Linux users should patch now to block new “FreakOut” malware which exploits new vulnerabilities
Recently, Check Point Research (CPR) encountered several attacks that are exploiting multiple vulnerabilities, including some recently discovered flaws. These ongoing attacks involve a new malware variant, called ‘FreakOut.’ The goal behind these attacks is to create an IRC botnet (a collection of machines infected with malware that can be controlled remotely), which can then be used for malicious activities, such as launching DDoS attacks on other organizations’ networks, or for crypto-mining activity on infected machines, which can potentially shut down entire systems infected.
The attacks are aimed at Linux devices that run one of the following products, which all have relatively new vulnerabilities that are exploited by the FreakOut malware if the products have not being patched:
- TerraMaster TOS (TerraMaster Operating System), a well-known vendor of data storage devices
- Zend Framework, a popular collection of library packages, used for building web applications
- Liferay Portal, a free, open-source enterprise portal, with features for developing web portals and websites
If successfully exploited, each device infected by the FreakOut malware can be used as a remote-controlled attack platform by the threat actors behind the attack, enabling them to target other vulnerable devices to expand their network of infected machines. The FreakOut malware’s capabilities include port scanning, information gathering, creation and sending of data packets, network sniffing, and the capability to launch DDoS and network flooding attacks.
The attack exploits the following CVE’s :
- CVE-2020-28188 – released 28/12/20 – TerraMaster TOS
- CVE-2021-3007 – released 3/1/21 – Zend Framework
- CVE-2020-7961 – released 20/03/20 – Liferay Portal
Patches are available for all products impacted in these CVEs, and users of these products are advised to urgently check any of these devices they are using and to update and patch them to close off these vulnerabilities.
FreakOut’s Impact
Based on our code review, the attacker can use systems compromised by FreakOut for further malicious activity, such as crypto-mining, spreading laterally across corporate networks, or launching DDoS attacks on other organizations’ networks, which can shut down the entire systems infected.
Our research found evidence from the attack campaign’s main C&C server that around 185 devices had been hacked.
Between January 8th – 13th we have seen over 380 attack attempts against Check Point customers, and all of them were blocked by Check Point solutions. According to our global network of threat sensors, the geographies that were most targeted were North America and Western Europe.
| Countries | Percentages |
| US | 27.01% |
| IT | 6.61% |
| GB | 5.46% |
| NL | 5.17% |
| CN | 4.89% |
| BR | 3.74% |
| DE | 3.45% |
| ES | 3.45% |
| RU | 3.45% |
| SG | 3.16% |
The industry sectors´ most targeted were finance, government and healthcare organizations.
| Industry | Percentage |
| Finance/Banking | 26.47% |
| Government/Military | 23.53% |
| Healthcare | 19.33% |
| Retail/Wholesale | 8.82% |
| Insurance/Legal | 5.04% |
| Education/Research | 3.36% |
| Manufacturing | 2.52% |
| Transportation | 2.52% |
Protections
Check Point customers are protected from this attack by these protections:
IPS
- TerraMaster TOS Command Injection (CVE-2020-28188).
- Liferay Portal Insecure Deserialization (CVE-2020-7961).
- Zend Framework Remote Code Execution (CVE-2021-3007).
- CMD Injection Over HTTP
Anti-Bot
- Win32.IRC.G
- TC.a
- Win32.N3Cr0m0rPh.TC.a
- Win32.N3Cr0m0rPh.TC.b
- Win32.N3Cr0m0rPh.TC.c
- Win32.N3Cr0m0rPh.TC.d
For TerraMaster, the fixes will be implemented in version 4.2.07
Liferay Portal users should upgrade to Liferay Portal 7.2 CE GA2 (7.2.1) or later.
The maintainer no longer supports the Zend framework, and the lamins-http vendor released a relevant patch for this vulnerability should use 2.14.x bugfix release (patch)
Security tips to remain protected
- We strongly recommend users check and patch their servers and Linux devices in order to prevent the exploitation of such vulnerabilities by FreakOut
- Intrusion Prevention Systems (IPS) prevent attempts to exploit weaknesses in vulnerable systems or applications, protecting you in the race to exploit the latest breaking threat. Updated IPS helps your organization stay protected.
- Endpoint protections: Conventional signature-based Anti-Virus is a highly efficient solution for preventing known attacks and should definitely be implemented in any organization, as it protects against a majority of the malware attacks that an organization faces.
- Comprehensive advanced endpoint protection at the highest security level is crucial in order to avoid security breaches and data compromises
Conclusion
“FreakOut” is an attack campaign that exploits three vulnerabilities, including some newly released, to compromise different servers. The threat actor behind the attack, named “Freak”, managed to infect many devices in a short period of time, and incorporated them into a botnet, which in turn could be used for DDoS attacks and crypto-mining. Such attack campaigns highlight the importance and significance of checking and protecting your assets as an on-going basis. This ongoing campaign can spread quickly, as we have seen.
.
