An active malicious campaign is targeting Linux devices running vulnerable software. Its purpose is to infect systems that run vulnerable versions of the popular TerraMaster operating system, the Zend Framework (Laminas Project) or Liferay Portal with the FreakOut malware, and to use them to build a widespread cyber-attack campaign.
All three software solutions are targeted by FreakOut's current campaign for the same reason: each has a large user base and is still exposed to known vulnerabilities.
The Zend Framework is a collection of professional PHP packages with over 570 million installations. Version 3.0.0, however, has a critical bug (CVE-2021-3007) that could be exploited to achieve remote code execution.
Liferay Portal is a platform on which Java developers can create services and user interfaces, customize applications, or deploy ready-made ones. All open-source Community Edition versions before 7.2.1 have a critical vulnerability (CVE-2020-7961) that allows remote execution of arbitrary code.
TerraMaster is the operating system that powers the devices .. Version 4.2.06 and its predecessors suffer from a remote command execution flaw (CVE-2020-28188, also rated critical) that allows an attacker to take full control of the device.
Check Point security researchers, who discovered the FreakOut attacks, say that infected Linux devices are enrolled in a botnet that could support further cyber attacks. They say its controller could use the infected machines to mine cryptocurrency, to move laterally within a corporate network, or to attack other targets while posing as the breached company.
FreakOut malware is newly discovered and can be used to scan ports, collect information, sniff network traffic or launch DDoS attacks.
The infection starts by exploiting one of the three critical vulnerabilities and continues by downloading a Python script (out.py) to the compromised machine. The attacker tries to run the script with Python 2, which reached end of life in 2020.
Check Point discovered the attack on January 8, 2021, when they noticed the malicious script being downloaded from hxxp://gxbrowser[.]net. Researchers have since identified hundreds of attempts to retrieve the code.
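As an added example (not from the article or from Check Point's research), the defender-side check that follows from the infection chain above: scanning web-proxy and process-execution log lines for the download host and for a Python interpreter launching the out.py stager. The two log formats, the sample lines and every hostname other than the article's own indicator are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the article: the download host (defanged there as
# hxxp://gxbrowser[.]net) and the stager's filename. Re-fanged here for matching only.
IOC_HOST = "gxbrowser.net"
IOC_SCRIPT = "out.py"

# Two constructed (hypothetical) log formats: a web-proxy access line and a
# process-execution audit line. Adapt the patterns to your own log schema.
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$')
PROC_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$')

# Constructed sample lines, not real telemetry; one benign neighbour per log.
PROXY_LOG = [
    "2021-01-08T10:12:03Z 10.0.0.5 GET http://gxbrowser.net/out.py 200",
    "2021-01-08T10:12:05Z 10.0.0.7 GET http://example.org/index.html 200",
]
PROCESS_LOG = [
    '2021-01-08T10:12:04Z host=nas01 user=www-data cmd="python2 /tmp/out.py"',
    '2021-01-08T10:12:30Z host=web02 user=root cmd="python3 /opt/app/run.py"',
]


def scan_proxy(lines):
    # Flag any request to the download host, or any fetch of a file named out.py.
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        url = urlparse(m["url"])
        host = (url.hostname or "").lower()
        if host == IOC_HOST or host.endswith("." + IOC_HOST):
            hits.append((m["ts"], m["src"], "request to FreakOut download host"))
        elif url.path.rsplit("/", 1)[-1] == IOC_SCRIPT:
            hits.append((m["ts"], m["src"], "fetch of a file named " + IOC_SCRIPT))
    return hits


def scan_process(lines):
    # Flag a Python interpreter (the article notes Python 2) launching out.py.
    hits = []
    for line in lines:
        m = PROC_RE.match(line.strip())
        argv = m["cmd"].split() if m else []
        if len(argv) < 2:
            continue
        interp, script = argv[0].rsplit("/", 1)[-1], argv[1].rsplit("/", 1)[-1]
        if interp.startswith("python") and script == IOC_SCRIPT:
            hits.append((m["ts"], m["host"], f"{interp} executing {IOC_SCRIPT}"))
    return hits
```

Run `scan_proxy(PROXY_LOG)` and `scan_process(PROCESS_LOG)` against your own exported logs once the regexes match their format; a hit on either is a prompt to check the patch level of the three products named above on that host.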
Source of information: bleepingcomputer.com