New variants of the Mirai and Hoaxcalls botnets have been targeting an old remote code execution (RCE) vulnerability in legacy Symantec Secure Web Gateway versions, Palo Alto Networks reports.
The targeted vulnerability impacts Symantec Secure Web Gateway 5.0.2.8, a product that reached end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019. No other firmware versions appear to be affected, and Secure Web Gateway solutions such as ProxySG and Web Security Services are not impacted.
Palo Alto Networks’ security researchers initially observed Hoaxcalls targeting this RCE flaw on April 24, and said it was part of an evolution of the botnet first observed earlier that month.
When first discovered, the botnet was aiming to ensnare vulnerable Grandstream business telephone IP PBX systems and Draytek Vigor routers. Several weeks later, it was also targeting a vulnerability in Zyxel Cloud CNM SecuManager.
The updated Hoaxcalls is very similar to the initial variant, but includes support for additional commands, allowing attackers to abuse the compromised devices to proxy traffic, download updates, maintain persistence, and prevent reboots.
Hoaxcalls can launch a variety of distributed denial of service (DDoS) attacks, such as various types of HTTP request floods (CONNECTION, OPTIONS, TRACE, DELETE, PUT, POST, HEAD, and GET), along with URG, PSH, ACK, FIN, RTS, SYN, TCP, and VSE floods.
“The use of the exploit in the wild surfaced only a few days after the publication of the vulnerability details, highlighting the fact that the authors of this particular botnet have been pretty active in testing the effectiveness of new exploits as and when they are made public,” Palo Alto Networks points out.
In the first week of May, the security researchers also observed a Mirai variant exploiting the RCE vulnerability in Symantec Secure Web Gateway 5.0.2.8. Built on Mirai code, this variant features a modified version of UPX.
“In this campaign, the samples themselves don’t contain any DDoS capabilities, but rather serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability,” Palo Alto Networks explains.
What limits the propagation rate of the campaign is the fact that authentication is required for the successful exploitation of the Symantec Secure Web Gateway RCE, and that newer firmware releases are not vulnerable.
Related: Hoaxcalls Botnet Expands Targets List, DDoS Capabilities
Related: New Mirai Variant Delivered to Zyxel NAS Devices Via Recently Patched Flaw
Related: ‘VictoryGate’ Botnet Infected 35,000 Devices via USB Drives
More from Ionut Arghire
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- Apria Healthcare Notifying 2 Million People of Years-Old Data Breaches
- European Cybersecurity Firm Sekoia.io Raises $37.5 Million
- GitLab Security Update Patches Critical Vulnerability
- Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
