Experts from Palo Alto Networks discovered that the Mirai and Hoaxcalls botnets are targeting a vulnerability in legacy Symantec Web Gateways.
Palo Alto Networks Unit 42 researchers observed both the Mirai and Hoaxcalls botnets using an exploit for a post-authentication Remote Code Execution vulnerability in legacy Symantec Web Gateways 220.127.116.11.
“I recently came across new Hoaxcalls and Mirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway 18.104.22.168, which is a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.” reads the analysis published by Palo Alto Networks. “There is no evidence to support any other firmware versions are vulnerable at this point in time and these findings have been shared with Symantec.”
Symantec pointed out that the flaw has been fixed in Symantec Web Gateway 5.2.8 and that it doesn’t affect Secure Web Gateway solutions, such as ProxySG and Web Security Services.
Experts first observed the exploitation of the flaw in the wild on April 24, 2020, as part of an evolution of the Hoaxcalls botnet that was first discovered early of April. The botnet borrows the code from Tsunami and Gafgyt botnets, it expanded the list of targeted devices and added new distributed denial of service (DDoS) capabilities.
In the first week of May, the experts also spotted a Mirai variant using the same exploit, but this samples don’t contain any DDoS capabilities.
“they serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability This blog post provides any noteworthy technical details on these two campaigns.” continues the report.
According to Unit 42, both the Mirai and Hoaxcalls botnets used payloads designed to discover and infect vulnerable devices. In the case of Mirai, the bot is able to propagate via either credential brute-forcing or exploitation of the Symantec Web Gateways exploit.
Experts note that the exploit is only effective for authenticated sessions and the affected devices are End of Life (EOL) from 2012.
“In the case of both campaigns, one can assume that their success with this exploit is limited by the post-authentication nature of the Symantec Secure Web Gateway RCE vulnerability.” concludes Palo Alto Networks.
The report published by Palo Alto Networks contains technical details about the botnet, including the Indicators of Compromise (IoCs)