
posted by janrinok on Friday September 30 2022, @05:03AM

Never-before-seen Malware Has Infected Hundreds of Linux and Windows Devices

Never-before-seen malware has infected hundreds of Linux and Windows devices:

Researchers have revealed a never-before-seen piece of cross-platform malware that has infected a wide range of Linux and Windows devices, including small office routers, FreeBSD boxes, and large enterprise servers.

Black Lotus Labs, the research arm of security firm Lumen, is calling the malware Chaos, a word that repeatedly appears in function names, certificates, and file names it uses. Chaos emerged no later than April 16, when the first cluster of control servers went live in the wild. From June through mid-July, researchers found hundreds of unique IP addresses representing compromised Chaos devices. Staging servers used to infect new devices have mushroomed in recent months, growing from 39 in May to 93 in August. As of Tuesday, the number reached 111.

Black Lotus has observed interactions with these staging servers from both embedded Linux devices as well as enterprise servers, including one in Europe that was hosting an instance of GitLab. There are more than 100 unique samples in the wild.

[...] Chaos also has various capabilities, including enumerating all devices connected to an infected network, running remote shells that allow attackers to execute commands, and loading additional modules. Combined with the ability to run on such a wide range of devices, these capabilities have led Black Lotus Labs to suspect Chaos "is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining," company researchers said.

Black Lotus Labs believes Chaos is an offshoot of Kaiji, a piece of botnet software for Linux-based AMD and i386 servers for performing DDoS attacks. Since coming into its own, Chaos has gained a host of new features, including modules for new architectures, the ability to run on Windows, and the ability to spread through vulnerability exploitation and SSH key harvesting.

Infected IP addresses indicate that Chaos infections are most heavily concentrated in Europe, with smaller hotspots in North and South America and Asia-Pacific.


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 2, Insightful) by billbellum on Friday September 30 2022, @06:03AM (5 children)

    by billbellum (18539) on Friday September 30 2022, @06:03AM (#1274301)

    I am suspicious, in that the report is trying to equate vulns of Linux and the known most vulnerable OS in the world. Should I be suspicious?

    • (Score: 2) by driverless on Friday September 30 2022, @06:18AM (3 children)

      by driverless (4770) on Friday September 30 2022, @06:18AM (#1274304)

      That's the great thing about Java, write once, malware everywhere!

      • (Score: 5, Insightful) by Rosco P. Coltrane on Friday September 30 2022, @08:23AM (2 children)

        by Rosco P. Coltrane (4757) on Friday September 30 2022, @08:23AM (#1274310)

        It's not written in Java but in Go. See here [lumen.com].

        Anyway, it's just a dumb SSH password brute-forcer and private key harvester. Don't enable passwords on your SSH servers, and only use passworded SSH keys on your clients, and you'll be fine. Or in other words, use good practices, as always.

        • (Score: 2, Insightful) by pTamok on Friday September 30 2022, @09:26AM (1 child)

          by pTamok (3042) on Friday September 30 2022, @09:26AM (#1274312)

          Actually, don't use dumb passwords on your SSH servers, or on your passworded keys. The issue is not use of passwords per se, but use of passwords that can be brute-forced easily. Of course, convincing people to use good passwords is hard, which is why there are so many ways of trying to make it easier for people.

          • (Score: 2) by Freeman on Friday September 30 2022, @02:14PM

            by Freeman (732) Subscriber Badge on Friday September 30 2022, @02:14PM (#1274335) Journal

            <sarcasm>But, I've always used password123 as my password! I've never had issues before!</sarcasm> I wish that was sarcasm.

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 2) by janrinok on Friday September 30 2022, @10:42AM

      by janrinok (52) Subscriber Badge on Friday September 30 2022, @10:42AM (#1274317) Journal

      It also includes BSDs. The interest is that it can infect all 3 different kinds of OS and numerous devices.

      You should 'be suspicious' of all viruses.
