Published in News

Chaos hits Linux and Windows machines

29 September 2022


Seen in the wild

A cross-platform malware has infected a wide range of Linux and Windows devices, including small office routers, FreeBSD boxes, and large enterprise servers.

Dubbed Chaos, the malware emerged on April 16, when the first cluster of control servers went live in the wild. From June through mid-July, researchers found hundreds of unique IP addresses representing compromised Chaos devices. Staging servers used to infect new devices have mushroomed in recent months, growing from 39 in May to 93 in August. As of Tuesday, the number reached 111.

Black Lotus Labs, the research arm of security firm Lumen, has observed interactions with these staging servers from both embedded Linux devices as well as enterprise servers, including one in Europe that was hosting an instance of GitLab. There are more than 100 unique samples in the wild.

Black Lotus Labs researchers wrote in a Wednesday morning blog post that the malware was nasty because it worked across several architectures, including ARM, Intel (i386), MIPS and PowerPC, and on both Windows and Linux operating systems.

"Unlike large-scale ransomware distribution botnets like Emotet that leverage spam to spread and grow, Chaos propagates through known CVEs and brute-forced as well as stolen SSH keys."

Wednesday's report named only a few of those CVEs, including CVE-2017-17215 and CVE-2022-30525, affecting firewalls sold by Huawei, and CVE-2022-1388, an extremely severe vulnerability in load balancers, firewalls, and network inspection gear sold by F5. SSH infections using password brute-forcing and stolen keys also allow Chaos to spread from machine to machine inside an infected network.
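Because the report says Chaos spreads over SSH by brute-forcing passwords and reusing stolen keys, the signal a defender can act on is in sshd's authentication log: a burst of failed logins from one source, and especially a successful login from a source that was just failing. The detector below is an added example written for this article, not code from Black Lotus Labs or the report; it assumes standard OpenSSH syslog lines (year omitted, so one is supplied), a constructed sample log, and a hypothetical threshold of five failures within two minutes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH auth-log pattern (syslog format, no year). Assumed layout for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one source hammers root/admin, then gets in;
# a second source has a single typo-style failure followed by a key login.
SAMPLE_LOG = """\
Sep 28 10:00:01 gw sshd[1201]: Failed password for root from 203.0.113.5 port 41122 ssh2
Sep 28 10:00:03 gw sshd[1202]: Failed password for root from 203.0.113.5 port 41130 ssh2
Sep 28 10:00:05 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 41140 ssh2
Sep 28 10:00:07 gw sshd[1204]: Failed password for admin from 203.0.113.5 port 41150 ssh2
Sep 28 10:00:09 gw sshd[1205]: Failed password for root from 203.0.113.5 port 41160 ssh2
Sep 28 10:00:12 gw sshd[1206]: Accepted password for root from 203.0.113.5 port 41170 ssh2
Sep 28 10:05:00 gw sshd[1300]: Failed password for ops from 198.51.100.9 port 50000 ssh2
Sep 28 10:05:30 gw sshd[1301]: Accepted publickey for ops from 198.51.100.9 port 50001 ssh2
"""


def parse_line(line, year=2022):
    """Parse one sshd line into a dict, or return None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Return findings as tuples: ('bruteforce', ip, first_trigger_time) and
    ('success_after_bruteforce', ip, user, method) for logins from flagged sources."""
    failures = defaultdict(list)  # ip -> timestamps of failed logins inside the window
    flagged = set()
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            # Sliding window: keep only failures within `window` of this one.
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
            failures[ip].append(ev["ts"])
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("bruteforce", ip, ev["ts"].isoformat()))
        elif ip in flagged:
            # A success from a source that was brute-forcing: the event to page on,
            # whether the credential was guessed or a stolen key finally matched.
            findings.append(("success_after_bruteforce", ip, ev["user"], ev["method"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

Running it on the constructed log flags 203.0.113.5 at the fifth failure and again when its sixth attempt is accepted, while 198.51.100.9 stays quiet; the same loop reads a real `/var/log/auth.log` line by line. The sliding window is what keeps a slow, patient scan from hiding below the threshold, and the "success after brute force" rule catches the stolen-key case the report describes, where the final login is a valid publickey authentication that would otherwise look routine.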

Chaos also has various capabilities, including enumerating all devices connected to an infected network, running remote shells that allow attackers to execute commands, and loading additional modules. Combined with the ability to run on such a wide range of devices, these capabilities have led Black Lotus Labs to suspect Chaos "is the work of a cybercriminal actor that is cultivating a network of infected devices to leverage for initial access, DDoS attacks and crypto mining," company researchers said.

Infected IP addresses indicate that Chaos infections are most heavily concentrated in Europe, with smaller hotspots in North and South America, and Asia Pacific.


Last modified on 30 September 2022