

New FreakOut Campaign Using Old IRC Botnet to Mine Cryptocurrency

Check Point Research has recently discovered a campaign they are calling “FreakOut” that targets unpatched vulnerabilities in Linux servers. The campaign currently makes use of three known vulnerabilities:

  • Remote code execution in Zend Framework 3.0.0 (CVE-2021-3007)
  • Remote code execution in Liferay Portal before 7.2.1 CE GA2 (CVE-2020-7961)
  • Remote command execution in TerraMaster TOS up to version 4.2.06 (CVE-2020-28188)

If any of these vulnerabilities is present on a Linux server and successfully exploited, an obfuscated Python 2 script is installed. Researchers discovered that the threat actors behind the campaign use a botnet that they call “N3Cr0m0rPh” to communicate with infected systems via Internet Relay Chat (IRC). Although the vulnerabilities are recent, N3Cr0m0rPh appears to have origins as far back as 2015. The bot was created by a threat actor going by the name “Freak”, who posted the bot for sale under the name “Fl0urite” on HackForums. A variation of the bot found by Check Point has been updated as recently as January 1st this year. N3Cr0m0rPh has many features common to botnets, including:

  • Port scanning
  • Creating host victim fingerprints
  • Brute force over Telnet
  • Network sniffing
  • Spread via exploits (listed above)
  • Persistence
  • DDoS (Slowloris)
  • Reverse shell
  • Process termination
  • Cryptocurrency mining

Analyst Notes

Developers of the Zend Framework dispute that the vulnerability lies within the framework and insist that it must be introduced through the application. Despite this, a patch has been released in the Laminas project. Developers utilizing Zend Framework are highly encouraged to migrate from the deprecated framework to its successor, Laminas. A 2019 security advisory for Liferay Portal suggests that organizations should update to version 7.2.1 or later to remediate CVE-2020-7961. Binary Defense recommends opting for the current 7.3.2 release. Organizations deploying TerraMaster TOS NAS devices should update to version 4.2.07, which addresses several vulnerabilities including CVE-2020-28188. Python 2 has reached its end-of-life and should be replaced with Python 3 or limited in use to known legacy scripts that have been validated.
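To apply the version guidance above across an asset inventory, the following added example (not code from Check Point or Binary Defense) flags hosts that fall in the affected ranges named in this brief. The `host, product, version` line format, the product slugs, and the host names are assumptions made for illustration; build suffixes such as "CE GA2" are ignored and only the dotted number is compared.

```python
import re

# Affected ranges and fixes as stated in the brief above.
# Product slugs are hypothetical inventory names, not vendor identifiers.
RULES = {
    "zend-framework": ("eq", (3, 0, 0), "CVE-2021-3007", "migrate to Laminas"),
    "liferay-portal": ("lt", (7, 2, 1), "CVE-2020-7961",
                       "update to 7.2.1 or later (7.3.2 recommended)"),
    "terramaster-tos": ("le", (4, 2, 6), "CVE-2020-28188", "update to 4.2.07"),
}

def parse_version(text):
    """Extract the first dotted number: '7.2.1 CE GA2' -> (7, 2, 1)."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    parts = [int(p) for p in m.group().split(".")]  # '06' -> 6
    return tuple(parts + [0] * (3 - len(parts)))    # pad '7.2' to (7, 2, 0)

def triage(inventory_lines):
    """Return (host, cve, action) for every host needing attention."""
    findings = []
    for line in inventory_lines:
        host, product, version_text = (f.strip() for f in line.split(",", 2))
        rule = RULES.get(product.lower())
        if rule is None:
            continue  # product is not covered by this brief
        op, bound, cve, fix = rule
        try:
            v = parse_version(version_text)
        except ValueError:
            # An unreadable version is not treated as safe: surface it.
            findings.append((host, cve, "version unknown: verify manually"))
            continue
        if {"eq": v == bound, "lt": v < bound, "le": v <= bound}[op]:
            findings.append((host, cve, fix))
    return findings

# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    "web01, zend-framework, 3.0.0",
    "portal01, liferay-portal, 7.2.0 CE GA1",
    "portal02, liferay-portal, 7.3.2 CE GA3",
    "nas01, terramaster-tos, TOS 4.2.06",
    "nas02, terramaster-tos, 4.2.07",
    "nas03, terramaster-tos, unknown",
]

if __name__ == "__main__":
    for host, cve, action in triage(INVENTORY):
        print(f"{host}: {cve} -> {action}")
```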