Cybercriminals are targeting a post-authentication RCE vulnerability in Symantec Secure Web Gateways to infiltrate devices. This is a technique used with the new variants of Hoaxcalls and Mirai botnets.
What is happening
- The Hoaxcalls botnet is a derivative of the Bashlyt/Gafgyt family and was first found this year in April. Lately, researchers have discovered that the botnet is exploiting an unpatched bug in Symantec Secure Web Gateway version 220.127.116.11.
- A Mirai offshoot was also discovered in May, propagating using the same bug as mentioned earlier. However, this botnet lacks DDoS capabilities and is a first-stage loader.
- The vulnerability is a post-authentication one, signifying that the exploit is effective only for authenticated sessions.
- The latest version of Symantec Secure Web Gateway, 5.2.8, does not contain the bug.
- The Symantec vulnerability was disclosed in March and will remain unpatched since it affects the older versions of the gateway.
What the experts are saying
- As per the researcher, Ruchna Nigam, “The use of the exploit in the wild surfaced only a few days after the publication of the vulnerability details, highlighting the fact that the authors of this particular botnet have been pretty active in testing the effectiveness of new exploits as and when they are made public.”
- Samples of the Mirai campaign are packed with a modified version of UPX, using a different 4-byte key with the UPX algorithm.
- Two new Hoaxcalls samples surfaced in April, incorporating new commands from its C2 server. The capabilities consisted of downloading updates, proxying traffic, preventing reboots, launching a huge number of DDoS attacks, and maintaining persistence.
- It was also found to be exploiting an unpatched bug in the ZyXEL Cloud CNM SecuManager.
The success of the botnets in exploiting this vulnerability is limited. The targeted devices are EOL products from 2012 and the latest versions will remain unaffected.