Security
Headlines
HeadlinesLatestCVEs

Headline

New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread

By Deeba Ahmed The malware, dubbed NKAbuse, uses New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol to spread its infection. This is a post from HackRead.com Read the original post: New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread

HackRead
#vulnerability#linux#ddos#dos#apache#backdoor#botnet#amd

Cybersecurity researchers from Kaspersky’s Global Emergency Response Team (GERT) have identified that the NKAbuse malware is actively targeting devices in Colombia, Mexico, and Vietnam.

Kaspersky’s Global Emergency Response Team (GERT) has discovered a new multiplatform malware threat that uses innovative tactics to hijack victims. The malware, dubbed NKAbuse, uses New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol to spread its infection.

NKAbuse is a Go-based backdoor used as a botnet to target Linux desktops and potentially IoT devices. The malware allows attackers to launch Distributed Denial of Service (DDoS) attacks or fling remote access trojans (RATs).

It is worth noting that the backdoor relies on NKN for anonymous yet reliable data exchange. For your information, NKN is an open-source protocol that allows peer-to-peer data exchange over a public blockchain with over 60,000 active nodes. It aims to provide a decentralized alternative to client-to-server methods while preserving speed and privacy.

The botnet can carry out flooding attacks using the 60,000 official nodes and links back to its C2 (command & control) servers. It features an extensive arsenal of DDoS attacks and multiple features to turn into a powerful backdoor or RAT.

The malware implant creates a structure called “Heartbeat” that communicates with the bot master regularly. It stores information about the infected host, including the victim’s PID, IP address, free memory, and current configuration.

Kaspersky researchers uncovered NKAbuse while investigating an incident targeting one of its customers in the finance sector. Further examination revealed that NKAbuse exploits an old Apache Struts 2 vulnerability (tracked as CVE-2017-5638).

The vulnerability, as reported by Hackread.com in December 2017, allows attackers to execute commands on the server using a “shell” header and Bash and then execute a command to download the initial script.

NKAbuse leverages the NKN protocol to communicate with the bot master and send/receive information. It creates a new account and multiclient to simultaneously send/receive data from multiple clients.

The NKN account is initialized with a 64-character string representing the public key and remote address. Once the client is set up, the malware establishes a handler to accept incoming messages, which contains 42 cases, each performing different actions based on the sent code.

NKN data routing diagram (Image: Kaspersky’s GERT)

Researchers observed that attackers exploited the Struts 2 flaw using a publicly available proof of concept exploit. They executed a remote shell script, determining the victim’s operating system and installing a second-stage payload. Using NKAbuse’s amd64 version, the attack achieved persistence through cron jobs.

“This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host and its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller.”

Kaspersky’s Global Emergency Response Team (GERT)

NKAbuse has no self-propagation functionality and can target at least eight different architectures, although Linux is the priority. Successful implantation can lead to data compromise, theft, remote administration, persistence, and DDoS attacks.

For now, its operators are focusing on infecting devices in Colombia, Mexico, and Vietnam. However, researchers suspect its potential for expansion over time.

****RELATED ARTICLES****

  1. Free Download Manager Site Pushed Linux Password Stealer
  2. New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms
  3. Hamas Hackers Targeting Israelis with New BiBi-Linux Wiper Malware
  4. Kinsing Crypto Malware Hits Linux Systems via Apache ActiveMQ Flaw
  5. Looney Tunables Linux Vulnerability Exposes Millions of Systems to Attack

Related news

New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks

A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel. "The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file

Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated

AppSec Playbook 2023: Study of 829M Attacks on 1,400 Websites

The total number of 61,000 open vulnerabilities, including 1,700 critical ones that have been open for 180+ days, exposes businesses to potential attacks.

CVE-2022-26482: Security Center

An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2017-3636: Oracle Critical Patch Update Advisory - July 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

CVE-2017-3600: Oracle Critical Patch Update Advisory - April 2017

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. Note: CVE-2017-3600 is equivalent to CVE-2016-5483. CVSS 3.0 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).