SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Check Point uncovers live Linux attack, urges users to take action
Wed, 20th Jan 2021

A live cyber attack campaign is currently targeting Linux systems, with users urged to patch now, according to Check Point Research.

The researchers have spotted an ongoing attack campaign exploiting recently discovered vulnerabilities in Linux systems to create a botnet, a collection of machines infected with malware that can be controlled remotely.

The attacks involve a new malware variant called 'FreakOut', capable of conducting port scanning, information gathering, network sniffing, DDoS and flooding.

If successfully exploited, each infected device can be used as an attack platform to launch further cyber attacks, such as using system resources for crypto-mining, spreading laterally across a company network, or launching attacks on outside targets while masquerading as a compromised company.

The attacks are aimed at Linux devices that run one of the following:

  • TerraMaster TOS (TerraMaster Operating System), the operating system from TerraMaster, a well-known vendor of data storage devices
  • Zend Framework, a popular collection of library packages, used for building web applications
  • Liferay Portal, a free, open source enterprise portal, with features for developing web portals and websites

The attack exploits the following CVEs:

  • CVE-2020-28188, released 28/12/20, TerraMaster TOS
  • CVE-2021-3007, released 3/1/21, Zend Framework
  • CVE-2020-7961, released 20/03/20, Liferay Portal

So far, Check Point researchers have been able to track 185 victims infected with the malware. In addition, they have seen over 380 additional attacks, which were prevented by Check Point.

The top industries targeted were finance and government, including military.

The threat actor behind the attacks is a long-time cybercrime hacker using several nicknames, such as Fl0urite and Freak.

Check Point researchers have yet to pinpoint the attacker's exact identity.

According to the researchers, the infection chain is as follows:

  • The attacker begins by installing malware via the exploitation of three vulnerabilities: CVE-2020-28188, CVE-2021-3007 and CVE-2020-7961.
  • Then, the attacker uploads and executes a Python script on the compromised devices.
  • Now, the attacker installs XMRig, a known coinminer.
  • From there, the attacker conducts lateral movement in the network through exploitation of the CVEs.

Check Point researchers urge users to patch the vulnerable frameworks TerraMaster TOS, Zend Framework and Liferay Portal if they use any of them.

In addition, the researchers recommend the implementation of both network cyber security solutions, such as IPS, and endpoint cyber security solutions, in order to prevent such attacks.

Check Point head of network cyber security research Adi Ikan says, "What we have identified is a live and ongoing cyber attack campaign targeting specific Linux users.

"The attacker behind this campaign is very experienced in cybercrime and highly dangerous. The fact that some of the vulnerabilities exploited were just published highlights the significance of securing your network on an ongoing basis with the latest patches and updates.

"Responsiveness and urgency are very relevant when it comes to securing your organization. I strongly urge all relevant users to patch the vulnerable frameworks TerraMaster TOS, Zend Framework, and Liferay Portal."