Category Archives: Cyber Crime

New ShellBot bot targets poorly managed Linux SSH Servers

New ShellBot DDoS bot malware, aka PerlBot, is targeting poorly managed Linux SSH servers, ASEC researchers warn.

AhnLab Security Emergency response Center (ASEC) discovered a new variant of the ShellBot malware that was employed in a campaign that targets poorly managed Linux SSH servers.

ShellBot, also known as PerlBot, is a Perl-based DDoS bot that uses the IRC protocol for C2 communications.

ShellBot performs SSH brute-force attacks against servers that have port 22 open, using a dictionary that contains a list of commonly used SSH credentials.

“The ShellBot malware strains that are going to be covered in this post are believed to have been installed after threat actors used account credentials that have been obtained through the use of scanners and SSH BruteForce malware on target systems.” reads the ASEC report. “After scanning systems that have operational port 22s, threat actors search for systems where the SSH service is active and uses a list of commonly used SSH account credentials to initiate their dictionary attack.”

Below is a list of the account credentials used by ShellBot operators to compromise the target servers:

User     Password
deploy   password
hadoop   hadoop
oracle   oracle
root     11111
root     Passw0rd
ttx      ttx2011
ubnt     ubnt

The researchers categorized the ShellBot into three different groups since threat actors can create their own versions: LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK.

LiGhT’s Modded perlbot v2 and DDoS PBot v2.0 support multiple DDoS attack commands using the HTTP, TCP, and UDP protocols. PowerBots (C) GohacK supports backdoor features, including a reverse shell and file download capabilities.

The researchers recommend using strong passwords for admin accounts and changing them periodically to protect Linux servers from brute-force and dictionary attacks. They also recommend keeping the servers up to date and using security software.
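As an added example (not part of the ASEC report or this article), the following Python script scans OpenSSH authentication log lines for the dictionary-attack pattern described above: a burst of failed password logins from one source spread across several accounts, with the usernames from the list above used as a campaign hint, and a success after the burst flagged as a likely compromise. The log lines, field names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Usernames from the ShellBot dictionary reported above; a hit on these
# alongside a burst of failures hints at this campaign rather than random noise.
SHELLBOT_USERS = {"deploy", "hadoop", "oracle", "root", "ttx", "ubnt"}

# Matches OpenSSH password-authentication lines as written to auth.log.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5   # failures from one source before we call it brute force (assumed)
DISTINCT_USERS = 3   # ...spread over this many accounts = dictionary attack (assumed)


@dataclass
class SourceStats:
    failures: int = 0
    users: set = field(default_factory=set)
    accepted_after_failures: list = field(default_factory=list)


def parse_auth_lines(lines):
    """Yield (result, user, ip) for every sshd password event in the log."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m["result"], m["user"], m["ip"]


def detect_ssh_dictionary_attacks(lines):
    """Return {source_ip: finding} for sources showing a ShellBot-style pattern."""
    stats = defaultdict(SourceStats)
    for result, user, ip in parse_auth_lines(lines):
        s = stats[ip]
        if result == "Failed":
            s.failures += 1
            s.users.add(user)
        elif s.failures >= FAIL_THRESHOLD:
            # A success only after a burst of failures is the brute-force
            # outcome the report describes, not a normal login.
            s.accepted_after_failures.append(user)
    findings = {}
    for ip, s in stats.items():
        if s.failures < FAIL_THRESHOLD or len(s.users) < DISTINCT_USERS:
            continue
        findings[ip] = {
            "failures": s.failures,
            "usernames": sorted(s.users),
            "shellbot_dictionary_hits": sorted(s.users & SHELLBOT_USERS),
            "compromised_accounts": s.accepted_after_failures,
            "severity": "critical" if s.accepted_after_failures else "high",
        }
    return findings


# Constructed sample log: one dictionary attack that ends in a successful
# root login, plus one legitimate user with a single typo and a key login.
SAMPLE_LOG = """\
Mar 20 10:01:02 srv sshd[2101]: Failed password for deploy from 198.51.100.23 port 51234 ssh2
Mar 20 10:01:03 srv sshd[2102]: Failed password for invalid user hadoop from 198.51.100.23 port 51236 ssh2
Mar 20 10:01:04 srv sshd[2103]: Failed password for invalid user oracle from 198.51.100.23 port 51238 ssh2
Mar 20 10:01:05 srv sshd[2104]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar 20 10:01:06 srv sshd[2105]: Failed password for invalid user ubnt from 198.51.100.23 port 51242 ssh2
Mar 20 10:01:07 srv sshd[2106]: Failed password for root from 198.51.100.23 port 51244 ssh2
Mar 20 10:01:09 srv sshd[2107]: Accepted password for root from 198.51.100.23 port 51246 ssh2
Mar 20 10:02:11 srv sshd[2110]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Mar 20 10:02:15 srv sshd[2111]: Accepted publickey for alice from 203.0.113.7 port 40003 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, finding in detect_ssh_dictionary_attacks(SAMPLE_LOG).items():
        print(ip, finding)
```

On a real host, feed it `/var/log/auth.log` or `journalctl -u ssh` output; a "critical" finding means the password rotation the researchers recommend is already overdue for that account.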

“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor. Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShellBot)

Ferrari confirms data breach after receiving a ransom demand from an unnamed extortion group

Ferrari disclosed a data breach after receiving a ransom demand from an unnamed extortion group that gained access to some of its IT systems.

Ferrari disclosed a data breach after it received a ransom demand from an unnamed extortion group that breached its IT systems. The threat actor claims to have stolen certain client details. The company immediately launched an investigation into the incident with the support of a third-party cybersecurity firm and informed relevant authorities.

“Ferrari N.V. (NYSE/EXM: RACE) (“Ferrari”) announces that Ferrari S.p.A., its wholly-owned Italian subsidiary, was recently contacted by a threat actor with a ransom demand related to certain client contact details.” reads the notice published by the luxury car maker. “Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm. In addition, we informed the relevant authorities and are confident they will investigate to the full extent of the law.”

“The threat actor had access to a limited number of systems in our IT environment.” According to the company, the exposed data include customers’ names, addresses, email addresses, and telephone numbers. Financial data, such as payment details and bank account information, was not accessed by the attackers.

“As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.” continues the statement. “Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident.”

In October 2022, the Italian luxury sports car manufacturer confirmed that internal documents were available online, but said it had no evidence of a cyber attack.

The RansomEXX ransomware group claimed to have stolen 6.99GB of data, including internal documents, datasheets, repair manuals, etc.

At the time of this writing, the statement published by the company suggests that the two events are not linked.


Crooks stole more than $1.5M worth of Bitcoin from General Bytes ATMs

Cryptocurrency ATM maker General Bytes suffered a security breach over the weekend in which hackers stole $1.5M worth of cryptocurrency.

Cryptocurrency ATM manufacturer General Bytes suffered a security incident that resulted in the theft of $1.5M worth of cryptocurrency. GENERAL BYTES is the world’s largest Bitcoin, Blockchain, and Cryptocurrency ATM manufacturer.

The company revealed that the threat actors exploited a zero-day vulnerability, tracked as BATM-4780, that resides in the master service interface that Bitcoin ATMs use to upload videos. After exploiting the flaw, the remote attackers uploaded a JavaScript script and executed it with ‘batm’ user privileges.

“The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to server.” reported the Security Incident notice published by the company.

“The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider). Using this security vulnerability, attacker uploaded his own application directly to application server used by admin interface. Application server was by default configured to start applications in its deployment folder.”

Once the uploaded script executed, the attackers gained access to the database and were able to read and decrypt the API keys used to access funds in hot wallets and on exchanges.

The attackers were able to send funds from hot wallets and download user names and password hashes. The hackers were also able to turn off the two-factor authentication (2FA).

The threat actors also gained access to terminal event logs and scanned them for any instance where customers had scanned a private key at the ATM.

The company provided information on how to secure GB ATM servers (CAS) and recommends that all its customers implement the recommended measures.

“Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN. With VPN/Firewall attackers from open internet cannot access your server and exploit it. If your server was breached please reinstall the whole server including operation system.” continues the notice. “Additionally consider your all user’s passwords, and API keys to exchanges and hot wallets to be compromised. Please invalidate them and generate new keys & password. The CAS security fix is provided in two server patch releases, 20221118.48 and 20230120.44.”

The notice provides a list of crypto addresses used in the attack along with three IP addresses used by attackers.

The analysis of the wallets included in the notice revealed that the attackers stole more than $1.5 million worth of Bitcoin (56 BTC) from roughly 15 operators. Attackers also stole funds in other cryptocurrencies.

In August, threat actors exploited a zero-day vulnerability in the General Bytes Bitcoin ATM servers to steal BTC from multiple customers.


Emotet is back after a three-month hiatus

The infamous Emotet malware is back after a short hiatus, and threat actors are spreading it via Microsoft OneNote email attachments.

The Emotet malware returns after a three-month hiatus and threat actors are distributing it via Microsoft OneNote email attachments to avoid detection.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542.

The infamous banking trojan was also used to deliver other malicious code, such as the Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.

In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser.

Over time, Emotet operators have enhanced their attack chain by employing multiple attack vectors to remain under the radar.

The operators remained inactive between July and November 2022. In November, Proofpoint researchers warned of the return of the Emotet malware after having observed a high-volume malspam campaign delivering payloads like IcedID and Bumblebee.

MalwareBytes researchers noticed that the new campaign was powered by the botnet Epoch 4.

“Last week, Emotet returned after a three month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.” reads the post published by MalwareBytes. “One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet’s turn to follow along.”

The OneNote file attachment poses as a fake notification stating that the document is protected. The recipient is instructed to double-click the View button in the document, which causes the victim to inadvertently double-click an embedded script file instead.

The Windows scripting engine (wscript.exe) then executes the following script:

%Temp%\OneNote\16.0\NT\0\click.wsf

This heavily obfuscated script retrieves the Emotet binary payload from a remote server.

The malicious DLL is then executed via regsvr32.exe to install the notorious malware on the target system.
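As an added illustration (not from the MalwareBytes or Cofense reports), this Python snippet turns that execution chain into a detection over process-creation events: a OneNote parent launching wscript.exe on a .wsf file in the %Temp%\OneNote\...\NT\ drop directory, followed by regsvr32.exe spawned by that script process. The event field names, the sample records and the DLL file name are constructed assumptions, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# OneNote extracts embedded files to %Temp%\OneNote\<version>\NT\<n>\ before
# running them (the click.wsf path shown above); legitimate scripts are almost
# never executed from there.
ONENOTE_DROP_DIR = re.compile(r"\\temp\\onenote\\[\d.]+\\nt\\\d+\\", re.I)
WSF_TARGET = re.compile(r'\.wsf"?\s*$', re.I)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def is_onenote_script_launch(ev):
    """Stage 1: OneNote spawns the script host on a .wsf in its temp drop dir."""
    return (_basename(ev["parent_image"]) == "onenote.exe"
            and _basename(ev["image"]) in SCRIPT_HOSTS
            and ONENOTE_DROP_DIR.search(ev["command_line"]) is not None
            and WSF_TARGET.search(ev["command_line"]) is not None)


def is_script_to_regsvr32(ev):
    """Stage 2: the script host spawns regsvr32.exe to load the fetched DLL."""
    return (_basename(ev["parent_image"]) in SCRIPT_HOSTS
            and _basename(ev["image"]) == "regsvr32.exe")


def detect_onenote_emotet_chain(events):
    """Correlate both stages by pid and return one alert per script launch.

    Stage 1 alone is worth an alert because it fires before the payload is
    fetched; stage 2 upgrades it to confirmed DLL execution."""
    alerts = {}   # pid of the script host process -> alert
    for ev in events:
        if is_onenote_script_launch(ev):
            alerts[ev["pid"]] = {"stage": "onenote_wsf_launch",
                                 "pid": ev["pid"],
                                 "script": ev["command_line"],
                                 "dll": None}
        elif is_script_to_regsvr32(ev) and ev["parent_pid"] in alerts:
            alert = alerts[ev["parent_pid"]]
            alert["stage"] = "onenote_wsf_to_regsvr32"
            alert["dll"] = ev["command_line"]
    return list(alerts.values())


# Constructed process-creation events (Sysmon-style fields, simplified).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_pid": 3988,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" '
                     r'"C:\Users\user\AppData\Local\Temp\OneNote\16.0\NT\0\click.wsf"'},
    {"pid": 4133, "parent_pid": 4120,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     # placeholder DLL name; the real Emotet DLL name varies per campaign
     "command_line": r'regsvr32.exe /s "C:\Users\user\AppData\Local\Temp\PLACEHOLDER.dll"'},
    # Benign: an admin runs a maintenance script from Explorer, then regsvr32.
    {"pid": 5000, "parent_pid": 1200,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\admin\Documents\maint.wsf"'},
    {"pid": 5010, "parent_pid": 5000,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s C:\Tools\legit.dll'},
]

if __name__ == "__main__":
    for alert in detect_onenote_emotet_chain(SAMPLE_EVENTS):
        print(alert)
```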

Cofense researchers also reported that Emotet malicious activity resumed on March 7, 2023; the messages detected by the company contain attached .zip files that are not password protected.

The attached .zip files deliver weaponized Office documents that download and execute the Emotet .dll.

“It is unclear how long this round of email activity will last. While an earlier round of activity in 2022 extended across multiple weeks, the last round occurred over less than two weeks in November 2022, with more than three months of inactivity on either side.” states Cofense.


Play ransomware gang hit Dutch shipping firm Royal Dirkzwager

Dutch maritime logistics company Royal Dirkzwager suffered a ransomware attack; the company was hit by the Play ransomware gang.

The Play ransomware group hit the Dutch maritime logistics company Royal Dirkzwager.

Royal Dirkzwager specializes in optimizing shipping processes and managing maritime and logistics information flows.

The ransomware group added the company to its Tor data leak site and announced the theft of private and personal confidential data, employee IDs, passports, contracts, etc.

The gang initially leaked a 5 GB archive as proof of the hack and threatens to release the full dump if the company does not pay the ransom.

Company CEO Joan Blaas said that the ransomware attack did not impact the operations of the company. He confirmed that threat actors stole sensitive data from the company’s infrastructure.

“It has had a huge impact on our employees. Over the last year, because of the company’s bankruptcy, we had to let go of people and not everyone could stay. We had to move offices and now this. It’s been a very difficult time,” Company CEO Joan Blaas told The Record.

The company notified the Dutch Data Protection Authority and confirmed it is in negotiations with the ransomware group.

The Play ransomware group has been active since July 2022; its list of victims includes the City of Oakland and the cloud services provider Rackspace.

The shipping industry is a privileged target of cybercrime organizations. In January, about 1,000 vessels were impacted by a ransomware attack against DNV, one of the major maritime software suppliers.

DNV GL provides solutions and services throughout the life cycle of any vessel, from design and engineering to risk assessment and ship management. The Norwegian company provides services for 13,175 vessels and mobile offshore units (MOUs) amounting to 265.4 million gross tonnes, which represents a global market share of 21%.

In February 2022, a cyber attack hit Oiltanking GmbH, a German petrol distributor that supplies Shell gas stations in the country, severely impacting its operations. According to the media, the attack also impacted the oil supplier Mabanaft GmbH. The two companies belong to the Marquard & Bahls group.

In November 2021, researchers from threat intelligence firm Intel 471 published an analysis of cybercrime underground trends online, warning that initial access brokers were offering credentials or other forms of access to shipping and logistics organizations.


Kaspersky released a new decryptor for Conti-based ransomware

Kaspersky released a new version of the decryptor for the Conti ransomware that is based on the previously leaked source code of the malware.

Kaspersky has published a new version of a decryption tool for the Conti ransomware based on previously leaked source code for the Conti ransomware.

In March 2022, a Ukrainian security researcher leaked the source code of the Conti ransomware operation to protest the gang’s position on the conflict.

After the leak of the source code, an unknown ransomware group started distributing a modified version of the Conti ransomware in attacks aimed at companies and state institutions.

In late February 2023, Kaspersky researchers uncovered a new portion of leaked data published on forums and noticed the presence of 258 private keys. The leak also included source code and some pre-compiled decryptors, which allowed the researchers to release a new version of the public decryptor.

“The malware variant whose keys were leaked, had been discovered by Kaspersky specialists in December 2022. This strain was used in multiple attacks against companies and state institutions.” states Kaspersky.

“The leaked private keys are located in 257 folders (only one of these folders contains two keys). Some of them contain previously generated decryptors and several ordinary files: documents, photos, etc. Presumably the latter are test files – a couple of files that the victim sends to the attackers to make sure that the files can be decrypted.”

The researchers added all 258 keys to the latest build of Kaspersky’s RakhniDecryptor utility, version 1.40.0.00. Users can download the decryptor from Kaspersky’s “No Ransom” site.

“For many consecutive years, ransomware has remained a major tool used by cybercrooks. However, because we have studied the TTPs of various ransomware gangs and found out that many of them operate in similar ways, preventing attacks becomes easier. The decryption tool against a new Conti-based modification is already available on our “No Ransom” webpage. However, we would like to emphasize that the best strategy is to strengthen defenses and stop the attackers at early stages of their intrusion, preventing ransomware deployment and minimizing the consequences of the attack,” said Fedor Sinitsyn, lead malware analyst at Kaspersky.

Below is the list of recommendations provided by the experts to protect organizations from ransomware attacks:

  • Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
  • Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
  • Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections.
  • Back up data regularly. Make sure you can quickly access it in an emergency when needed.
  • Use solutions like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response service which help to identify and stop the attack on early stages, before attackers reach their final goals.
  • Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge.

The Conti group has been active since 2019; the FBI estimated that between 2020 and 2022 the gang breached hundreds of organizations. The FBI also estimated that, as of January 2022, the gang had obtained $150,000,000 in ransom payments from over 1,000 victims.


US govt agencies released a joint alert on the Lockbit 3.0 ransomware

The US government released a joint advisory that provides technical details about the operation of the Lockbit 3.0 ransomware gang.

The U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory that provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware.

“The Federal Bureau of Investigation (FBI), CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) has released a joint cybersecurity advisory (CSA), #StopRansomware: LockBit 3.0. This joint advisory details known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that FBI investigations correlated with LockBit 3.0 ransomware as recently as March 2023.” reads the advisory published by US agencies. “LockBit 3.0 functions as an affiliate-based ransomware variant and is a continuation of LockBit 2.0 and LockBit.”

The LockBit gang has been active since at least 2019, and today it is one of the most active ransomware groups operating a Ransomware-as-a-Service (RaaS) model.

The LockBit 3.0 ransomware (aka LockBit Black) was launched in June 2022 and is a continuation of previous versions of the ransomware, LockBit 2.0 (released in mid-2021), and LockBit.

The LockBit 3.0 ransomware is a modular malware that is more evasive than its previous versions, and it shares similarities with the BlackMatter and BlackCat ransomware.

“LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise).” reads the joint alert.

“If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware.”

By protecting the code with encryption, the latest LockBit version can avoid the detection of signature-based anti-malware solutions.

The ransomware doesn’t infect machines whose language settings are included in an exclusion list, which includes Romanian (Moldova), Arabic (Syria), and Tatar (Russia).

Initial attack vectors used by affiliates deploying LockBit 3.0 ransomware include remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.

Upon execution in the target network, the ransomware attempts to escalate privileges if they are not sufficient, terminate processes and services, delete logs, files in the recycle bin folder, and shadow copies residing on disk.

LockBit 3.0 attempts to perform lateral movement by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges.

Operators can also compile LockBit 3.0 for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol.

The RaaS’s affiliates use the following tools to exfiltrate data before encrypting it:

  • Stealbit, a custom exfiltration tool used previously with LockBit 2.0;
  • publicly available file-sharing services, such as MEGA.

The affiliates have been observed using various freeware and open-source tools during their attacks.

“These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.” continues the report.

The alert states that LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via an elevated Component Object Model (COM) interface. It also supports a Safe Mode feature to bypass endpoint antivirus and detection.

The alert also provides mitigations and security controls to prevent and reduce the impact of the threat.


Feds arrested Pompompurin, the alleged owner of BreachForums

U.S. law enforcement this week arrested a US citizen suspected of being Pompompurin, the notorious owner of the BreachForums cybercrime forum.

U.S. law enforcement this week arrested a US man who goes online by the moniker “Pompompurin”; he is accused of being the owner of the popular hacking forum BreachForums.

The news of the arrest was first reported by Bloomberg, which reported that federal agents arrested Conor Brian Fitzpatrick from Peekskill, New York.

The man was arrested by the feds at his home around 4:30 p.m. Wednesday.

“Federal agents have arrested a Peekskill, New York, man they say ran the notorious dark web data-breach site ‘BreachForums’ under the name ‘Pompompurin.’” reads the post published by Bloomberg. “Conor Brian Fitzpatrick was arrested by a team of investigators at his home around 4:30 p.m. Wednesday, an FBI agent said in a sworn statement filed in court the next day. Fitzpatrick is charged with a single count of conspiracy to commit access device fraud.”

In an affidavit filed with the District Court for the Southern District of New York, FBI Special Agent John Langmire said that at around 4:30 p.m. on March 15, 2023, he led a team that made a probable cause arrest of Conor Brian Fitzpatrick in Peekskill, NY.

“When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian Fitzpatrick; b) he used the alias ‘pompompurin/’ and c) he was the owner and administrator of ‘BreachForums’ the data breach website referenced in the Complaint,” Langmire wrote.

According to the Westchester News12 website, the agents spent hours inside and outside of the suspect’s home and were seen removing several bags of evidence from the house.

The man has been charged with soliciting individuals with the purpose of selling unauthorized access devices.

Fitzpatrick was released on a $300,000 bond signed by his parents; he is scheduled to appear before the District Court for the Eastern District of Virginia on March 24, 2023.

The defendant must submit to supervision by, and report for supervision to, Pretrial Services as directed, and he was ordered to surrender any passport.

The man has been restricted from contacting his co-conspirators, getting medical or psychiatric treatment, and unlawfully using narcotic drugs or other controlled substances unless prescribed by a licensed medical practitioner.

The BreachForums hacking forum was launched in 2022 after the law enforcement authorities seized RaidForums as a result of Operation TOURNIQUET.

Pompompurin always maintained that he was ‘not affiliated with RaidForums in any capacity.’

Law enforcement authorities have yet to shut down the website; another admin of the forum, who goes online by the alias “Baphomet,” announced that he is taking control of the platform.

Baphomet added that he believes that the feds haven’t had access to the infrastructure.

“I also since that point have been constantly monitoring everything and going through every log to see any access or modifications to Breached infra. So far nothing like that has been seen.” said Baphomet. “My only response to LE, or any media outlet is that I have no concerns for myself at the moment. OPSEC has been my focus from day one, and thankfully I don’t think any mountain lions will be attacking me in my little fishing boat.”


Hitachi Energy breached by Clop gang through GoAnywhere Zero-Day exploitation

Hitachi Energy disclosed a data breach: the Clop ransomware gang stole company data by exploiting the recent GoAnywhere zero-day flaw.

Hitachi Energy disclosed a data breach after the company was hacked by the Clop ransomware gang, which stole its data by exploiting the recently disclosed zero-day vulnerability in GoAnywhere MFT (Managed File Transfer).

The company was the victim of a large-scale campaign targeting GoAnywhere MFT devices worldwide by exploiting the zero-day vulnerability.

“We recently learned that a third-party software provider called FORTRA GoAnywhere MFT (Managed File Transfer) was the victim of an attack by the CLOP ransomware group that could have resulted in an unauthorized access to employee data in some countries.” reads the statement published by the company.

“Upon learning of this event, we took immediate action and initiated our own investigation, disconnected the third-party system, and engaged forensic IT experts to help us analyze the nature and scope of the attack. Employees who may be affected have been informed and we are providing support. We have also notified applicable data privacy, security and law enforcement authorities and we continue to cooperate with the relevant stakeholders.”

Hitachi Energy immediately launched an investigation into the incident and disconnected the compromised system. The company reported the data breach to law enforcement agencies and the data protection watchdog.

The company pointed out that neither its network operations nor the security of its customer data has been compromised.

In early February, the popular investigator Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra has yet to share a public advisory.

According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.

Installations whose administrative consoles and management interfaces are not exposed on the internet are safe; however, security researcher Kevin Beaumont discovered about 1,000 Internet-facing consoles.

Fortra recommends GoAnywhere MFT customers review all administrative users and monitor for unrecognized usernames, especially those created by “system.”

In February, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool, BleepingComputer reported.

Other organizations breached by exploiting the flaw in Fortra’s GoAnywhere MFT secure file transfer tool include Hatch Bank, Community Health Systems, and the data security firm Rubrik. At this time, the Clop ransomware group has only added the bank and the data security firm to its list of victims.


HinataBot, a new Go-Based DDoS botnet in the threat landscape

A new Golang-based DDoS botnet, tracked as HinataBot, targets routers and servers by exploiting known vulnerabilities.

Akamai researchers spotted a new Golang-based DDoS botnet, dubbed HinataBot, which has been observed exploiting known flaws to compromise routers and servers.

The experts reported that the HinataBot bot was seen being distributed since the beginning of 2023 and its operators are actively updating it.

The name “Hinata” is taken from a character in the popular anime series Naruto.

Akamai’s SIRT recently discovered the new bot within HTTP and SSH honeypots; it stood out due to its large size and the lack of specific identification around its newer hashes.

The sample captured by the experts abuses old vulnerabilities and weak credentials; the researchers reported that it attempts to exploit flaws in the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (CVE N/A).

HinataBot supports multiple methods of communication, including both dialing out and listening for incoming connections. The botnet can launch distributed denial-of-service (DDoS) flooding attacks that rely on protocols such as HTTP, UDP, TCP, and ICMP to send traffic. However, the latest version of HinataBot only supports HTTP and UDP attacks.

Akamai said that, by reverse engineering the bot and imitating the command and control (C2) server, it was able to test the offensive capabilities of the botnet by running two attack methods (HTTP and UDP) over a 10-second period.

“The http_flood generated 3.4 MB of packet capture data and pushed 20,430 HTTP requests. The request sizes ranged from 484 to 589 bytes per request, with sizes varying mostly due to randomization of User-Agent and Cookie header data.” reads the report published by Akamai. “The udp_flood generated 6,733 packets for a total of 421 MB of packet capture data over the wire. There isn’t much else that’s interesting about this attack: it is volumetric in nature and seems to do a decent job of pushing volume.”

Test results show that a botnet composed of just 1,000 nodes could carry out a UDP flood of around 336 Gbps. A botnet of 10,000 nodes (roughly 6.9% of the size of Mirai at its peak) could generate a UDP flood of more than 3.3 Tbps. The HTTP flood at 1,000 nodes would generate roughly 2.7 Gbps and more than 2 Mrps, while with 10,000 nodes those numbers jump to 27 Gbps delivering 20.4 Mrps.

HinataBot is the latest addition to the ever-growing list of emerging Go-based bots, after GoBruteforcer and KmsdBot.

“The HinataBot family relies on old vulnerabilities and brute forcing weak passwords for distribution. This is yet another example of why strong password and patching policies are more critical than ever.” concludes Akamai, which also provided Indicators of Compromise and YARA rules for this threat.
