Rewterz Threat Advisory – CVE-2020-12114 – Linux Kernel Denial of Service Vulnerability
May 6, 2020
Severity
High
Analysis Summary
Kaiji is a newly identified malware of Chinese origin that brute forces servers and IoT devices. It spreads exclusively by SSH brute forcing and targets only the root user, since root access is required for the capabilities available to its operators: DDoS attacks, an SSH brute forcer used for spreading, and a second SSH spreader that hijacks known hosts to which the compromised server has connected in the past. Upon execution, the malware copies itself and launches a second instance, which starts the malicious operations, each running in its own goroutine. C2 server addresses are encrypted within the code and are only recovered after passing through a chain of three encryption schemes; a further C2 address is base64-encoded. Four C2 hostnames are present in the code, two of which resolved to localhost. Commands fetched by the main doTask routine include: DDoS instructions, SSH brute force instructions, running shell commands, replacing C2 servers, and deleting itself and removing persistence. The DDoS functionality offers several options for carrying out the attack.
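Because Kaiji spreads only by SSH password guessing against root, the earliest host-side signal is a burst of failed root logins from one source in sshd's auth log. The detector below is an added example, not part of the Rewterz advisory or of any Kaiji analysis; the log lines are constructed, the syslog format and the 5-failures-in-60-seconds threshold are assumptions, and the rule is deliberately root-specific because of what the summary above describes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log sample: a root-only password spray that succeeds, plus two
# non-alerting lines (a non-root guess, and a single root failure from another source).
SAMPLE_AUTH_LOG = """\
May  6 10:00:01 host sshd[2101]: Failed password for root from 198.51.100.23 port 50122 ssh2
May  6 10:00:02 host sshd[2103]: Failed password for root from 198.51.100.23 port 50130 ssh2
May  6 10:00:02 host sshd[2105]: Failed password for root from 198.51.100.23 port 50134 ssh2
May  6 10:00:03 host sshd[2107]: Failed password for root from 198.51.100.23 port 50140 ssh2
May  6 10:00:04 host sshd[2109]: Failed password for root from 198.51.100.23 port 50148 ssh2
May  6 10:00:09 host sshd[2111]: Accepted password for root from 198.51.100.23 port 50160 ssh2
May  6 10:01:30 host sshd[2120]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
May  6 10:15:00 host sshd[2130]: Failed password for root from 192.0.2.9 port 61000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_events(log_text, year=2020):
    """Yield (timestamp, result, user, ip) for every sshd password-auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied for ordering
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_root_bruteforce(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failed root logins inside any window_s span.
    Returns {ip: (failure_count, root_login_succeeded_afterwards)}."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in parse_events(log_text):
        if user == "root":  # Kaiji targets root only, so the rule is root-specific
            (failures if result == "Failed" else successes)[ip].append(ts)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                got_in = any(s >= times[i] for s in successes[ip])
                alerts[ip] = (len(times), got_in)
                break
    return alerts

if __name__ == "__main__":
    for ip, (count, got_in) in detect_root_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {ip}: {count} failed root logins"
              + (", then a successful root login" if got_in else ""))
```

A source that is flagged and then shows an accepted root login is the case to triage first, since that is the point at which the malware copies itself and starts its goroutines.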
Impact
- Brute force
- Run shell commands
Indicators of Compromise
SHA-256
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Check for IOCs in your existing environment.