GitPaste-12 is a new malware worm that targets Linux-based x86 servers and Linux ARM- and MIPS-based IoT devices, using 12 different attack vectors (with possibly more under development). The worm uses GitHub and Pastebin to download its malicious code (the dropper) – hence its name. GitHub and Pastebin are two well-known websites that enterprises usually do not block, and connections to them are encrypted.
GitPaste-12, discovered by Juniper Threat Labs researchers, has a very low detection rate because it can mimic processes and prevent administrators from collecting information about running processes. After compromising a device, the worm attacks cloud infrastructure, mines cryptocurrency, and spreads itself to additional connected devices using the same 12 attack vectors.
Technical analysis
The first phase of the attack is the initial system compromise. The malware's attack modules include 11 previously disclosed vulnerabilities, such as the Apache Struts vulnerability (CVE-2017-5638) that led to the massive Equifax breach affecting the data of 143 million Americans; a vulnerability in mongo-express, a web-based MongoDB admin interface (CVE-2019-10758); and a widely exploited vulnerability in the Webadmin plugin for OpenDreambox (CVE-2017-14135), which impacted 32% of companies globally.
Full list of GitPaste-12 known vulnerabilities

| Vulnerability | Remediation |
|---|---|
| Apache Struts (CVE-2017-5638) | Upgrade to Apache Struts 2.3.32 / 2.5.10.1 or later. |
| ASUS RT (CVE-2013-5948) | N/A |
| Mongo-express (CVE-2019-10758) | Upgrade mongo-express to version 0.54.0 or higher. |
| Tenda AC15 AC1900 routers (CVE-2020-10987) | No response from the vendor. |
| Webadmin plugin for OpenDreambox (CVE-2017-14135) | Update the IPS in your Security Gateway product. |
| HiSilicon IPTV/H.264/H.265 video encoders (CVE-2020-24217) | Pending the vendor's remediation process. |
| Realtek rtl81xx SDK | No response from the vendor. Restrict interaction with the service to trusted machines using firewall rules, whitelisting, etc. |
| D-Link DIR-816L devices | Product reached "End of Life". |
| Netlink GPON Router 1.0.11 (EDB-ID:48225) | N/A |
| AVTECH IP Camera, NVR, and DVR Devices (EDB-ID:40500) | N/A |
| Huawei HG532 | 1. Configure the built-in firewall function. 2. Change the default password. 3. Deploy a firewall at the carrier side. 4. Customers can deploy Huawei Next Generation Firewall or data center firewalls, and upgrade the IPS signature database to the latest version IPS_H20011000_2017120100 (released on December 1, 2017) to detect and defend against exploits of this vulnerability initiated from the Internet. |
In addition to the 11 known vulnerabilities, GitPaste-12 also spreads itself via Telnet brute-force attacks. After a system is compromised, a main shell script is delivered to the victim's machine via Pastebin.com, and it immediately starts downloading and executing the other components.
In its next step, by running a script called Shadu1, the malware strips the system of its defenses, including firewall rules, SELinux, AppArmor, monitoring software, and cloud security agents.
Some of the commands and hostnames in the script reveal that GitPaste-12 is designed to attack cloud computing infrastructure provided by Alibaba Cloud and Tencent.
The malware can also run a cryptominer for the Monero cryptocurrency.
“The Gitpaste-12 also prevents administrators from collecting information about running processes by intercepting ‘readdir’ system calls and skipping directories for processes like tcpdump, sudo, openssl, etc. in ‘/proc’,” said researchers. (The ‘/proc’ directory in Linux contains information about running processes. It is used, for example, by the ‘ps’ command to expose information.)
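One host-side check for the /proc hiding described in the quote above, as an added example that is not code from the original post or from Juniper's analysis: it enumerates /proc twice with readdir (the call the malware hooks) and once by stat()-ing every /proc/<pid> path directly, then reports PIDs that only the direct probe can see. It assumes a Linux host and that the hook filters readdir results only, not direct path lookups; all names in it are the author's own.

```python
import os
import sys

PROC = "/proc"  # procfs; the entries for tcpdump, sudo, openssl etc. live here


def pids_via_readdir(proc=PROC):
    """PID set as returned by readdir() on /proc. A userland readdir hook
    (the technique described above) can silently drop entries from this list."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_via_probe(proc=PROC, max_pid=None):
    """PID set found by stat()-ing /proc/<n> for every candidate n.
    Assumption: the hook filters only readdir, so direct path lookups still
    succeed. Walks up to pid_max, which may take a little while."""
    if max_pid is None:
        try:
            with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
                max_pid = int(f.read().strip())
        except (OSError, ValueError):
            max_pid = 32768  # classic default when pid_max is unreadable
    return {n for n in range(1, max_pid + 1)
            if os.path.isdir(os.path.join(proc, str(n)))}


def hidden_pids(before, probed, after):
    """PIDs seen by probing but absent from readdir passes taken before AND
    after the probe. Requiring both passes filters out processes that were
    merely created during the probe (they show up in 'after')."""
    return probed - before - after


def comm_of(pid, proc=PROC):
    """Short command name from /proc/<pid>/comm, or None if it already exited."""
    try:
        with open(os.path.join(proc, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return None


def audit(proc=PROC):
    """Return {pid: comm} for processes hidden from readdir-based tools (ps, top)."""
    before = pids_via_readdir(proc)
    probed = pids_via_probe(proc)
    after = pids_via_readdir(proc)
    report = {}
    for pid in sorted(hidden_pids(before, probed, after)):
        name = comm_of(pid, proc)
        if name is not None:  # skip PIDs that exited mid-scan: a race, not hiding
            report[pid] = name
    return report


if __name__ == "__main__":
    hidden = audit()
    for pid, name in hidden.items():
        print(f"HIDDEN pid={pid} comm={name}")
    sys.exit(1 if hidden else 0)
```

A non-empty report means something is filtering the directory listing of /proc; it does not identify the hooking mechanism itself.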
Finally, the malware randomly chooses a /8 CIDR range to attack and tries to replicate itself to every address within that range. Another version of the script also opens ports 30004 (TCP) and 30005 (a bidirectional SOAP/HTTP-based protocol) for reverse-shell commands.
Conclusions
Juniper’s researchers said they reported the Pastebin URL, as well as the Git repo that downloads malicious scripts for the malware. The Git repo was closed on Oct. 30, 2020.
The number of IoT cyberattacks is on the rise, and the attacks are becoming more sophisticated and easier to spread. IoT devices remain low-hanging fruit for attackers for several reasons: human error stemming from the pressure for fast development and delivery, R&D and third-party cooperation, the use of open-source components, infrequent updates, products reaching End of Life/End of Service, and budget constraints.
GitPaste-12 is malware that ultimately "drops" a malicious program onto the device and changes its behavior. When a device's resources and its availability of updates are limited, the device must be sealed against unauthorized code modification before it leaves the manufacturer, both at the memory level (in-memory) and at the application level.
Karamba’s XGuard suite would have prevented the GitPaste-12 attack, by blocking the malware from uploading the malicious code to the device using XGuard’s automated application whitelisting.