[MART] - Daily Diary #369 - FreakOut Exploits Surveillance Systems to Deploy CryptoMiner

CTAS-MAT ctas-mat at appgate.com
Thu Oct 14 22:50:34 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

10/14/2021 - Diary entry #369

In our Daily Diary #190 we covered the FreakOut botnet. Written in Python, this malware has the characteristic of attacking Linux machines running specific vulnerable products that are not patched. In its toolkit, FreakOut contains several scripts to exploit known public vulnerabilities, move laterally through the network, execute remote commands and much more.

This week a new sample of FreakOut was discovered. Curiously, this version updated its toolkit, also targeting Visual Tools DVR VX16 4.2.28.0, used in surveillance systems. The exploited vulnerability, discovered in July and tracked under CVE-2021-42071, allows an attacker to execute arbitrary commands through a simple HTTP request. FreakOut scripts exploit the vulnerability to deploy a high-performance Monero (XMR) miner on the affected system.

Most of the vulnerabilities in FreakOut's toolkit are really easy to exploit, generally requiring little more than a simple HTTP request. Although Visual Tools DVR is not as common as MS Office or other popular software, this kind of exploit allows cybercriminals to profit with almost no effort. By adopting the strategy of only dropping a Monero miner, and not disrupting systems with ransomware or other similarly dangerous threats, FreakOut manages to profit while staying under the radar. We expect to see newer versions of FreakOut exploiting other publicly disclosed vulnerabilities like CVE-2021-42071.

Kind Regards,

Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509