on the Internet. The Palo Alto researchers initially discovered the malware after it repeatedly compromised web applications using an exploit for a 16-month-old vulnerability (CVE-2019-9081) in the Laravel PHP framework. 

Among the vulnerabilities exploited by the software are a single vulnerability reported in 2020 and another from 2019, but mainly older issues: three vulnerabilities from 2018, five from 2017, and a single flaw from 2014. The exploits target the Rejetto HTTP File Server, Jenkins, Oracle WebLogic, Drupal, Apache Struts, the Laravel framework, and Microsoft Windows. All issues are considered high or critical severity, Palo Alto researchers stated in the advisory. The malware also brute-forces logins on remote-access and Microsoft SQL ports using a short list of common usernames and passwords (a dictionary attack, rather than credential stuffing, which replays username/password pairs leaked from other breaches).
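To make the brute-forcing behaviour concrete from the defender's side, here is an added example (not code from Unit 42's report or from the malware) of detection logic run over authentication logs: it flags a source that accumulates many failed logins against one service inside a short window, lists the usernames it cycled through, and notes whether a successful login from the same source followed, which separates a likely compromise from background noise. The log format, field names, window length and threshold are assumptions, and the log lines are constructed.

```python
"""Flag short-wordlist password guessing against remote-access / MSSQL services.

Added example; not code from the Unit 42 report or from the malware.
Log format, field names, window and threshold below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
#   <ISO-8601 time> <service> <FAIL|OK> user=<name> src=<ip>
SAMPLE_LOG = """\
2020-06-11T03:14:01 mssql FAIL user=sa src=203.0.113.7
2020-06-11T03:14:02 mssql FAIL user=sa src=203.0.113.7
2020-06-11T03:14:03 mssql FAIL user=admin src=203.0.113.7
2020-06-11T03:14:04 mssql FAIL user=administrator src=203.0.113.7
2020-06-11T03:14:05 mssql FAIL user=root src=203.0.113.7
2020-06-11T03:14:06 mssql OK user=sa src=203.0.113.7
2020-06-11T03:14:07 rdp FAIL user=alice src=198.51.100.9
2020-06-11T09:00:00 rdp FAIL user=alice src=198.51.100.9
"""


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on malformed input."""
    ts, service, result, user_kv, src_kv = line.split()
    if result not in ("FAIL", "OK"):
        raise ValueError(f"unexpected result field: {result!r}")
    return {
        "ts": datetime.fromisoformat(ts),
        "service": service,
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_bruteforce(log_text, window=timedelta(seconds=60), threshold=5):
    """Return one alert per (source IP, service) whose failed logins reach
    `threshold` inside any span no longer than `window`. Each alert lists the
    usernames tried in that span and whether a successful login from the same
    source came after it (a likely compromise, not just noise)."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["service"])].append(e)

    alerts = []
    for (src, service), evs in by_key.items():
        fails = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                span = fails[start:end + 1]
                success_after = any(
                    e["ok"] and e["ts"] >= span[-1]["ts"] for e in evs
                )
                alerts.append({
                    "src": src,
                    "service": service,
                    "failures": len(span),
                    "usernames": sorted({e["user"] for e in span}),
                    "success_after": success_after,
                })
                break  # one alert per source/service is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the MSSQL source trips the rule with five failures in five seconds across four accounts and a success immediately afterwards, while the two RDP failures six hours apart for the same user are not flagged. Tune the window and threshold to the service: a short list of common credentials tried against `sa` and `administrator` will cluster tightly in time, which is exactly what the sliding window is looking for.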

Once on a Windows host, the software drops and runs several well-known tools from the trove of cyberattack tools leaked from the National Security Agency, including the EternalBlue and EternalRomance SMB exploits and the DoublePulsar backdoor, to infect other machines on the internal network. While the vulnerabilities are old, the software has successfully spread in the wild, the report said.

"While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it's utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance," the researchers stated in the advisory.

The researchers discovered two versions of the malware: one that started spreading on May 29, and another that became active on June 11. The developer of the malware refers to it as Satan DDoS, but because other malware families use a similar name, the Palo Alto researchers decided to call the malware "Lucifer."

The second version of the software continues its focus on cryptomining, attempting to install XMRig, an open-source Monero miner. In addition, the developer added rudimentary anti-sandbox functionality to stymie reverse engineers analyzing the code. The newer version adds functions for infecting through four other protocols, the File Transfer Protocol (FTP) for example, and checks whether the system's default language is Chinese.

The malware has not been particularly successful at mining Monero, amassing only 0.49 XMR, about US$32. However, cryptomining has become a big focus of cybercriminals looking for an easy way to monetize compromised systems. In October, for example, some 2,000 Docker hosts were infected by a relatively basic worm that exploited misconfigurations to download and run cryptojacking software as a container. The program, dubbed Graboid by Unit 42, looks for Docker daemons whose API is exposed without authentication and then sends commands to install malicious images from Docker Hub.
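The misconfiguration Graboid depends on is a Docker daemon listening on TCP with no client authentication. The following is an added example, not code from the Graboid or Lucifer reports, of a check a practitioner would run over a host's daemon.json: it shows the weak setting next to the corrected one and flags the weak one. The option names follow Docker's documented daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey); both sample configurations are constructed.

```python
"""Audit a Docker daemon.json for an API exposed over TCP without TLS client auth.

Added example for the exposed-Docker-daemon case; not code from the Graboid or
Lucifer reports. Option names follow Docker's documented daemon.json keys; the
two sample configurations below are constructed.
"""
import json
from urllib.parse import urlsplit

# Constructed: the weak setting, the kind of daemon a Graboid-style worm looks for.
EXPOSED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: the corrected setting, TLS with client-certificate verification.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(config_text):
    """Return a list of findings; empty when no TCP listener is unprotected.

    Rules, in order of severity:
      CRITICAL  tcp:// listener with tlsverify unset: anyone who can reach the
                port can run containers as root on the host.
      HIGH      tlsverify set but tlscacert/tlscert/tlskey not all given: the
                daemon relies on default file paths, so confirm they exist.
      INFO      TLS-protected but bound to all interfaces; fine if intended.
    """
    cfg = json.loads(config_text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        bind = urlsplit(host).hostname or ""
        if not cfg.get("tlsverify"):
            findings.append(
                f"CRITICAL {host}: API reachable over plain TCP, no client authentication"
            )
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(
                f"HIGH {host}: tlsverify set but tlscacert/tlscert/tlskey not all specified"
            )
        elif bind in ("0.0.0.0", "::", ""):
            findings.append(f"INFO {host}: TLS-protected but listening on all interfaces")
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_daemon_config(cfg) or ["no findings"])
```

The same idea applies to the other services this malware goes after: a listener that is reachable from the Internet and accepts either no authentication or a guessable password is the finding, and the scanner only has to enumerate the listeners and ask which of them meet that description.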

Far more pernicious is the malware's ability to use a variety of methods, such as Windows exploits and dictionary attacks, to move laterally inside a network, Hsu says. Many of these are old, but malware authors don't need to use the latest exploits, because they know the old ones should suffice, he says.

"Lucifer is capable of self-propagation and credential brute-forcing, so attackers can have a tremendous impact on their victims once they gain a foothold," Hsu says.

Companies should keep systems up to date, implement strong password policies, and have threat intelligence to adapt to the latest attacks, Hsu says. For the most part, holes in firms' cybersecurity coverage continue to provide opportunity for attackers, even those using older exploits.

"Not all companies have strong cybersecurity awareness," he says. "Doing cybersecurity properly requires non-trivial resource allocation, and cybersecurity isn't always the No. 1 priority for companies."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio