- Aug 17, 2014
A newly identified botnet is targeting unpatched applications running on top of Linux systems, Check Point security researchers said in a report today.
First seen in November 2020, the FreakOut botnet has surfaced again in a new series of attacks this month.
Its current targets include TerraMaster data storage units, web applications built on top of the Zend PHP Framework, and websites running the Liferay Portal content management system.
Check Point says the FreakOut operator is mass-scanning the internet for these applications and then utilizing exploits for three vulnerabilities in order to gain control of the underlying Linux system.
All three vulnerabilities (listed below) are fairly recent, which means there's a high chance that FreakOut exploitation attempts are succeeding as many systems could still be lagging behind on their patches.
Once the FreakOut bot gains access to a system, it's immediate step is to download and run a Python script that connects the infected devices to a remote IRC channel where the attacker can send commands and orchestrate a varied list of attacks using the enslaved devices.
According to a Check Point technical report published today, the list of commands that FreakOut bots can run includes the likes of:
- Gathering info on the infected system;
- Creating and sending UDP and TCP packets;
- Executing Telnet brute-force attacks using a list of hardcoded credentials;
- Running a port scan;
- Executing an ARP poisoning attack on the device's local network;
- Opening a reverse shell on the infected host;
- Killing local processes; and more.
The botnet comes with features that can be used for DDoS attacks, ARP poisoning, hidden crypto-mining, launching brute-force attacks, and more.