
Check Point uncovers live Linux attack, urges users to take action

A live cyber attack campaign is currently targeting Linux systems, with users urged to patch now, according to Check Point Research.

The researchers have spotted an ongoing attack campaign exploiting recently-discovered vulnerabilities in Linux systems to create a botnet, a collection of machines infected with malware that can be controlled remotely.

The attacks involve a new malware variant called 'FreakOut', capable of conducting port scanning, information gathering, network sniffing, DDoS and flooding.

If successfully exploited, each infected device can be used as an attack platform to launch further cyber attacks, such as using system resources for crypto-mining, spreading laterally across a company network, or launching attacks on outside targets while masquerading as a compromised company.

The attacks are aimed at Linux devices that run one of the following:

  • TerraMaster TOS (TerraMaster Operating System), the operating system of TerraMaster, a well-known vendor of data storage devices
  • Zend Framework, a popular collection of library packages used for building web applications
  • Liferay Portal, a free, open-source enterprise portal with features for developing web portals and websites

The attack exploits the following CVEs:

  • CVE-2020-28188, released 28/12/20, TerraMaster TOS
  • CVE-2021-3007, released 3/1/21, Zend Framework
  • CVE-2020-7961, released 20/03/20, Liferay Portal

So far, Check Point researchers have been able to track 185 victims infected with the malware. In addition, Check Point has seen and prevented over 380 additional attacks.

The top industries targeted were finance and government, including military.

The threat actor behind the attacks is a long-time cybercriminal who uses several nicknames, such as Fl0urite and Freak.

Check Point researchers have yet to pinpoint the attacker’s exact identity.

According to the researchers, the infection chain is as follows:

  • The attacker begins by installing malware through exploitation of the three vulnerabilities: CVE-2020-28188, CVE-2021-3007 and CVE-2020-7961.
  • The attacker then uploads and executes a Python script on the compromised devices.
  • Next, the attacker installs XMRig, a known cryptocurrency miner.
  • From there, the attacker moves laterally across the network by exploiting the same CVEs.
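
The chain above has a shape a defender can look for on a host even without the exploit details: a web-application process (the PHP stack behind TerraMaster TOS and Zend Framework, or the Java process running Liferay Portal) spawning a Python interpreter, followed shortly by an XMRig process. The script below is an added example written for this article, not code from Check Point or from the report; the process-event format, the process names used to recognise each stack, and all sample events are constructed assumptions, and a real deployment would feed it from auditd, eBPF or EDR process-creation telemetry.

```python
"""Correlate process-creation events to flag the FreakOut-style chain described in
the article: web-app process -> Python interpreter -> XMRig miner on the same host.
Added example; event format and sample data are constructed, not taken from the report."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed process names for the stacks the article names as the foothold:
# PHP (TerraMaster TOS, Zend Framework) and Java (Liferay Portal).
WEB_PARENTS = {"php-fpm", "php", "apache2", "httpd", "nginx", "java"}
INTERPRETERS = {"python", "python2", "python3"}
MINER_NAMES = {"xmrig"}  # the coinminer the article says is installed


@dataclass
class ProcEvent:
    ts: int        # seconds since epoch (constructed)
    host: str
    pid: int
    ppid: int
    name: str      # executable basename
    cmdline: str


def parse_events(text: str) -> List[ProcEvent]:
    """Parse constructed 'ts|host|pid|ppid|name|cmdline' lines; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, ppid, name, cmdline = line.split("|", 5)
        events.append(ProcEvent(int(ts), host, int(pid), int(ppid), name, cmdline))
    return events


def is_miner(e: ProcEvent) -> bool:
    """True if the process name or command line points at a known miner binary."""
    low = e.cmdline.lower()
    return e.name in MINER_NAMES or any(m in low for m in MINER_NAMES)


def find_chain(events: List[ProcEvent], window: int = 3600) -> List[Dict]:
    """Return one alert per interpreter spawned by a web-app process; the alert is
    escalated if a miner starts on the same host within `window` seconds after it."""
    by_pid = {(e.host, e.pid): e for e in events}
    alerts: List[Dict] = []
    for e in events:
        if e.name not in INTERPRETERS:
            continue
        parent: Optional[ProcEvent] = by_pid.get((e.host, e.ppid))
        if parent is None or parent.name not in WEB_PARENTS:
            continue  # interpreter started by cron, a shell, etc.: not this pattern
        alert = {"host": e.host, "stage": "web_spawned_interpreter",
                 "parent": parent.name, "cmdline": e.cmdline, "miner": None}
        for m in events:
            if m.host == e.host and is_miner(m) and 0 <= m.ts - e.ts <= window:
                alert["stage"] = "miner_after_web_exploit"
                alert["miner"] = m.cmdline
                break
        alerts.append(alert)
    return alerts


# Constructed sample telemetry: nas-01 shows the full chain, web-02 shows benign
# activity (a shell from the Java process, and a Python job started by init).
SAMPLE_EVENTS = """\
1610000000|nas-01|410|1|php-fpm|php-fpm: pool www
1610000100|nas-01|5120|410|python3|python3 /tmp/out.py
1610000400|nas-01|5230|5120|xmrig|/tmp/xmrig -o pool.example.invalid:3333
1610000000|web-02|300|1|java|java -jar liferay.jar
1610000050|web-02|3100|300|sh|sh -c ls
1610000060|web-02|3200|1|python3|python3 /usr/bin/backup.py
"""

if __name__ == "__main__":
    for a in find_chain(parse_events(SAMPLE_EVENTS)):
        print(f"{a['host']}: {a['stage']} (parent={a['parent']}, miner={a['miner']})")
```

The correlation is deliberately host-local and time-bounded: a web process spawning an interpreter is worth a medium-severity alert on its own, and the same host starting a miner within the window is what turns it into a high-confidence match for the chain in the article.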

Check Point researchers urge anyone running TerraMaster TOS, Zend Framework or Liferay Portal to patch those vulnerable frameworks.

In addition, the researchers recommend implementing both network security solutions, such as an IPS, and endpoint security solutions in order to prevent such attacks.

Check Point head of network cyber security research Adi Ikan says, "What we have identified is a live and ongoing cyber attack campaign targeting specific Linux users.

"The attacker behind this campaign is very experienced in cybercrime and highly dangerous. The fact that some of the vulnerabilities exploited were just published highlights the significance of securing your network on an ongoing basis with the latest patches and updates.

"Responsiveness and urgency are very relevant when it comes to securing your organization. I strongly urge all relevant users to patch the vulnerable frameworks TerraMaster TOS, Zend Framework, and Liferay Portal."
