Botnets Target Old Vulnerability in Symantec Secure Web Gateway

New variants of the Mirai and Hoaxcalls botnets have been targeting an old remote code execution (RCE) vulnerability in legacy Symantec Secure Web Gateway versions, Palo Alto Networks reports.

The targeted vulnerability impacts Symantec Secure Web Gateway 5.0.2.8, a product that reached end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019. No other firmware versions appear to be affected, and Secure Web Gateway solutions such as ProxySG and Web Security Services are not impacted.

Palo Alto Networks’ security researchers initially observed Hoaxcalls targeting this RCE flaw on April 24, and said it was part of an evolution of the botnet first observed earlier that month.

When first discovered, the botnet was aiming to ensnare vulnerable Grandstream business telephone IP PBX systems and Draytek Vigor routers. Several weeks later, it was also targeting a vulnerability in Zyxel Cloud CNM SecuManager.

The updated Hoaxcalls is very similar to the initial variant, but includes support for additional commands, allowing attackers to abuse the compromised devices to proxy traffic, download updates, maintain persistence, and prevent reboots.

Hoaxcalls can launch a variety of distributed denial of service (DDoS) attacks, such as various types of HTTP request floods (CONNECTION, OPTIONS, TRACE, DELETE, PUT, POST, HEAD, and GET), along with URG, PSH, ACK, FIN, RTS, SYN, TCP, and VSE floods.

“The use of the exploit in the wild surfaced only a few days after the publication of the vulnerability details, highlighting the fact that the authors of this particular botnet have been pretty active in testing the effectiveness of new exploits as and when they are made public,” Palo Alto Networks points out.

In the first week of May, the security researchers also observed a Mirai variant exploiting the RCE vulnerability in Symantec Secure Web Gateway 5.0.2.8. Built on Mirai code, this variant is packed with a modified version of the UPX packer.

“In this campaign, the samples themselves don’t contain any DDoS capabilities, but rather serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability,” Palo Alto Networks explains.

What limits the propagation rate of the campaign is the fact that authentication is required for the successful exploitation of the Symantec Secure Web Gateway RCE, and that newer firmware releases are not vulnerable.

Related: Hoaxcalls Botnet Expands Targets List, DDoS Capabilities

Related: New Mirai Variant Delivered to Zyxel NAS Devices Via Recently Patched Flaw

Related: ‘VictoryGate’ Botnet Infected 35,000 Devices via USB Drives

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
