Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/21/2021
06:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

DreamBus, FreakOut Botnets Pose New Threat to Linux Systems

Researchers from Zscaler and Check Point describe botnets as designed for DDoS attacks, cryptocurrency mining, and other malicious purposes.

Two dangerous new botnets have emerged in recent days targeting Linux-based systems worldwide.

One of them, dubbed "DreamBus," is malware with worm-like behavior that is capable of propagating itself both across the Internet and laterally through compromised internal networks using a variety of techniques.

Related Content:

APT Groups Set Sights on Linux Targets: Inside the Trend

Special Report: Understanding Your Cyber Attackers

New From The Edge: Hacker Pig Latin: A Base64 Primer for Security Analysts

Researchers at Zscaler who recently analyzed the threat described DreamBus as a modular piece of malware targeting Linux applications running on hardware systems with powerful CPUs and large amounts of memory.

The DreamBus botnet that has been assembled from systems the malware has compromised is currently being used to deploy the XMRig CPU miner to mine Monero cryptocurrency. But the same malware can be easily repurposed to deliver other more dangerous payloads, such as ransomware and malware, for stealing and holding data at ransom, says Brett Stone-Gross, director of threat intelligence at Zscaler.

"DreamBus can deploy arbitrary modules and execute arbitrary commands on a remote system," he says. "Given the prevalence of the software applications that are targeted and the aggressive worm-like spreading techniques, the number [of compromised systems is] likely in the tens of thousands."

In its advisory, Zscaler described DreamBus as having a variety of modules for self-propagation across the Interent and corprorate networks.

The malware can spread among systems that are not exposed to the Internet by scanning non-public RFC 1918 IP address space for vulnerable Linux systems. Among the many modules the malware uses for propagation are those that exploit implict trust and weak passwords and that enable unauthenticated remote code execution on applications such as Secure Shell (SSH), cloud-based apps and databases, and administration tools. Some of the malware's application-specific exploits include those targeting Apache Spark, SaltStack, Hadoop YARN, and HashiCorp Consul.

DreamBus' main component is a binary in Executable and Linkable Format (ELF) that can spread over SSH or is downloaded over HTTP. The botnet's command-and-control infrastructure is hosted on the TOR network and on anonymous file-sharing services that leverage the HTTP protocol, according to Zscaler. Available telemetry suggests the botnet operators are based in Russia or an East European country, Zscaler said.

"There is no single initial attack vector since each component is capable of compromising a system," Stone-Gross says. Most of the vulnerabilities that are exploited are either weak passwords or an application vulnerability where authentication is either not required — implicit trust — or can easily be bypassed such as SaltStack.

One key feature of DreamBus is that it can spread laterally in an internal network that is not publicly accessible, Stone-Gross says.  

"Systems behind a corporate firewall are often not as well protected because individuals may incorrectly assume that only other employees have access to the network," he says.

FreakOut Botnet
Meanwhile, Check Point earlier this week said it had observed a botnet, which it dubbed "FreakOut," targeting systems running vulnerable versions of the TerraMaster operating system for network attached storage servers, web apps and services using the Zend Framework, and the Liferay Portal CMS.

The malware is designed to exploit a newly disclosed vulnerablity in each of the three technologies: a command injection flaw in TerraMaster TOS (CVE-2020-28188), an insecure deserialization bug in Liferay Portal (CVE-2020-7961), and a remote code execution flaw in the Zend Framework (CVE-2021-3007).

Machines that the malware has compromised have been assembled into a botnet that is being used in distributed denial-of-service (DDoS_ attacks and for cryptomining purposes, Check Point said.

Adi Ikan, a security researcher at Check Point, says the company has direct evidence of more than 185 infected servers that are currently part of the FreakOut botnet. Check Point researchers have also observed hundreds of other additional attack attempts, most of which have been in the US and, to a lesser extent, European countries such as Germany and The Netherlands.

"Based on our sensors, there are more than 9,000 servers that are vulnerable to those vulnerabilities and are also exposed to the Internet," Ikan says. The fact that the attacker is targeting very new vulnerabilities in each of three Linux technologies is significant because it highlights the importance of addressing security issues quickly.

"The malware associated with this campaign is well-equipped with its capabilities [and is designed] to conduct various malicious activities," Ikan says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20733
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
CVE-2021-20734
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
CVE-2021-20735
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
CVE-2021-20736
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
CVE-2021-20737
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.