Researchers have discovered a previously unseen cross-platform malware variant that has infected a range of Linux and Windows systems, from small office routers and FreeBSD machines to large enterprise servers.
Black Lotus Labs, the research arm of security firm Lumen, named the malware ‘Chaos’, a term that appears repeatedly in the malware’s file names and certificates. The first batch of Chaos control servers went live on April 16.
Between June and mid-July, the researchers identified hundreds of IP addresses belonging to Chaos-infected devices. The number of staging servers deployed to infect new devices rose from 39 in May to 93 in August, and stood at 111 as of Tuesday.
Why is Chaos so effective?
Black Lotus has observed interactions with the staging servers from both embedded Linux devices and enterprise servers, including one in Europe hosting a GitLab instance. Roughly 100 distinct samples have been found in the wild.
In a blog post published on Wednesday, Black Lotus Labs researchers stated that Chaos’ effectiveness originates from a few aspects. For starters, it’s intended to be compatible with a variety of architectures, notably ARM, Intel (i386), MIPS and PowerPC, as well as Windows and Linux operating systems.
Secondly, unlike large-scale ransomware distribution botnets such as Emotet, which rely on spam to spread and grow, Chaos propagates using stolen SSH keys, known CVEs and brute-force attacks.
Update, update, update
The geographic distribution of infected IP addresses shows that Chaos infections are concentrated mainly in Europe, with smaller hotspots in North America, South America and the Asia-Pacific region.
The two most important measures organizations can take to protect themselves from Chaos infestations are keeping routers, servers and other equipment updated, and using strong passwords and FIDO2-based authentication wherever possible.
A gentle reminder to all small office router owners: most router malware cannot survive a reboot, so consider rebooting your devices once or twice a week. For authentication, SSH users should always use key-based authentication rather than passwords.
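Since the article names SSH brute-forcing as one of Chaos' propagation methods, a simple detection check is worth having. The following Python script is an added example, not code from the article or from Black Lotus Labs: it scans sshd log lines, flags any source that reaches a threshold of failed password attempts, and raises a higher-priority alert if a password login later succeeds from that same source. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the article); addresses are placeholders.
SAMPLE_LOG = """\
Sep 27 10:01:02 host sshd[1201]: Failed password for root from 192.0.2.10 port 50211 ssh2
Sep 27 10:01:03 host sshd[1201]: Failed password for root from 192.0.2.10 port 50212 ssh2
Sep 27 10:01:04 host sshd[1201]: Failed password for admin from 192.0.2.10 port 50213 ssh2
Sep 27 10:01:05 host sshd[1201]: Failed password for invalid user pi from 192.0.2.10 port 50214 ssh2
Sep 27 10:01:06 host sshd[1201]: Failed password for root from 192.0.2.10 port 50215 ssh2
Sep 27 10:01:09 host sshd[1202]: Accepted password for root from 192.0.2.10 port 50216 ssh2
Sep 27 10:02:00 host sshd[1210]: Accepted publickey for deploy from 198.51.100.5 port 40100 ssh2
Sep 27 10:02:30 host sshd[1211]: Failed password for bob from 198.51.100.7 port 40200 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <src> port" format.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (password|publickey) for (?:invalid user )?(\S+) from (\S+) port"
)


def analyze(log_text, threshold=5):
    """Return (alerts, failure_counts) for the given sshd log text.

    alerts is a list of (alert_type, source_ip, user) tuples:
      - "brute_force": the source reached `threshold` failed password logins
      - "success_after_brute_force": a password login succeeded from a source
        that had already reached the threshold (the case to investigate first)
    """
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated sshd message or non-sshd line
        result, method, user, src = m.groups()
        if result == "Failed" and method == "password":
            failures[src] += 1
            if failures[src] == threshold:  # fire once per source, not on every failure
                alerts.append(("brute_force", src, user))
        elif result == "Accepted" and method == "password" and failures[src] >= threshold:
            alerts.append(("success_after_brute_force", src, user))
        # Accepted publickey logins are the desired state and are left alone here.
    return alerts, dict(failures)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)[0]:
        print(alert)
```

The threshold and the choice to alert only on password logins reflect the article's advice that SSH access should be key-based; on a keys-only host any "Accepted password" line is itself worth a look.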