Juniper Threat Labs recently discovered a new worm, Gitpaste-12, which uses GitHub and Pastebin and has at least 12 different attack modules available. It is dubbed Gitpaste-12 because it uses GitHub and Pastebin and has 12 ways to compromise a system. The malware targets Linux-based x86 servers as well as Linux ARM- and MIPS-based IoT devices.
12 different attack modules
Juniper Threat Labs detected the first 12 attacks made by Gitpaste-12 on October 15 and reported the Pastebin URL and the git repo in question. The git repo was closed on October 30. A script included in Gitpaste-12 also launches attacks against other machines so that the worm can replicate and spread. Gitpaste-12 uses 11 vulnerabilities and a telnet brute forcer to spread. Known vulnerabilities include:
- CVE-2017-14135: Webadmin plugin for opendreambox
- CVE-2020-24217: HiSilicon-based IPTV/H.264/H.265 video encoders
- CVE-2017-5638: Apache Struts
- CVE-2020-10987: Tenda router
- CVE-2014-8361: Miniigd SOAP service in Realtek SDK
- CVE-2020-15893: UPnP in D-Link routers
- CVE-2013-5948: Asus routers
- EDB-ID: 48225: Netlink GPON Router
- EDB-ID: 40500: AVTECH IP Camera
- CVE-2019-10758: MongoDB
- CVE-2017-17215: Huawei router
Juniper Threat Labs also stated,
“No malware is good to have, but worms are particularly annoying. Their ability to spread in an automated fashion can lead to lateral spread within an organization or to your hosts attempting to infect other networks across the internet, resulting in poor reputation for your organization. Juniper Connected Security customers using SRX IDP and Juniper ATP Cloud are protected against Gitpaste-12.”