Swiss Army Knife —
Small Office Router? FreeBSD machine? Enterprise server? Chaos infected them all.
Dan Goodin –
CVE is the mechanism used to track a specific vulnerability. Wednesday's report mentions just a few, including CVE-2017-17215 and CVE-2022-30525, affecting firewalls sold by Huawei, and the extremely critical vulnerability CVE-2022-1388. SSH infection using password brute force and key theft also lets Chaos spread between machines inside a compromised network.
Chaos also has various capabilities, including enumerating all devices connected to an infected network, running remote shells that let attackers execute commands, and loading additional modules. Combined with its ability to operate on such a wide range of devices, these capabilities lead Black Lotus Labs to suspect that Chaos "is the work of a cybercriminal who is cultivating a network of compromised devices to exploit initial access, DDoS attacks and crypto mining," the company's researchers said. Black Lotus Labs believes Chaos is a fork of Kaiji, botnet software for Linux-based AMD and i386 servers that is used to perform DDoS attacks. Since its inception, Chaos has gained many new features, including modules for new architectures, the ability to run on Windows, and the ability to spread via exploits and SSH key harvesting. Infected IP addresses indicate that the highest concentration of Chaos infections is in Europe, with smaller hotspots in North and South America and the Asia Pacific region.
Some targets include DDoS-as-a-service providers. One is a premier IP stresser and booter service that positions itself as providing CAPTCHA bypass and "unique" transport-layer DDoS capabilities. In mid-August, our visibility showed a significant uptick in traffic, roughly four times the peak traffic recorded over the previous 30 days. A larger spike followed on September 1, exceeding normal traffic sixfold.
[Figure: incoming attack volume against a DDoS-as-a-service organization. Source: Black Lotus Labs]

The two most important things one can do to prevent a Chaos infection are keeping all routers, servers and other devices fully updated and using strong passwords and FIDO2-based multi-factor authentication wherever possible. A reminder to small office router owners everywhere: most router malware doesn't survive a reboot, so consider restarting your device every week or so. Users of SSH should always authenticate with cryptographic keys rather than passwords.
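As an added example (not from the article or from Black Lotus Labs), the following POSIX shell audit checks an sshd_config for the settings that let the SSH password brute-force spread described above succeed, and shows the result on a constructed weak configuration beside a constructed hardened one; the file names, contents and helper names are assumptions.

```shell
#!/bin/sh
# Added example: audit sshd_config for password-based SSH exposure.
# Only global directives are inspected; Match blocks are not handled.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed weak config: password logins allowed (the OpenSSH default)
# and root may log in with a password.
cat > "$WORK/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed hardened config: key-only authentication, no root password login.
cat > "$WORK/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Effective value of a directive: keyword is case-insensitive and, as in
# sshd, the first occurrence wins; $3 is the OpenSSH default when unset.
sshd_get() { # $1=file $2=keyword $3=default
  v=$(awk -v k="$2" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$1")
  printf '%s' "${v:-$3}"
}

# Print one line per weak setting; prints nothing for a hardened file.
sshd_weak_settings() { # $1=file
  f=$1
  [ "$(sshd_get "$f" PasswordAuthentication yes)" = no ] \
    || echo "PasswordAuthentication is not 'no': brute-forceable password logins allowed"
  [ "$(sshd_get "$f" PubkeyAuthentication yes)" = yes ] \
    || echo "PubkeyAuthentication is disabled: key-based login impossible"
  case "$(sshd_get "$f" PermitRootLogin prohibit-password)" in
    no|prohibit-password) ;;
    *) echo "PermitRootLogin allows root to log in with a password" ;;
  esac
}

# Number of weak settings, so callers can branch on the result.
sshd_weak_count() { sshd_weak_settings "$1" | wc -l | tr -d ' '; }

sshd_weak_settings "$WORK/sshd_config.weak"       # two findings
sshd_weak_count "$WORK/sshd_config.hardened"      # prints 0
```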