FortiGuard Labs is aware of a new variant of the modular malware “Kaiji” targeting Windows and Linux machines and devices belonging to both consumers and enterprises in Europe. Dubbed “Chaos”, the malware connects to command and control (C2) servers and performs various activities, including launching Distributed Denial of Service (DDoS) attacks and mining cryptocurrencies.

Why is this Significant?
This is significant because the Chaos malware targets both consumers and enterprises in Europe by exploiting various vulnerabilities. Infected machines join a botnet, which is then used for malicious activities such as DDoS attacks and cryptocurrency mining.

What is Chaos Malware?
Chaos is a Go-based modular malware for Windows and Linux and is allegedly an updated version of the Kaiji malware. Chaos connects to C2 servers and receives remote commands as well as modules that add functionality. According to the security vendor Black Lotus Labs, Chaos is primarily used for DDoS attacks and cryptocurrency mining. It is also designed to spread to other systems through SSH and by exploiting various vulnerabilities.
It is important to note that a ransomware with a similar name exists (Chaos ransomware), but the two are completely unrelated.

What Vulnerabilities Does Chaos Exploit for Propagation?
According to Black Lotus Labs, Chaos malware exploits the following vulnerabilities:
Command Execution vulnerability in Huawei HG532 routers (CVE-2017-17215)
Command Injection vulnerability in Zyxel firewalls (CVE-2022-30525)
Note that since Chaos is modular and receives remote commands, it may exploit other vulnerabilities, including the Authentication Bypass vulnerability in F5 BIG-IP (CVE-2022-1388).

Have Vendors Released Patches for CVE-2017-17215, CVE-2022-30525 and CVE-2022-1388?
Patches are available for CVE-2022-30525 and CVE-2022-1388. We are currently unaware of any vendor-supplied patches for CVE-2017-17215.

What is the Status of Protection?
FortiGuard Labs detects Chaos DDoS malware with the following AV signatures:
Linux/Kaiji.C!tr
W32/Ransom_Foreign.R002C0WG222
W32/PossibleThreat
FortiGuard Labs provides the following IPS signatures for the vulnerabilities exploited by Chaos malware:
Huawei.HG532.Remote.Code.Execution (CVE-2017-17215)
ZyXEL.Firewall.ZTP.Command.Injection (CVE-2022-30525)
F5.BIG-IP.iControl.REST.Authentication.Bypass (CVE-2022-1388)
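The advisory notes that Chaos spreads to other systems through SSH. One generic check a defender can run on hosts in scope is a triage of sshd authentication logs for sources that rack up failed logins and for successes that follow earlier failures from the same source. The script below is an added example written for this page; it is not FortiGuard or Black Lotus Labs code and carries no Chaos-specific indicator. It assumes OpenSSH's standard syslog message forms ("Failed password for …", "Accepted publickey for …"), and the sample log lines, host name, user names and RFC 5737 documentation addresses are constructed.

```python
"""Generic sshd auth-log triage (added example, not from the advisory).

Two heuristics a defender can apply to hosts that may be reached over SSH:
  1. a source address with many failed logins (possible credential guessing);
  2. a successful login from a source that had already failed (possible
     compromised or guessed credential worth a closer look).
"""
import re
from collections import defaultdict

# OpenSSH syslog message forms this parser understands (assumed format):
#   "... sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2"
#   "... sshd[1210]: Accepted publickey for alice from 198.51.100.4 port 50000 ssh2"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd_line(line):
    """Return a dict with result/method/user/src, or None for non-auth lines."""
    m = SSHD_RE.search(line)
    return m.groupdict() if m else None


def triage_sshd_log(lines, fail_threshold=5):
    """Return (noisy_sources, success_after_failure).

    noisy_sources: sorted source addresses with >= fail_threshold failures.
    success_after_failure: (src, user, method) for each accepted login from a
    source that had at least one earlier failure in the same log window.
    """
    failures = defaultdict(int)
    success_after_failure = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue  # not an auth result line (e.g. session open/close)
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif failures.get(ev["src"], 0) > 0:
            success_after_failure.append((ev["src"], ev["user"], ev["method"]))
    noisy = sorted(src for src, n in failures.items() if n >= fail_threshold)
    return noisy, success_after_failure


# Constructed sample log lines (not real telemetry): five failures from one
# source followed by a successful password login, plus benign noise.
SAMPLE_LOG = [
    "Sep 30 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2",
    "Sep 30 10:00:02 host1 sshd[1202]: Failed password for invalid user pi from 203.0.113.7 port 41030 ssh2",
    "Sep 30 10:00:03 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 41041 ssh2",
    "Sep 30 10:00:04 host1 sshd[1204]: Failed password for root from 203.0.113.7 port 41055 ssh2",
    "Sep 30 10:00:05 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 41063 ssh2",
    "Sep 30 10:00:09 host1 sshd[1210]: Accepted password for root from 203.0.113.7 port 41100 ssh2",
    "Sep 30 10:00:09 host1 sshd[1210]: pam_unix(sshd:session): session opened for user root",
    "Sep 30 10:01:00 host1 sshd[1250]: Accepted publickey for alice from 198.51.100.4 port 50000 ssh2",
    "Sep 30 10:02:00 host1 sshd[1260]: Failed password for bob from 198.51.100.9 port 50010 ssh2",
]

if __name__ == "__main__":
    noisy, suspicious = triage_sshd_log(SAMPLE_LOG)
    print("sources at/above failure threshold:", noisy)
    print("successful logins after earlier failures:", suspicious)
```

On a live host the same functions can be fed `journalctl -u ssh` or `/var/log/auth.log` line by line; the threshold and window are tuning knobs, and a hit is a prompt to review the account and source, not a verdict on its own.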
Category Archives: Advisories
python-oauthlib-3.2.1-1.fc37
FEDORA-2022-5a74a5eea7
Packages in this update:
python-oauthlib-3.2.1-1.fc37
Update description:
Update spec file and sources for 3.2.1
Fixes CVE-2022-36087
lighttpd-1.4.67-1.el8
FEDORA-EPEL-2022-39cd10714f
Packages in this update:
lighttpd-1.4.67-1.el8
Update description:
1.4.67
expat-2.4.9-1.fc35
FEDORA-2022-c68d90efc3
Packages in this update:
expat-2.4.9-1.fc35
Update description:
Rebase to 2.4.9
expat-2.4.9-1.fc36
FEDORA-2022-15ec504440
Packages in this update:
expat-2.4.9-1.fc36
Update description:
Rebase to 2.4.9
php-twig3-3.4.3-1.fc37
FEDORA-2022-42aa6ee852
Packages in this update:
php-twig3-3.4.3-1.fc37
Update description:
Version 3.4.3 (2022-09-28)
Fix a security issue on filesystem loader (possibility to load a template outside a configured directory)
php-twig3-3.4.3-1.fc35
FEDORA-2022-e915614918
Packages in this update:
php-twig3-3.4.3-1.fc35
Update description:
Version 3.4.3 (2022-09-28)
Fix a security issue on filesystem loader (possibility to load a template outside a configured directory)
php-twig3-3.4.3-1.fc36
FEDORA-2022-b7dcd1cde4
Packages in this update:
php-twig3-3.4.3-1.fc36
Update description:
Version 3.4.3 (2022-09-28)
Fix a security issue on filesystem loader (possibility to load a template outside a configured directory)
expat-2.4.9-1.fc37
FEDORA-2022-3c52402aec
Packages in this update:
expat-2.4.9-1.fc37
Update description:
Rebase to 2.4.9
php-twig2-2.15.3-1.fc35
FEDORA-2022-d39b2a755b
Packages in this update:
php-twig2-2.15.3-1.fc35
Update description:
Version 2.15.3 (2022-09-28)
Fix a security issue on filesystem loader (possibility to load a template outside a configured directory)