Live Cyber Attack Campaign Targets Linux Systems. Users Urged to Patch Now
January 2021 by Check Point
Check Point Research has spotted an ongoing attack campaign exploiting recently-discovered vulnerabilities in Linux systems to create a botnet, a collection of machines infected with malware that can be controlled remotely. The attacks involve a new malware variant called “FreakOut”, capable of conducting port scanning, information gathering, network sniffing, DDoS and flooding. If successfully exploited, each infected device can be used as an attack platform to launch further cyber attacks, such as using system resources for crypto-mining, spreading laterally across a company network, or launching attacks on outside targets while masquerading as a compromised company.
• 185 victims infected with new malware variant
• 27% of attack attempts were seen in the US alone. Other attack attempts were seen in UK, Italy, Netherlands and Germany.
• Top industries targeted are Finance and Government, including military.
The attacks are aimed at Linux devices that run one of the following:
• TerraMaster TOS (TerraMaster Operating System), a well-known vendor of data storage devices
• Zend Framework, a popular collection of library packages, used for building web applications
• Liferay Portal, a free, open-source enterprise portal, with features for developing web portals and websites
The attack exploits the following CVEs:
• CVE-2020-28188 – released 28/12/20 – TerraMaster TOS
• CVE-2021-3007 – released 03/01/21 – Zend Framework
• CVE-2020-7961 – released 20/03/20 – Liferay Portal
So far, Check Point researchers have been able to track 185 victims infected with the malware. In addition, Check Point has seen, and prevented, over 380 further attack attempts, distributed as follows: more than 27% of the attack attempts were seen in the US alone, with the remainder seen in the UK, Italy, the Netherlands and Germany. The top industries targeted were Finance and Government, including military.
The threat actor behind the attacks is a long-time cybercrime hacker using several nicknames, such as Fl0urite and Freak. Check Point researchers have yet to pinpoint the attacker’s exact identity.
1. The attacker begins by installing malware via the exploitation of three vulnerabilities: CVE-2020-28188, CVE-2021-3007 and CVE-2020-7961.
2. The attacker then uploads and executes a Python script on the compromised devices.
3. Next, the attacker installs XMRig, a known coinminer.
4. From there, the attacker conducts lateral movement in the network by exploiting the same CVEs.
Check Point researchers urge users of TerraMaster TOS, Zend Framework or Liferay Portal to patch the vulnerable frameworks. In addition, the researchers recommend deploying both network cyber security solutions, such as IPS, and endpoint cyber security solutions, in order to prevent such attacks.
Head of Network Cyber Security Research at Check Point, Adi Ikan, said: “What we have identified is a live and ongoing cyber attack campaign targeting specific Linux users. The attacker behind this campaign is very experienced in cybercrime and highly dangerous. The fact that some of the vulnerabilities exploited were just published highlights the significance of securing your network on an ongoing basis with the latest patches and updates. Responsiveness and urgency are very relevant when it comes to securing your organization. I strongly urge all relevant users to patch the vulnerable frameworks TerraMaster TOS, Zend Framework, and Liferay Portal.”