
Wormable Gitpaste-12 Botnet Returns to Target Linux Servers, IoT Devices
2020-12-15 03:18

A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers.

Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called "Gitpaste-12," which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL. The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020.

Now according to Juniper, the second wave of attacks began on November 10 using payloads from a different GitHub repository, which, among others, contains a Linux crypto-miner, a file with a list of passwords for brute-force attempts, and a local privilege escalation exploit for x86_64 Linux systems.

"The worm conducts a wide-ranging series of attacks targeting web applications, IP cameras, routers and more, comprising at least 31 known vulnerabilities - seven of which were also seen in the previous Gitpaste-12 sample - as well as attempts to compromise open Android Debug Bridge connections and existing malware backdoors," Juniper researcher Asher Langton noted in a Monday analysis.

It's worth noting that Ttint, a new variant of the Mirai botnet, was observed in October using two Tenda router zero-day vulnerabilities, including CVE-2020-10987, to spread a Remote Access Trojan capable of carrying out denial-of-service attacks, executing malicious commands, and implementing a reverse shell for remote access.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/TXBR3yMbnqg/wormable-gitpaste-12-botnet-returns-to.html

Related Vulnerability

DATE: 2020-07-13
CVE: CVE-2020-10987
VULNERABILITY TITLE: OS Command Injection vulnerability in Tenda AC15 Firmware 15.03.05.19
DESCRIPTION: The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
ATTACK VECTOR: network, low complexity
VENDOR / WEAKNESS: tenda, CWE-78
RISK: critical (9.8)
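The weakness class in the entry above is CWE-78: a request parameter reaches a system command without validation. The following is an added illustration for this page, not the Tenda firmware's code and not taken from the original article. It places the vulnerable shape (a shell string built from the parameter) beside the hardened shape (an allowlist check on the parameter, then an argv list that is never parsed by a shell). The mount-point path, the handler function and the request dictionary are constructed assumptions for the example; only the parameter name `deviceName` comes from the page.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Assumed mount-point layout; it exists only for this illustration.
MOUNT_ROOT = "/mnt"

# Allowlist: a device name is a short token of letters, digits, '_' and '-'.
# Anything else (spaces, ';', '|', '$', quotes, '/', '..') is rejected outright,
# which is safer than trying to enumerate every shell metacharacter.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def build_unmount_unsafe(device_name: str) -> str:
    """CWE-78 pattern: the request parameter is spliced into one shell string.

    Whatever the shell treats specially inside ``device_name`` becomes part of
    the command line. The string is returned rather than executed so its shape
    can be inspected.
    """
    return f"umount {MOUNT_ROOT}/{device_name}"


def validate_device_name(device_name: str) -> str:
    """Reject any device name that is not a plain token (allowlist, not denylist)."""
    if not isinstance(device_name, str) or not DEVICE_NAME_RE.fullmatch(device_name):
        raise ValueError("invalid device name")
    return device_name


def build_unmount_safe(device_name: str) -> List[str]:
    """Hardened form: validate first, then build an argv list.

    An argv list handed to subprocess.run(..., shell=False) is passed straight to
    exec; no shell re-parses it, so metacharacters cannot split it into extra
    commands. The allowlist additionally keeps '/' and '..' out of the path.
    """
    name = validate_device_name(device_name)
    return ["umount", f"{MOUNT_ROOT}/{name}"]


def handle_set_usb_unload(form: Dict[str, str]) -> Tuple[int, Optional[List[str]]]:
    """Constructed request handler for the illustration.

    Returns (HTTP status, argv). A bad deviceName yields 400 and no command;
    a valid one yields 200 and the argv the handler would execute.
    """
    try:
        argv = build_unmount_safe(form.get("deviceName", ""))
    except ValueError:
        return 400, None
    return 200, argv


def run_argv(argv: List[str]) -> int:
    """Execute an already-validated argv without a shell; returns the exit code."""
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed sample input carrying shell syntax in the parameter.
    tainted = "usb1; ls"
    print("unsafe string :", build_unmount_unsafe(tainted))
    print("hardened      :", handle_set_usb_unload({"deviceName": tainted}))
    print("valid request :", handle_set_usb_unload({"deviceName": "sda1"}))
```

The two functions differ only in where trust is established: the unsafe builder trusts the parameter and lets `/bin/sh` interpret it, while the safe builder establishes what a device name may look like and never gives a shell the chance to interpret anything.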

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2613 1617 67 4361