The FreakOut botnet is attacking Visual Tools digital video recorders (DVRs) used in surveillance systems with an exploit that has been public since mid-summer. The vulnerability it exploits has not yet been assigned a CVE identifier.
The FreakOut botnet, also known as Necro and N3Cr0m0rPh, has targeted Visual Tools DVRs used in video surveillance systems.
Juniper Threat Labs found that the botnet has started using a publicly available exploit for a vulnerability in the Visual Tools DVR VX16 to deploy Monero cryptocurrency miners on these devices.
The FreakOut / Necro botnet first appeared on security researchers' radar in November 2020. It was originally built for DDoS attacks and illicit cryptocurrency mining, and its feature set has grown considerably since: it can install a rootkit on Windows, hide its infrastructure behind a domain generation algorithm (DGA), spread through exploits or brute-force attacks, and inject itself into HTML, JS and PHP files. Recent versions have dropped the SMB scanner seen in spring 2021 and replaced the hard-coded command-and-control address with a dynamically generated one.
The main bot script is written in Python and runs on both Windows and Linux. The bot scans for open ports 22, 80, 443, 8081 and 7001, and launches its exploits against hosts that expose them.
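The fixed port set above is a usable network-detection signature: a single source touching most of 22, 80, 443, 8081 and 7001 within a short window looks like this scanner, whereas ordinary clients rarely mix SSH, web and the two management ports. The script below is an added example written for this article, not code from Juniper Threat Labs or from the botnet itself. The connection-log format ("epoch src dst dst_port", one attempt per line), the sample lines and the window/threshold values are all constructed assumptions for the demonstration.

```python
"""Flag sources probing the port set used by the FreakOut/Necro scanner.

Added example, not from the article's sources or the botnet's code. The log
format is constructed for the demo: one connection attempt per line,
"<epoch> <src_ip> <dst_ip> <dst_port>". Window and threshold are assumed
tuning values, not figures from the article.
"""
from collections import defaultdict

# Ports the article says the bot probes before launching exploits.
FREAKOUT_PORTS = {22, 80, 443, 8081, 7001}

# Constructed sample: 203.0.113.7 sweeps the whole set against two hosts;
# 198.51.100.9 only touches 80/443 (normal web traffic) and must not be flagged.
SAMPLE_LOG = """\
1633000000 203.0.113.7 192.0.2.10 22
1633000001 203.0.113.7 192.0.2.10 80
1633000001 203.0.113.7 192.0.2.10 443
1633000002 203.0.113.7 192.0.2.10 8081
1633000002 203.0.113.7 192.0.2.10 7001
1633000003 203.0.113.7 192.0.2.11 22
1633000003 203.0.113.7 192.0.2.11 7001
1633000004 198.51.100.9 192.0.2.10 80
1633000005 198.51.100.9 192.0.2.10 443
1633000006 198.51.100.9 192.0.2.10 80
not a valid log line
"""


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_scanners(log_text, window=60, min_ports=4):
    """Return {src_ip: sorted FreakOut ports it probed} for suspicious sources.

    A source is flagged when, within `window` seconds, it attempts at least
    `min_ports` distinct ports from FREAKOUT_PORTS against any destination.
    """
    events = defaultdict(list)  # src -> [(ts, port)], only FreakOut ports kept
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _dst, port = rec
        if port in FREAKOUT_PORTS:
            events[src].append((ts, port))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window's left edge so hits[start:end+1] spans <= window s.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                # Report every signature port this source touched in the log.
                flagged[src] = sorted({p for _, p in hits})
                break
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible FreakOut scanner {src}: probed ports {ports}")
```

Tune `min_ports` to taste: requiring all five ports lowers false positives but misses a source whose probes to one port are dropped upstream before they reach the log, so four of five is a reasonable default for a first pass.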
In addition to the Visual Tools DVR, the current version of FreakOut can attack a range of other devices using exploits for CVE-2020-15568 (TerraMaster TOS before version 4.1.29), CVE-2021-2900 (Genexis Platinum 4410 2.1 P4410-V2-1.28), CVE-2020-25494 (Xinuos OpenServer v5 and v6), CVE-2020-28188 (TerraMaster TOS up to version 4.2.06), and CVE-2019-12725 (Zeroshell 3.9.0).
The Visual Tools DVR vulnerability has not yet been assigned a CVE identifier. An exploit for it, however, has been public since July 2021, and that is what the attackers are using.
In June 2021, researchers noted that the botnet carried Python ports of the EternalBlue (CVE-2017-0144) and EternalRomance SMBv1 exploits, both of which were fixed by Microsoft in MS17-010.
In addition, this version of the botnet can carry out DDoS attacks routed through the TORSOCKS proxy, and it installs a Monero cryptocurrency miner on compromised devices.
“Digital video recorders are a pretty interesting target for the creators of IoT botnets,” says Mikhail Zaitsev, an information security expert at SEQ. “They are well suited for criminal mining of cryptocurrencies and for launching DDoS attacks, since they often use a communication channel with high bandwidth. And, like many other IoT devices, DVRs often have problems with security and firmware updates, so some pretty old exploits work on them. That is what is observed in this case.”