Skip to content

New FreakOut botnet targets Linux-based systems worldwide

FreakOut is a new botnet observed by specialists from CheckPoint. It targets Linux systems running vulnerable versions of the TerraMaster OS for network-attached storage servers, web apps and services using the Zend Framework, and the Liferay Portal CMS. The largest number of hits was discovered in the USA and, to a lesser extent, European countries such as Germany and The Netherlands. More information can be found below…

New FreakOut botnet targets Linux systems running unpatched software

CheckPoint researchers are warning that there is a novel malware variant which is targeting Linux devices, in order to add them to a botnet.

The FreakOut operator is mass-scanning the internet for vulnerable applications and then utilizing exploits for these vulnerabilities in order to gain control of the underlying Linux system. Its current targets include TerraMaster data storage units, web applications built on top of the Zend PHP Framework, and websites running the Liferay Portal content management system. All three vulnerabilities are fairly recent and there is a high chance that many systems will be still unpatched.

CVE-2020-28188 – RCE in TerraMaster management panel (disclosed on December 24, 2020)
CVE-2021-3007 – deserialization bug in the Zend Framework (disclosed on January 3, 2021)
CVE-2020-7961 – deserialization bug in the Liferay Portal (disclosed on March 20, 2020)

Image: Check Point
FreakOut botnet – it gains access and then what?

Once the FreakOut bot gains access to a system, it’s immediate step is to download and run a Python script that connects the infected devices to a remote IRC channel where the attacker can send commands and orchestrate a varied list of attacks using the enslaved devices. What will be the next step?

  • Gathering info on the infected system;
  • Creating and sending UDP and TCP packets;
  • Executing Telnet brute-force attacks using a list of hardcoded credentials;
  • Running a port scan;
  • Executing an ARP poisoning attack on the device’s local network;
  • Opening a reverse shell on the infected host;
  • Killing local processes; and more.

Check Point argues that these functions can be combined to perform various operations, like launching DDoS attacks, installing cryptocurrency miners, turning infected bots into a proxy network, or launching attacks on the internal network of an infected device.

The newest stats shown in the IRC panel suggest the botnet is only controlling around 180 infected systems. These are low numbers for a botnet but more than enough to launch very capable DDoS attacks, ARP poisoning, hidden crypto-mining, launching brute-force attacks, or something worse.


DNSpooq bugs let attackers hijack DNS on millions of devices

DNSpooq is a collective name for seven Dnsmasq vulnerabilities that can be exploited to launch DNS cache poisoning, remote code execution, and denial-of-service attacks against millions of affected devices. It was discovered by Israeli security consultancy firm JSOF. 

Dnsmasq is a popular and open-source Domain Name System (DNS) forwarding software regularly used that adds DNS caching and Dynamic Host Configuration Protocol (DHCP) server capabilities to Internet-of-Things (IoT) and various other embedded devices.

There is not yet known the full number of companies that use vulnerable versions but a list of customers include Android/Google, Comcast, Cisco, Redhat, Netgear, Qualcomm, Linksys, Netgear, IBM, D-Link, Dell, Huawei, and Ubiquiti.

Three of the DNSpooq vulnerabilities (tracked as CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) allow for both DNS cache poisoning attacks (also known as DNS spoofing). It is an attack method that allows threat actors to replace legitimate DNS records on a device with ones of their choosing. Using this attack, threat actors can redirect users to malicious servers under their control, while to the visitors it appears as if they are visiting the legitimate site.

Image: JSOF

The rest of them are buffer overflow vulnerabilities tracked as CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, and CVE-2020-25681 that could let attackers remotely execute arbitrary code on vulnerable networking equipment when Dnsmasq is configured to use DNSSEC.

Attacks exploiting the DNSpooq security bugs are quite easy to carry out and do not require any unusual techniques or tools. The attack can be completed successfully in seconds or a few minutes, and has no special requirements. 

More than 1 million Dnsmasq servers are currently exposed on the Internet according to Shodan and over 630,000 according to BinaryEdge, with millions of other routers, VPNs, smartphones, tablets, infotainment systems, modems, access points, drones, and similar equipment not accessible over Internet also vulnerable to attacks.

To fully mitigate attacks attempting to exploit DNSpooq flaws, JSOF advises updating the Dnsmasq software to the latest version (2.83 or later).


Hackers accidentally exposed stolen credentials to the public internet

Hackers behind a massive phishing campaign forgot to protect their loot and as a result they allowed users to google the stolen data.

The phishing campaign has been running for more than half a year and uses dozens of domains that host the phishing pages. It receives regular updates to make the fraudulent Microsoft Office 365 login requests look more realistic. Despite its simplicity attackers collected at least 1,000 login credentials for corporate Office 365 accounts.

The attackers exfiltrated the information to domains they had registered specifically for the task. Their mistake was that they put the data in a publicly visible file that Google indexed. As a result, Google could show results for queries of a stolen email address or password.

Phishing – why is it so effective?

The attackers used several phishing email themes to lure potential victims into loading the landing page that collected their Microsoft Office 365 username and password. The malicious emails had the target’s first name or company title in the subject line and purported to deliver a Xerox scan notification in HTML format.

Opening the attachment loaded in the default web browser a blurred image overlaid by a fake Microsoft Office 365 login form. The username field is already populated with the victim’s email address, which typically removes suspicion of login theft.

A JavaScript code running in the background checks the validity of the credentials, sends them to the attacker’s drop-zone server, and redirects the victim to the legitimate Office 365 login page as a distraction.

Who got the biggest hit? 

Processing information from about 500 entries, the researchers could determine that companies in the construction, energy, and IT sectors were the most prevalent targets of these phishing attacks.


Malwarebytes hacked by the same group who breached SolarWinds

Last week, US cyber-security firm Malwarebytes said it was hacked by the same group which breached IT software company SolarWinds last year – known as UNC2452 or Dark Halo. The attack was not related to the SolarWinds supply chain incident since the company doesn’t use any of its software. 

Instead, the security firm said the hackers breached its internal systems by exploiting a dormant email protection product within its Office 365 tenant. Malwarebytes said the threat actor added a self-signed certificate with credentials to the principal service account, subsequently using it to make API calls to request emails via Microsoft Graph.

Malwarebytes said it learned of the intrusion from the Microsoft Security Response Center (MSRC) on December 15, which detected suspicious activity coming from the dormant Office 365 security app.

Marcin Kleczyński, Malwarebytes co-founder and CEO said the attacker only gained access to a limited subset of internal company emails. He said they also performed a very thorough audit of all its products and their source code, searching for any signs of a similar compromise or past supply chain attack.

Result? The internal systems showed no evidence of unauthorized access or compromise in any on-premises and production environments. Thus company software was not affected and remains safe to use. 


About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Xopero
Xopero began in 2009, founded as a company serving primarily SMB users. Our goal was to create more accessible and affordable secure data protection solution for any businesses. In 2015, Xopero started cooperation with QNAP Inc. – one of the key global NAS providers. This addition expanded our portfolio to include a true backup appliance, In 2017, Xopero fully extended into global market thanks to cooperation with ESET. Our company took the place previously occupied by StorageCraft in the ESET Technological Alliance.