Swiss Army Knife —
Small Office Router? FreeBSD machine? Enterprise server? Chaos infected them all.
Dan Goodin –
)
Researchers reveal a never-before-seen cross-platform malware that infects A wide range of Linux and Windows devices, including small office routers, FreeBSD machines, and large enterprise servers. Black Lotus Labs, the research arm of security firm Lumen, will The malware is called Chaos, a word that recurs in the function names, certificates, and filenames it uses. Chaos arose when the first cluster of control servers went live no later than April 16. From June to mid-July, researchers discovered hundreds of unique IP addresses representing infected Chaos devices. Temporary servers used to infect new devices have sprung up in recent months, from 39 in May to 93 in August. As of Tuesday, the number had reached 111. Black Lotus observes embedded Linux device and enterprise servers interact with these staging servers, including the European server hosting the GitLab instance. There are more than 100 unique samples in the wild. “The Chaos malware’s effectiveness stems from Several factors,” the Black Lotus Labs researchers wrote in a Wednesday morning blog post. “First, it’s designed to work across multiple architectures, including: ARM, Intel (i386), MIPS, and PowerPC — in addition to Windows and Linux operating systems. Second, unlike large ransomware distribution botnets like Emotet that use spam to spread and growth, Chaos spread via known CVEs and brute force and stolen SSH keys.”
CVE refers to the mechanism used to track a specific vulnerability. Wednesday’s report mentions just a few, including CVE-2017-17215 and CVE-2022-30525 affecting firewalls sold by Huawei, and an extremely critical vulnerability CVE- 2022-1388 . SSH infection using password brute force and key stealing also allows Chaos to spread between machines within the compromised network.
Chaos also has various Capabilities, including enumerating all devices connected to an infected network, running remote shells that allow attackers to execute commands, and load other modules. Combined with the ability to operate on such a wide range of devices, these capabilities lead Black Lotus Labs to suspect that Chaos “is the work of a cybercriminal who is cultivating a network of compromised devices to exploit initial access, DDoS attacks and crypto mining,” the company researched staff said. Black Lotus Labs believes Chaos is Kaiji’s A fork, Kaiji is a botnet software for Linux-based AMD and i386 servers used to perform DDoS attacks. Since its inception, Chaos has gained many new features, including modules for new architectures, the ability to run on Windows, and the ability to spread via exploits and SSH key harvesting. Infected IP addresses indicate the highest concentration of Chaos infections In Europe, there are smaller hotspots in the north, as well as in South America and Asia Pacific.
Over the first few weeks of September, our Chaos hosting emulator received multiple DDoS commands targeting the domains or IPs of about two dozen organizations. Using our global telemetry, we identified multiple DDoS attacks consistent with time frame, IP, and port from incoming attack commands. The attack type is usually a multi-vector attack utilizing UDP and TCP/SYN across multiple ports, often increasing the volume of the attack over several days. Target entities include gaming, financial services and technology, media and entertainment, and hosting. We have even observed attacks against DDoS-as-a-Service providers and crypto mining exchanges. Overall, the goals spanned EMEA, Asia Pacific and North America.
A game company’s goal is to pass Port 30120 for mixed UDP, TCP and SYN attacks. From September 1st to September 5th, the organization received a significant amount of traffic that exceeded its typical traffic. A breakdown of traffic before and during the attack period shows that around 12K different IPs sent a lot of traffic to port 30120 – although some of this traffic may indicate IP spoofing. 
Black Lotus LaboratorySome targets include DDoS-as-a-Service providers. A premier IP stressor and bootloader that positions itself as providing CAPTCHA bypass and “unique” transport layer DDoS capabilities. In mid-August, our visibility showed a significant uptick in traffic, roughly four times the peak traffic recorded over the past 30 days. A larger spike followed on September 1, exceeding normal traffic by six times.
enlarge
/ DDoS-as-a-service organization incoming attack volume Black Lotus Labs
