A new version of the WatchBog malware is able to scan for Windows systems vulnerable to BlueKeep, according to an Intezer Labs report. In the past, the malware infected Linux-based servers using exploits for vulnerabilities in Jira, Exim, Nexus Repository Manager 3, ThinkPHP and Solr Linux.
“Among the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to third party vendors for profit,” Intezer Labs specialists report.
BlueKeep affects Remote Desktop Services, formerly known as Terminal Services. Exploiting the vulnerability requires neither authentication nor any user interaction. In other words, it is “worm-like”: it allows malware to spread from computer to computer on its own, just as WannaCry spread around the world in 2017.
The BlueKeep scanner included in WatchBog is a modified version of a Python scanner designed to detect the remote code execution vulnerability in RDP (CVE-2019-0708). Once running on an infected device, the scanner checks every IP address in a list received from the C&C server.
When the scan is complete, WatchBog sends the list of vulnerable hosts back to the C&C server. The researchers believe the attackers are collecting information about vulnerable systems for use in further attacks or for sale to third parties.
In addition to exploits for vulnerabilities in Jira, Exim, Nexus Repository Manager 3, Solr Linux and Jenkins, the researchers found two modules that brute-force CouchDB and Redis installations and achieve remote code execution on them.
A detailed technical analysis of BlueKeep, together with incomplete PoC code for attacks on systems running Windows XP, was previously published on GitHub.
Prevention and Response
- We recommend updating your relevant software to its latest version.
- We suggest that Windows users refer to Microsoft’s customer guidance in order to mitigate the BlueKeep vulnerability.
- We suggest that Linux users who run Exim, Jira, Solr, Jenkins or Nexus Repository Manager 3 update to the latest versions.
- We suggest that Linux users who run Redis or CouchDB ensure that no ports are exposed outside of trusted networks.
- We recommend that Linux users who suspect they are infected with WatchBog check for the existence of the “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/tmp/.gooobb” file.
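The last recommendation can be turned into a small host check. The script below is an added example, not code from Intezer Labs or from the article; it assumes that the two file names quoted above are the only indicators to look for, and it takes the directory as a parameter purely so the check can be exercised against a constructed directory instead of the real /tmp. Absence of the files does not prove a host is clean, so treat a zero result as "no known indicator found", not as a clean bill of health.

```shell
#!/bin/sh
# Added example: look for the WatchBog indicator files named in the article.
# Indicator file names as given in the Intezer Labs recommendation (relative to /tmp).
WATCHBOG_IOC_FILES=".tmplassstgggzzzqpppppp12233333 .gooobb"

# watchbog_ioc_count [DIR]
# Prints the number of indicator files present in DIR (default /tmp) and
# reports each hit on stderr. DIR is a parameter only as a test hook.
watchbog_ioc_count() {
    dir="${1:-/tmp}"
    found=0
    for name in $WATCHBOG_IOC_FILES; do
        if [ -e "$dir/$name" ]; then
            echo "indicator present: $dir/$name" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# watchbog_check [DIR]
# Exit status 0 when no indicator file is present, 1 when at least one is.
watchbog_check() {
    count=$(watchbog_ioc_count "${1:-/tmp}")
    [ "$count" -eq 0 ]
}

# When run directly, check the real /tmp and report the result.
watchbog_check /tmp && echo "no WatchBog indicator files found in /tmp"
```

Run it as `sh watchbog_check.sh` on the suspect host; a non-zero exit status means at least one of the two files exists and the host should be isolated and examined further rather than simply cleaned, since the file names are only one artefact of the infection.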