Headline
New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks
A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. “The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata–,’” Akamai said in a
A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks.
“The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata-<OS>-<Architecture>,’” Akamai said in a technical report.
Among the methods used to distribute the malware are the exploitation of exposed Hadoop YARN servers and security flaws in Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8).
Unpatched vulnerabilities and weak credentials have been a low-hanging fruit for attackers, representing an easy, well-documented entry point that does not require sophisticated social engineering tactics or other methods.
The threat actors behind HinataBot are said to have been active since at least December 2022, with the attacks first attempting to use a generic Go-based Mirai variant before switching to their own custom malware starting from January 11, 2023.
Since then, newer artifacts have been detected in Akamai’s HTTP and SSH honeypots as recently as this month, packing in more modular functionality and added security measures to resist analysis. This indicates that HinataBot is still in active development and evolving.
The malware, like other DDoS botnets of its kind, is capable of contacting a command-and-control (C2) server to listen for incoming instructions and initiate attacks against a target IP address for a specified duration.
While early versions of the botnet utilized protocols such as HTTP, UDP, TCP, and ICMP to carry out DDoS attacks, the latest iteration is limited to just HTTP and UDP. It’s not immediately known why the other two protocols were axed.
Akamai, which conducted 10-second attack tests using HTTP and UDP, revealed that the HTTP flood generated 3.4 MB of packet capture data and pushed 20,430 HTTP requests. The UDP flood, on the other hand, created 6,733 packets for a total of 421 MB of packet capture data.
In a hypothetical real-world attack with 10,000 bots, a UDP flood would peak at more than 3.3 terabit per second (Tbps), resulting in a potent volumetric attack. An HTTP flood would generate a traffic of roughly 27 gigabit per second (Gbps)
The development makes it the latest to join the ever-growing list of emerging Go-based threats such as GoBruteforcer and KmsdBot.
“Go has been leveraged by attackers to reap the benefits of its high performance, ease of multi-threading, its multiple architecture and operating system cross-compilation support, but also likely because it adds complexity when compiled, increasing the difficulty of reverse engineering the resulting binaries,” Akamai said.
WEBINAR
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.
RESERVE YOUR SEAT
The findings also come as Microsoft revealed that TCP attacks emerged as the most frequent form of DDoS attack encountered in 2022, accounting for 63% of all attack traffic, followed by UDP floods and amplification attacks (22%), and packet anomaly attacks (15%).
Besides being used as distractions to conceal extortion and data theft, DDoS attacks are also expected to rise due to the arrival of new malware strains that are capable of targeting IoT devices and taking over accounts to gain unauthorized access to resources.
“With DDoS attacks becoming more frequent, sophisticated, and inexpensive to launch, it’s important for organizations of all sizes to be proactive, stay protected all year round, and develop a DDoS response strategy,” the tech giant’s Azure Network Security Team said.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet. CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a "command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE)," Akamai researchers Kyle
Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted
By Deeba Ahmed HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. This is a post from HackRead.com Read the original post: Threat Actors Using Go-based HinataBot to launch DDoS Attacks
By Deeba Ahmed Most devices infected by Chaos malware are located in Europe, particularly Italy but infections were also observed in Asia Pacific, South America, and North America. This is a post from HackRead.com Read the original post: New DDoS Malware ‘Chaos’ Hits Linux and Windows Devices
The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.
A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. "Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request, as exploited in the wild through 2023.