
Hoaxcalls Botnet expands the target list and adds new DDoS capabilities

The Hoaxcalls IoT botnet expanded the list of targeted devices and has added new distributed denial of service (DDoS) capabilities.

DDoS protection services provider Radware warns that the Hoaxcalls Internet of Things (IoT) botnet has expanded its list of targeted devices. The researchers also noticed that the operators have implemented new distributed denial of service (DDoS) capabilities.

Hoaxcalls was first spotted in April by researchers from Palo Alto Networks. It borrows code from the Tsunami and Gafgyt botnets and targets the CVE-2020-5722 and CVE-2020-8515 flaws, which affect Grandstream UCM6200 series devices and DrayTek Vigor routers respectively.

Both vulnerabilities have been rated as critical severity (i.e., a CVSS v3.1 score of 9.8 out of 10) because they are easy to exploit.

The botnet was initially designed to launch DDoS attacks using UDP, DNS and HEX floods.

Now security researchers from Radware report having discovered a new version of the Hoaxcalls botnet that targets an unpatched issue in the ZyXEL Cloud CNM SecuManager. The experts also noticed that the new variant implements 16 new DDoS attack vectors.

“On April 20th, 2020, Radware Researchers discovered a new variant of the Hoaxcalls Botnet spreading via an unpatched vulnerability impacting ZyXEL Cloud CNM SecuManager.” reads the report published by Radware. “The series of vulnerabilities impacting ZyXEL were published in full disclosure by Pierre Kim on March 9th, 2020. In addition to a new vector of propagation, the Hoaxcall Botnet also added 16 DDoS attack vectors in the new sample.”

The campaigns observed by Radware employed a number of variants using different combinations of propagation exploits and DDoS attack vectors. Experts speculate that the threat actor behind these campaigns is focused on finding and leveraging new exploits to build a DDoS botnet.

On April 20, the experts uncovered a powerful variant of the botnet that was spreading from a single server; they also revealed that the number of malware hosting servers now exceeds 75.

“A significant increase in attack capabilities compared to the previous sample. Samples discovered by Radware can be found on URLhaus. This specific variant has only been seen propagating via the GrandStream UCM SQL injection vulnerability CVE-2020-5722. In the first 48 hours of discovery, our sensors recorded 15 unique IP addresses spreading malware from a server hosted at 176.123.3.96. Today the number of malware hosting servers has grown to over 75.” continues the report. “Upon initial inspection, the sample appeared to be related to Tsunami, but when reanalyzed at a later date, the sample returned a closer relation to Hoaxcalls.”

The latest variant discovered by the experts and tracked as XTC expands the list of targeted devices by including the exploit for the issue in the ZyXEL Cloud CNM SecuManager.

“The campaigns performed by the actor or group behind XTC and Hoaxcalls include several variants using different combinations of propagation exploits and DDoS attack vectors.” Radware concludes. “It is our opinion that the group behind this campaign is dedicated to finding and leveraging new exploits for the purpose of building a botnet that can be leveraged for large scale DDoS attacks.”


Pierluigi Paganini

(SecurityAffairs – Hoaxcalls, IoT botnet)
