Researchers have revealed never-before-seen cross-platform malware that has infected a wide range of Linux and Windows devices, including small office routers, FreeBSD boxes and large enterprise servers.
Black Lotus Labs, the research arm of security firm Lumen, calls the malware Chaos, a word that appears repeatedly in the function names, certificates and filenames it uses. Chaos appeared no later than April 16, when the first cluster of control servers went live in the wild. From June to mid-July, researchers found hundreds of unique IP addresses representing compromised Chaos devices. Intermediate servers used to infect new devices have multiplied in recent months, from 39 in May to 93 in August. On Tuesday, the number reached 111.
Black Lotus observed interactions with these intermediate servers from both embedded Linux devices and enterprise servers, including one in Europe that hosted an instance of GitLab. There are over 100 unique samples in the wild.
“The potency of the Chaos malware stems from a few factors,” the Black Lotus Labs researchers wrote in a blog post Wednesday morning. “First, it is designed to work on multiple architectures including: ARM, Intel (i386), MIPS, and PowerPC, in addition to Windows and Linux operating systems. Second, unlike large-scale ransomware distribution botnets like Emotet who exploit spam to grow, Chaos spreads through known CVEs and forced or stolen SSH keys.”
CVEs are the identifiers used to track specific vulnerabilities. Wednesday’s report mentions just a few, including CVE-2017-17215 and CVE-2022-30525 affecting firewalls sold by Huawei, and CVE-2022-1388, an extremely severe vulnerability in load balancers, firewalls and network inspection equipment sold by F5. SSH infections using password brute force and stolen keys also allow Chaos to spread from machine to machine inside an infected network.
Chaos also has various features, including enumerating all devices connected to an infected network, running remote shells that allow attackers to execute commands, and loading additional modules. Combined with the ability to run on such a wide range of devices, these capabilities have led Black Lotus Labs to suspect that Chaos “is the work of a cybercriminal actor who cultivates a network of infected devices to exploit for initial access, DDoS attacks and crypto mining,” the company’s researchers said.
Black Lotus Labs believes Chaos is an offshoot of Kaiji, botnet software for Linux-based AMD and i386 servers to perform DDoS attacks. Since its emergence, Chaos has gained a slew of new features, including modules for new architectures, the ability to run on Windows, and the ability to spread through vulnerability exploitation and SSH key harvesting.
Infected IP addresses indicate that Chaos infections are most heavily concentrated in Europe, with smaller hotspots in North and South America and Asia-Pacific.
Black Lotus Labs researchers wrote:
During the first weeks of September, our Chaos host emulator received several DDoS commands targeting around two dozen domains or IP addresses of organizations. Through our global telemetry, we have identified multiple DDoS attacks that coincide with the time period, IP address, and port of the attack commands we received. Attack types were typically multi-vector exploiting UDP and TCP/SYN on multiple ports, often increasing in volume over the course of several days. Entities targeted included gaming, financial services and technology, media and entertainment, and accommodation. We even observed attacks targeting DDoS-as-a-service providers and a crypto-mining exchange. Collectively, the targets covered EMEA, APAC and North America.
A gaming company was targeted by a mixed UDP, TCP, and SYN attack on port 30120. From September 1 through September 5, the organization received more than its usual traffic flow. A breakdown of traffic for the period before and during the attack period shows a flow of traffic sent to port 30120 by approximately 12,000 distinct IP addresses – although some of this traffic may indicate IP address spoofing.
A few of the targets included DDoS-as-a-service providers. One markets itself as a premier IP stressor and booter that offers “one-of-a-kind” CAPTCHA bypass and transport layer DDoS capabilities. In mid-August, our visibility revealed a massive increase in traffic approximately four times the highest volume recorded in the previous 30 days. This was followed on September 1 by an even bigger spike of more than six times the normal traffic volume.
The two most important things people can do to prevent Chaos infections are to keep all routers, servers, and other devices fully up to date and to use strong passwords and FIDO2-based multi-factor authentication whenever possible. A reminder to small business router owners everywhere: most router malware cannot survive a reboot. Consider rebooting your device every week or so. Those using SSH should always use a cryptographic key for authentication.
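The report ties Chaos's lateral spread to SSH password brute force, and the advice above is to move SSH to key-based authentication. The following is an added example, not code from the report or from Black Lotus Labs: a small detector that reads sshd auth-log lines, flags a source that reaches a burst of failed password logins inside a time window, and notes whether a password login from that source later succeeded. The log lines are constructed samples using documentation-range addresses; the threshold and window are assumed values, not figures from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not taken from the report).
SAMPLE_AUTH_LOG = """\
Sep  3 10:00:01 gw sshd[4121]: Failed password for root from 203.0.113.7 port 51000 ssh2
Sep  3 10:00:03 gw sshd[4122]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Sep  3 10:00:04 gw sshd[4123]: Failed password for invalid user pi from 203.0.113.7 port 51004 ssh2
Sep  3 10:00:06 gw sshd[4124]: Failed password for root from 203.0.113.7 port 51006 ssh2
Sep  3 10:00:09 gw sshd[4125]: Failed password for root from 203.0.113.7 port 51008 ssh2
Sep  3 10:00:12 gw sshd[4126]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Sep  3 10:30:00 gw sshd[4200]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Sep  3 10:30:20 gw sshd[4201]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_ts(ts, year=2022):
    # syslog timestamps carry no year; the year is an assumed default.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_password_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "success_after": bool}} for every source that
    reached `threshold` failed password logins within `window`. A later password
    success from a flagged source is the event worth alerting on."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if m["result"] == "Failed" and m["method"] == "password":
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                flagged.setdefault(ip, {"failures": 0, "success_after": False})
                flagged[ip]["failures"] = len(recent[ip])
        elif m["result"] == "Accepted" and m["method"] == "password" and ip in flagged:
            flagged[ip]["success_after"] = True
    return flagged

if __name__ == "__main__":
    for ip, info in find_password_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Key-based logins (the `Accepted publickey` line) are deliberately ignored, so a host that has already moved off passwords produces no alerts from this check.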