New Go-Based HinataBot Abuses Old Vulnerabilities for DDoS Attacks

Introduction to HinataBot

• According to Akamai’s SIRT team, the botnet exploited arbitrary code execution flaws in miniigd SOAP service in Realtek SDK (CVE-2014-8361) and Huawei HG532 routers (CVE-2017-17215) to spread its infection. 
• Additionally, exposed Hadoop YARN servers with weak credentials were also abused by the botnet to launch attacks.
• Coming to its capabilities, HinataBot utilizes protocols such as HTTP, UDP, TCP, and ICMP to send traffic during DDoS attacks.
• However, in the latest version, the authors have narrowed down to using only HTTP and UDP for attacks. 

Mirai influence

• The threat actors behind HinataBot were originally distributing Mirai binaries before they began developing their own botnet in mid-January.  
• Based on observations, researchers claim that the new botnet is the Golang version of Mirai and appears to follow some processes and attack methods from the latter.
• One of these similarities includes the way HinataBot sets up communication and the way it parses commands to launch attacks.
• As it is still in the development stage, it’s difficult to predict the future attack scope of HinataBot. 

Go-based botnets on a rise

• Last week, a botnet named GoBruteforcer was spotted scanning and infecting popular web servers to launch targeted attacks. It is specifically designed to target web servers running phpMyAdmin, MySQL, FTP, and Postgres services. 
• A multi-purpose Go-based botnet called Chaos became a matter of security concern as it expanded its cryptomining and DDoS attacks to target Windows and Linux devices across Europe. 
• In another instance, a new GoTrim botnet was spotted scanning and brute-forcing websites using the WordPress CMS to launch DDoS attacks.

Conclusion