What’s Old is New Again

A large amount of the cyberattack coverage for a while now has gone to ransomware and related attacks, often infecting through a social engineering, cast-netting, or spear phishing attack.  What we don’t see written up quite as often are application or OS attacks that infect systems through some kind of vulnerability in the software.  It’s not that they don’t happen.  It’s just that high profile ransomware and compound ransomware + extortion attacks tend to be higher value and are more likely to grab the headlines.

The recently revealed FreakOut botnet is interesting for several reasons.  And by interesting, I mean things we’ve seen before but don’t hear as much about.

May You Live In Interesting Times

Unlike the ransomware and RATs (Remote Access Trojan) that gets in through a drive-by web exploit or some kind of email vector, it spreads by leveraging recently revealed application vulnerabilities running on Linux systems.  While Linux itself is robust and can be reasonably secure, with a history of rapid patches when OS level vulnerabilities crop up, the applications that run on top of it don’t always have the advantage of rapid patches coming from an engaged developer community.

This is a common theme.  It happens on other operating systems and cloud platforms too.  In fact, most Cloud platforms make a point of putting the responsibility for Application Security onto the customer.  They do a fine job of keeping the platform secure, but it’s up to you to keep your apps secure.  Which is exactly the case here.

Versatility Is Nothing New

Second point is the versatility, though, again, this isn’t anything unusual for a node on a botnet.  We’ve seen capabilities like this since the late 90’s and early 00’s.  Though admittedly without the coin miner capabilities, though to be fair, that wasn’t a thing in the late 90’s and early 00’s.  What was a thing is more or less every other capability ascribed to the FreakOut botnet malware.  Local exploitation and scanning? Check.  DDoS and other attack capabilities?  Check.  The ability to infect other hosts?  Check.  Persistence?  Packet sniffer? Fingerprinting? All check.

None of these are new behaviors, which is actually one of the points that makes a bot like this easier to identify and deal with.

Anyone Remember “ASL plz?”

The thing that caught my eye is the command and control system the author chose for this FreakOut botnet – Internet Relay Chat.  IRC for botnet control is old school, like 90’s old school.  So what’s old really is new again.  Not that IRC for C&C ever really went away.  You just don’t see it talked about as much in the security press anymore.

From our perspective in Cybersecurity, botnets like this one are reasonably straightforward to defend against.  The attack is coming in through known vulnerabilities which can be identified through traffic analysis even if the exploit is too new to have a patch available.  It’s common to have an identifier for the Intrusion Detection System (IDS) very quickly after a new exploit’s revealed.

If the malware does get in, the bot’s behaviors are easy to identify, as is the C&C traffic.  After all, even if they change the domain name they’re using, IRC protocol traffic is distinct and, honestly, should only be seen coming from a server in very specific circumstances – like when it is and IRC server.

We Know How To Identify This

This is one of the places where security analytics can highlight an infection early in the cycle so automated incident response can nip it in the bud, and the Security Operations team can dig into the details to see what’s going on.  Here, the analytics easily identifies the unusual behaviors that have no place on a server and make the attack stand out.  And it’s not just the server behavior, or behavior on the server.  Traffic analysis can highlight the bot’s lateral movement efforts, scanning, or any of a number of other things you shouldn’t be seeing.  DNS can be a major advantage here, as security intelligence feeds can include suspect domains and, again, the security analytics platform can flag unusual DNS requests.  This goes double when an attacker is using some kind of programmatically generated domain name that reads like the cat walked across the keyboard.

Currently, the FreakOut botnet is only infesting a small number of systems and there’s a good chance it will stay that way.  Patches will come out and be installed, and we can set up our defenses to stop the spread.  The bottom line is that what’s old has become new again.  But in some ways, that makes our job easier, as we have the tools and techniques that can recognize and react to these old-school behaviors and stop them before they get out of hand.