Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways

Experts from Palo Alto Networks discovered that the Mirai and Hoaxcalls botnets are targeting a vulnerability in legacy Symantec Web Gateways. Palo Alto Networks Unit 42 researchers observed both the Mirai and Hoaxcalls botnets using an exploit for a post-authentication Remote Code Execution vulnerability in legacy Symantec Web Gateways 5.0.2.8. “I recently came across new […]

Hoaxcalls Symantec Web Gateways

Experts from Palo Alto Networks discovered that the Mirai and Hoaxcalls botnets are targeting a vulnerability in legacy Symantec Web Gateways.

Palo Alto Networks Unit 42 researchers observed both the Mirai and Hoaxcalls botnets using an exploit for a post-authentication Remote Code Execution vulnerability in legacy Symantec Web Gateways 5.0.2.8.

“I recently came across new Hoaxcalls and Mirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway 5.0.2.8, which is a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.” reads the analysis published by Palo Alto Networks. “There is no evidence to support any other firmware versions are vulnerable at this point in time and these findings have been shared with Symantec.”

Symantec pointed out that the flaw has been fixed in Symantec Web Gateway 5.2.8 and that it doesn’t affect Secure Web Gateway solutions, such as ProxySG and Web Security Services.

Experts first observed the exploitation of the flaw in the wild on April 24, 2020, as part of an evolution of the Hoaxcalls botnet that was first discovered early of April. The botnet borrows the code from Tsunami and Gafgyt botnets, it expanded the list of targeted devices and added new distributed denial of service (DDoS) capabilities.

Operators behind the Hoaxcalls botnet started using the exploit a few days after the publication of the vulnerability details.

Hoaxcalls update-URL

In the first week of May, the experts also spotted a Mirai variant using the same exploit, but this samples don’t contain any DDoS capabilities.

“they serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability This blog post provides any noteworthy technical details on these two campaigns.” continues the report.

According to Unit 42, both the Mirai and Hoaxcalls botnets used payloads designed to discover and infect vulnerable devices. In the case of Mirai, the bot is able to propagate via either credential brute-forcing or exploitation of the Symantec Web Gateways exploit.

Experts note that the exploit is only effective for authenticated sessions and the affected devices are End of Life (EOL) from 2012.

“In the case of both campaigns, one can assume that their success with this exploit is limited by the post-authentication nature of the Symantec Secure Web Gateway RCE vulnerability.” concludes Palo Alto Networks.

The report published by Palo Alto Networks contains technical details about the botnet, including the Indicators of Compromise (IoCs)

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Symantec Web Gateways, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]