9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Over the last few days, Imperva researchers have monitored the emergence of a new botnet, one whose primary activity is performing different DDoS attacks and mining cryptocurrency. It also acts as a worm trying to extend its reach by scanning specific subnets and ports and using different remote code execution (CVE) vulnerabilities in an effort to infect them.
This particular botnet attack is unique given its rapid exploitation of the latest web vulnerabilities as a way to extend its reach and size.
The first recorded attack attempt took place on January 8. Since then, we’ve seen hundreds of attacks from many different IPs.
The captured attacks seem to take advantage of some of the most recently published RCE vulnerabilities. For example:
A deserialization vulnerability in Zend Framework (known as CVE-2021-3007) that was published only 4 days before the first incident!
A TerraMaster unauthenticated command-execution vulnerability (known as CVE-2020-35665)
The deserialization of Untrusted Data in Liferay Portal (known as CVE-2020-7961)
One of the attack vectors that has been captured is the TerraMaster unauthenticated command-execution vulnerability (CVE-2020-35665), first published in late December 2020. We've monitored exploits attempts since it was published, expecting to see an increase in the amount of attack attempts of this kind weeks after discovery. But, we noticed the numbers have grown significantly as of January 8, even more than expected.
In this case, the tool tries to access a specific URL using the "Event" parameter. The vulnerability allows the attacker to pipe a bash command that downloads and runs a Python malware from hXXp://gxbrowser[.]net[/]out[.]py.
The malware itself is highly obfuscated and contains, as mentioned, different kinds of capabilities: scanning, botnet attacks, C&C communication and spreading to new targets.
First, we can see that this tool has scanning ability in ports 80, 443, 8443 and 8080:
In addition, the tool uses various User-Agent for the scanning and generating HTTP requests.
In addition, we can see the C&C IRC-based communication with the server (gxbrowser.net:6667).
All of the C&C commands are listed below. They contain different commands to perform reconnaissance, different types of network floods, network amplification, shell/reverse shell, stop/start process and connection commands.
When you look closely at the code, you can see indications of various flood attack capabilities such as UDPflood, SYNflood, TCPflood, HTTPflood and Slowloris.
You can see this illustrated in the code below:
Besides the flood capabilities, the malware also has crypto-miner capabilities. As shown in the figure below, the malware exploits the new Zend Framework vulnerability (CVE-2021-3007) to run XMRig, a crypto-mining tool that uses the attacked machine resources to mine digital currency.
The malware also tries to get a persistent foothold by adding the Python script inside with boot.py to the rc.local file, so it can run after reboot.
Imperva Research Labs has discovered more than 100 attack attempts on our customers. However, we believe the attack surface for this particular threat is much bigger than we’d usually see. Rough estimation based on public facing servers shows more than 10,000 potential victims.
This is a very interesting and unique case of a complex botnet attack that quickly exploits the latest published vulnerabilities. It requires us, as part of the security community, to act faster than ever before.
Imperva Web Application Firewall (WAF) customers were protected from this attack due to our RCE detection rules, although the attack vector is new and exploits the latest vulnerabilities.
The post Python Cryptominer Botnet Quickly Adopts Latest Vulnerabilities appeared first on Blog.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C