Threat Intel Flash: Sisense Data Compromise: ARC Labs Intelligence Flash

Get the Latest
Binary Defense Full Color Logo Dark Markless Binary Defense Full Color Logo Dark Markless Binary Defense Full Color Logo Light Markless Binary Defense Full Color Logo Light Markless

Search

Binary Defense Full Color Logo Dark Markless Binary Defense Full Color Logo Dark Markless Binary Defense Full Color Logo Light Markless Binary Defense Full Color Logo Light Markless

New FreakOut Campaign Using Old IRC Botnet to Mine Cryptocurrency

Last Modified: Wednesday April 19, 2023

By

Check Point Research has recently discovered a campaign they are calling “FreakOut” that targets unpatched vulnerabilities in Linux servers. The campaign currently makes use of three known vulnerabilities:

  • Remote code execution in Zend Framework 3.0.0 (CVE-2021-3007)
  • Remote code execution in Liferay Portal before 7.2.1 CE GA2 (CVE-2020-7961)
  • Remote command execution in TerraMaster TOS up to version 4.2.06 (CVE-2020-28188)

If any of these vulnerabilities are found on a Linux server and successfully exploited, an obfuscated Python 2 script is installed. Researchers discovered that the threat actors behind the campaign use a botnet that they call “N3Cr0m0rPh” to communicate with infected systems via Internet Relay Chat (IRC). Although the vulnerabilities are recent, the N3Cr0m0rPh appears to have origins as far back as 2015. The bot was created by a threat actor going by the name “Freak” who posted the bot for sale under the name “Fl0urite” on HackForums. A variation of the bot found by Check Point has been updated as recently as January 1st this year. N3Cr0m0rPh has many features common to botnets, including:

  • Port scanning
  • Creating host victim fingerprints
  • Brute force over Telnet
  • Network sniffing
  • Spread via exploits (listed above)
  • Persistence
  • DDoS (Slowloris)
  • Reverse shell
  • Process termination
  • Cryptocurrency mining

Analyst Notes

Developers of the Zend Framework dispute the vulnerability lies within the framework and insists that it must be introduced through the application. Despite this, a patch has been released in the Laminas project. Developers utilizing Zend Framework are highly encouraged to migrate from the deprecated framework to its successor, Laminas. A 2019 security advisory for Liferay Portal suggests that organizations should update to version 7.2.1 or later to remediate CVE-2020-7961. Binary Defense recommends opting for the current 7.3.2 release. Organizations deploying TarraMaster TOS NAS devices should update to version 4.2.07 which addresses several vulnerabilities including CVE-2020-28188. Python 2 has reached its end-of-life and should be replaced with Python 3 or limited in use to known legacy scripts that have been validated.

Source: https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/

You May Also Like

Threat

Apr. 11, 2023

Yum Brands Reports Breach After Ransomware Attack

Yum Brands, the parent company of popular fast-food chains KFC, Pizza Hut, and Taco Bell, has disclosed a data breach after a ransomware attack…

Read More

Threat

Apr. 11, 2023

Apple Releases Emergency Updates For Older iOS Devices After Recent Discovery Of Zero-Day Vulnerabilities

Read More

Threat

Apr. 10, 2023

Various Industries in Israel Dealing with Cyber Issues

Read More