fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

FreakOut Malware Exploits Critical Bugs To Infect Linux Hosts

FreakOut Malware Exploits Critical Bugs To Infect Linux Hosts

An active malicious campaign is currently targeting Linux devices running software with critical vulnerabilities that is powering network-attached storage (NAS) devices or for developing web applications and portals.

The purpose is to infect machines with vulnerable versions of the popular TerraMaster operating system, the Zend Framework (Laminas Project), or Liferay Portal with FreakOut malware, which can help deploy a wide variety of cyberattacks.

Hitting unpatched Linux systems

The common ground for all three software solutions targeted in the ongoing FreakOut campaign is that they all have a large user base and have fixed critical issues recently. However, proof of concept exploit code exists for all of them and is easy to find.

Also Read: Key PDPA Amendments 2019/2020 You Should Know

Zend Framework is a collection of professional PHP packages that touts over 570 million installations. Version 3.0.0, though, is has a critical bug (CVE-2021-3007) that could be exploited to achieve remote code execution.

Liferay Portal is a platform for Java developers to build services, user interfaces, custom applications, or to implement ready-made ones. The open-source Community Edition version before 7.2.1 has critical vulnerability (CVE-2020-7961) that allows remote execution of arbitrary code.

TerraMaster is the operating system powering the NAS devices with the same name. Versions 4.2.06 and below suffer from a remote command execution bug (CVE-2020-28188, also critical severity) that allows complete control of the device.

Creating a botnet

Security researchers at Check Point discovered the FreakOut attacks and say that infected Linux devices join a botnet that could help deploy other cyberattacks. They say that the controller could use the infected machines to mine for cryptocurrency, to spread laterally across a company network, or to aim at other targets while masquerading as the compromised company.

FreakOut malware is new on the scene and can serve for port scanning, collect information, network sniffing, or to launch distributed denial-of-service (DDoS) attacks.

The infection chain starts with exploiting one of the three critical vulnerabilities and continues with uploading a Python script (out.py) on the compromised machine.

The attacker tries to run the script using Python 2, which reached end of life in 2020. Check Point believes that this is an indication of the threat actor assuming that the compromised machine is outdated and still has Python 2 installed.

Check Point discovered the attack on January 8, 2021, when they noticed the malicious script being downloaded from hxxp://gxbrowser[.]net. Since then the researchers observed hundreds of attempts to download the code.

Author leaves calling card in comments

Digging deeper, the researchers found earlier versions of the FreakOut Python script. One variant, which included comments and even the name of the developer – Freak, had been updated on the first day of the year.

The researchers say that comparing the two Python scripts and the comments helped them learn about what it can do, who made it, the IRC-based communication method.

In a technical report today, Check Point provides a large list of the FreakOut malware capabilities along with details about the author and the infected systems.

When analyzing the malware, the researchers discovered the credentials for the IRC channel used to send commands to the infected hosts. They found that the IRC server had been created in late November 2020 and had been running with 300 users and five channels.

The most active channel, #update, showed 186 compromised devices replying to the server.

The search for the malware author started from the Freak name found in the Python script and the IRC bot name “N3Cr0m0rPh.” These clues led to a user named “Fl0urite,” who had advertised an IRC bot on a hacker forum back in 2015.

While there are differences between the current version and the older one from 2015, there are many similar capabilities, say Check Point researchers.

Looking for more clues about the identity of the malware author, the researchers discovered a modified Darkcomet code on Pastebin from January 12, 2021, that lists Fl0urite/Freak as the author.

Also Read: The 5 Benefits Of Outsourcing Data Protection Officer Service

FrakOut botnet is still in the early stages and its current task is to deploy the XMRig cryptocurrency miner on infected hosts. However, Check Point warns that the botnet grew significantly in a short period and highlights that the other capabilities of the malware could be used for more damaging attacks.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us