Finance, government and healthcare organizations in North America and Western Europe were the sectors most targeted.
Linux users are now being targeted by new malware variants that exploit multiple vulnerabilities.
The goal behind these attacks is to create an IRC botnet—a collection of machines infected with malware that can be controlled remotely. The botnet can then be used for malicious activities such as DDoS attacks or crypto-mining on infected machines.
Devices that run one of the following products and have not been patched against recent vulnerabilities are the targets of this variant, called FreakOut:
- TerraMaster TOS (TerraMaster Operating System), a well-known vendor of data storage devices
- Zend Framework, a popular collection of library packages, used for building web applications
- Liferay Portal, a free, open-source enterprise portal, with features for developing web portals and websites
Once compromised, each infected device can be used by the threat actors as a remote-controlled attack platform, enabling them to target other vulnerable devices and expand their network of infected machines.
Targeting three vulnerabilities
FreakOut malware is an attack campaign that exploits three vulnerabilities to compromise different servers. The threat actor behind the attack, named “Freak”, managed to infect many devices in a short period of time, and incorporated them into a botnet, which in turn could be used for DDoS attacks and crypto-mining.
The FreakOut malware’s capabilities include port scanning, information gathering, creation and sending of data packets, network sniffing, and the capability to launch DDoS and network flooding attacks.
The attack exploits the following CVEs:
- CVE-2020-28188 – released 28/12/20 – TerraMaster TOS
- CVE-2021-3007 – released 3/1/21 – Zend Framework
- CVE-2020-7961 – released 20/03/20 – Liferay Portal
Patches are available for all of the affected products. Check Point, the firm that disclosed the FreakOut findings, advises users of these products to urgently check any such devices they are running, and to update and patch them to close off these vulnerabilities.
Around 185 devices hacked
Check Point’s research found evidence from the attack campaign’s main command and control server that around 185 devices had been hacked. Between 8 Jan and 13 Jan 2021, over 380 attack attempts against Check Point customers had been logged, and all of them were blocked.
According to the firm’s global network of threat sensors, the geographies that were most targeted were North America and Western Europe, with finance, government and healthcare organizations as the sectors most targeted.
Such attack campaigns highlight the importance of checking and protecting assets on an ongoing basis via intrusion prevention systems and endpoint protection.