New variants of the Mirai and Hoaxcalls botnets have been targeting an old remote code execution (RCE) vulnerability in legacy Symantec Secure Web Gateway versions, Palo Alto Networks reports.
The targeted vulnerability impacts Symantec Secure Web Gateway 188.8.131.52, a product that reached end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019. No other firmware versions appear to be affected, and Secure Web Gateway solutions such as ProxySG and Web Security Services are not impacted.
Palo Alto Networks’ security researchers initially observed Hoaxcalls targeting this RCE flaw on April 24, and said it was part of an evolution of the botnet first observed earlier that month.
When first discovered, the botnet was aiming to ensnare vulnerable Grandstream business telephone IP PBX systems and Draytek Vigor routers. Several weeks later, it was also targeting a vulnerability in Zyxel Cloud CNM SecuManager.
The updated Hoaxcalls is very similar to the initial variant, but includes support for additional commands, allowing attackers to abuse the compromised devices to proxy traffic, download updates, maintain persistence, and prevent reboots.
Hoaxcalls can launch a variety of distributed denial of service (DDoS) attacks, such as various types of HTTP request floods (CONNECTION, OPTIONS, TRACE, DELETE, PUT, POST, HEAD, and GET), along with URG, PSH, ACK, FIN, RTS, SYN, TCP, and VSE floods.
“The use of the exploit in the wild surfaced only a few days after the publication of the vulnerability details, highlighting the fact that the authors of this particular botnet have been pretty active in testing the effectiveness of new exploits as and when they are made public,” Palo Alto Networks points out.
In the first week of May, the security researchers also observed a Mirai variant exploiting the RCE vulnerability in Symantec Secure Web Gateway 184.108.40.206. Built on Mirai code, this variant features a modified version of UPX.
“In this campaign, the samples themselves don’t contain any DDoS capabilities, but rather serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability,” Palo Alto Networks explains.
What limits the propagation rate of the campaign is the fact that authentication is required for the successful exploitation of the Symantec Secure Web Gateway RCE, and that newer firmware releases are not vulnerable.
Related: Hoaxcalls Botnet Expands Targets List, DDoS Capabilities
Related: New Mirai Variant Delivered to Zyxel NAS Devices Via Recently Patched Flaw
Related: ‘VictoryGate’ Botnet Infected 35,000 Devices via USB Drives