Researchers have unveiled a never-before-seen piece of cross-platform malware that has infected a wide variety of Linux and Windows devices, including small office routers, FreeBSD boxes and enterprise servers.
Black Lotus Labs, the research arm of security firm Lumen, calls the malware Chaos, a word that appears repeatedly in function names, certificates and file names it uses. Chaos ensued no later than April 16, when the first cluster of control servers went live in the wild. From June to mid-July, researchers found hundreds of unique IP addresses representing compromised Chaos devices. Staging servers used to infect new devices have mushroomed in recent months, from 39 in May to 93 in August. Tuesday the number stood at 111.
Black Lotus has observed interactions with these staging servers from both embedded Linux devices and enterprise servers, including one in Europe that hosted an instance of GitLab. There are over 100 unique monsters in the wild.
“The potential of the Chaos malware stems from a few factors,” Black Lotus Labs researchers wrote in a blog post Wednesday morning. “First, it is designed to work in a variety of architectures, including: ARM, Intel (i386), MIPS, and PowerPC, in addition to both Windows and Linux operating systems. Second, unlike large-scale ransomware distribution botnets like Emotet that Using spam to spread and grow, Chaos spreads through known CVEs and brutally forced and stolen SSH keys.”
CVEs refer to the mechanism used to detect specific vulnerabilities. Wednesday’s report pointed to just a few, including CVE-2017-17215 and CVE-2022-30525 that affect firewalls sold by Huawei, and CVE-2022-1388, an extremely serious vulnerability in load balancers, firewalls and network inspection equipment sold by F5 . SSH infections that use brute-forcing of passwords and stolen keys also allow Chaos to spread from machine to machine within an infected network.
Chaos also has several capabilities, including listing all devices connected to an infected network, running remote shells that allow attackers to execute commands, and loading additional modules. Combined with the ability to run on such a wide range of devices, these capabilities have led Black Lotus Labs to suspect that Chaos is “the work of a cybercriminal who cultivates a network of infected devices to use for initial access, DDoS.” attacks and cryptography. mining,” the company’s researchers said.
Black Lotus Labs believes that Chaos is an offshoot of Kaiji, a piece of botnet software for Linux-based AMD and i386 servers for carrying out DDoS attacks. Since it came into its own, Chaos has gained a host of new features, including modules for new architectures, the ability to run on Windows, and the ability to propagate by exploiting vulnerabilities and harvesting SSH keys.
Infected IP addresses indicate that Chaos infections are most concentrated in Europe, with smaller hotspots in the Americas and Asia Pacific.
Researchers at Black Lotus Labs wrote:
In the first few weeks of September, our Chaos host emulator received multiple DDoS commands targeting about two dozen domains or IPs of organizations. Using our global telemetry, we identified multiple DDoS attacks that coincided with the timeframe, IP address, and port of the attack commands we received. Attack types were generally multi-vector using UDP and TCP/SYN across multiple ports, often increasing in volume over several days. Targeted entities included gaming, financial services and technology, media and entertainment and hosting. We even observed attacks targeting DDoS-as-a-service providers and a crypto mining exchange. Collectively, the targets spanned EMEA, APAC and North America.
One gaming company was the target of a mixed UDP, TCP, and SYN attack over port 30120. From September 1 to September 5, the organization received a flow of traffic above normal volume. A breakdown of the traffic for the time frame before and during the attack period shows a flow of traffic sent to port 30120 by approximately 12K different IPs, although some of that traffic may indicate IP spoofing.
Some of the targets were DDoS-as-a-service providers. One markets itself as a premier IP stressor and booter that provides CAPTCHA bypass and “unique” DDoS capabilities for the transport layer. In mid-August, our visibility revealed a massive increase in traffic, about four times the highest volume recorded in the past 30 days. This was followed on September 1 by an even larger peak of more than six times normal traffic volume.
The two most important things people can do to prevent Chaos infections are to keep all routers, servers and other devices completely up to date and use strong passwords and FIDO2-based multi-factor authentication whenever possible. A reminder to small office router owners everywhere: Most router malware cannot survive a reboot. Consider rebooting your device every week or so. Those who use SSH should always use a cryptographic key for authentication.