New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks

Mar 17, 2023 | Ravie Lakshmanan | Cybersecurity / Botnet

A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks.


“The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as ‘Hinata-<OS>-<Architecture>,’” Akamai said in a technical report.

Among the methods used to distribute the malware are the exploitation of exposed Hadoop YARN servers and of security flaws in Realtek SDK devices (CVE-2014-8361) and Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8).

Unpatched vulnerabilities and weak credentials have been a low-hanging fruit for attackers, representing an easy, well-documented entry point that does not require sophisticated social engineering tactics or other methods.

The threat actors behind HinataBot are said to have been active since at least December 2022, with the attacks first attempting to use a generic Go-based Mirai variant before switching to their own custom malware starting from January 11, 2023.

Since then, newer artifacts have been detected in Akamai’s HTTP and SSH honeypots as recently as this month, packing in more modular functionality and added security measures to resist analysis. This indicates that HinataBot is still in active development and evolving.

The malware, like other DDoS botnets of its kind, is capable of contacting a command-and-control (C2) server to listen for incoming instructions and initiate attacks against a target IP address for a specified duration.

While early versions of the botnet utilized protocols such as HTTP, UDP, TCP, and ICMP to carry out DDoS attacks, the latest iteration is limited to just HTTP and UDP. It’s not immediately known why the other two protocols were axed.

Akamai, which conducted 10-second attack tests using HTTP and UDP, revealed that the HTTP flood generated 3.4 MB of packet capture data and pushed 20,430 HTTP requests. The UDP flood, on the other hand, created 6,733 packets for a total of 421 MB of packet capture data.

In a hypothetical real-world attack with 10,000 bots, a UDP flood would peak at more than 3.3 terabits per second (Tbps), resulting in a potent volumetric attack. An HTTP flood would generate traffic of roughly 27 gigabits per second (Gbps).
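The Tbps and Gbps figures above follow from scaling Akamai's 10-second single-bot measurements linearly. The Python below is an added example (not code from the article or from Akamai's report) that reproduces that extrapolation so a defender can size expected load; it assumes linear scaling with bot count, decimal megabytes, and that capture size approximates bytes on the wire, and it also derives the HTTP request rate, which the article does not state.

```python
# Added example: extrapolate Akamai's per-bot 10-second test figures to a
# hypothetical botnet. Assumptions: linear scaling with bot count,
# 1 MB = 10**6 bytes, and pcap size approximating bytes sent on the wire.

MEGABYTE = 1_000_000  # assumption: decimal megabytes

# Figures quoted in the article from Akamai's 10-second tests.
UDP_TEST = {"capture_mb": 421.0, "duration_s": 10.0}
HTTP_TEST = {"capture_mb": 3.4, "duration_s": 10.0}
HTTP_REQUESTS_IN_TEST = 20_430


def per_bot_bps(capture_mb: float, duration_s: float) -> float:
    """Average bits per second a single bot produced during the test window."""
    return capture_mb * MEGABYTE * 8 / duration_s


def botnet_bps(capture_mb: float, duration_s: float, bots: int) -> float:
    """Naive linear extrapolation of one bot's rate to a botnet of `bots`."""
    return per_bot_bps(capture_mb, duration_s) * bots


def udp_flood_tbps(bots: int = 10_000) -> float:
    """Volumetric UDP flood rate in Tbps for the given botnet size."""
    return botnet_bps(**UDP_TEST, bots=bots) / 1e12


def http_flood_gbps(bots: int = 10_000) -> float:
    """HTTP flood bandwidth in Gbps; bandwidth understates an L7 flood."""
    return botnet_bps(**HTTP_TEST, bots=bots) / 1e9


def http_requests_per_s(bots: int = 10_000) -> float:
    """Aggregate request rate, the figure that matters for web-tier capacity."""
    return HTTP_REQUESTS_IN_TEST / HTTP_TEST["duration_s"] * bots


if __name__ == "__main__":
    print(f"UDP flood, 10k bots:  {udp_flood_tbps():.2f} Tbps")    # 3.37
    print(f"HTTP flood, 10k bots: {http_flood_gbps():.1f} Gbps")   # 27.2
    print(f"HTTP flood, 10k bots: {http_requests_per_s():,.0f} req/s")  # 20,430,000
```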

The development makes it the latest to join the ever-growing list of emerging Go-based threats such as GoBruteforcer and KmsdBot.

“Go has been leveraged by attackers to reap the benefits of its high performance, ease of multi-threading, its multiple architecture and operating system cross-compilation support, but also likely because it adds complexity when compiled, increasing the difficulty of reverse engineering the resulting binaries,” Akamai said.


The findings also come as Microsoft revealed that TCP attacks emerged as the most frequent form of DDoS attack encountered in 2022, accounting for 63% of all attack traffic, followed by UDP floods and amplification attacks (22%), and packet anomaly attacks (15%).

Besides being used as distractions to conceal extortion and data theft, DDoS attacks are also expected to rise due to the arrival of new malware strains that are capable of targeting IoT devices and taking over accounts to gain unauthorized access to resources.

“With DDoS attacks becoming more frequent, sophisticated, and inexpensive to launch, it’s important for organizations of all sizes to be proactive, stay protected all year round, and develop a DDoS response strategy,” the tech giant’s Azure Network Security Team said.
