9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers.
Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called βGitpaste-12,β which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL.
The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020.
Now according to Juniper, the second wave of attacks began on November 10 using payloads from a different GitHub repository, which, among others, contains a Linux crypto-miner (βlsβ), a file with a list of passwords for brute-force attempts (βpassβ), and a local privilege escalation exploit for x86_64 Linux systems.
The initial infection happens via X10-unix, a binary written in Go programming language, that proceeds to download the next-stage payloads from GitHub.
βThe worm conducts a wide-ranging series of attacks targeting web applications, IP cameras, routers and more, comprising at least 31 known vulnerabilities β seven of which were also seen in the previous Gitpaste-12 sample β as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors,β Juniper researcher Asher Langton noted in a Monday analysis.
Included in the list of 31 vulnerabilities are remote code flaws in F5 BIG-IP Traffic Management User Interface (CVE-2020-5902), Pi-hole Web (CVE-2020-8816), Tenda AC15 AC1900 (CVE-2020-10987), and vBulletin (CVE-2020-17496), and an SQL injection bug in FUEL CMS (CVE-2020-17463), all of which came to light this year.
Itβs worth noting that Ttint, a new variant of the Mirai botnet, was observed in October using two Tenda router zero-day vulnerabilities, including CVE-2020-10987, to spread a Remote Access Trojan (RAT) capable of carrying out denial-of-service attacks, execute malicious commands, and implement a reverse shell for remote access.
Aside from installing X10-unix and the Monero crypto mining software on the machine, the malware also opens a backdoor listening on ports 30004 and 30006, uploads the victimβs external IP address to a private Pastebin paste, and attempts to connect to Android Debug Bridge connections on port 5555.
On a successful connection, it proceeds to download an Android APK file (βweixin.apkβ) that eventually installs an ARM CPU version of X10-unix.
In all, at least 100 distinct hosts have been spotted propagating the infection, per Juniper estimates.
The complete set of malicious binaries and other relevant Indicators of Compromise (IoCs) associated with the campaign can be accessed here.
Found this article interesting? Follow THN on Facebook, Twitter ο and LinkedIn to read more exclusive content we post.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C