
A new Golang-based botnet called HinataBot has been observed exploiting known flaws to compromise routers and servers and use them to carry out distributed denial-of-service (DDoS) attacks.
“The malware binary was named by the malware author as ‘Hinata’, after the character from the popular anime series Naruto.”
The malware is distributed by exploiting publicly exposed Hadoop YARN servers and security vulnerabilities in Realtek SDK devices (CVE-2014-8361) and Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8).
Unpatched vulnerabilities and weak credentials are easy wins for attackers: they represent an entry point that needs only well-documented, straightforward exploits rather than sophisticated social engineering tactics or other methods.
The actors behind HinataBot are said to have been active since at least December 2022. The attackers first attempted to use a popular Go-based Mirai variant after January 11, 2023, before switching to their own custom malware.
Since then, new artifacts detected in Akamai’s HTTP and SSH honeypots this month have arrived packed with more modular features and additional measures to thwart analysis, showing that HinataBot is still actively developed and evolving.
Like other DDoS botnets of its kind, the malware can connect to command-and-control (C2) servers, listen for incoming instructions, and launch attacks against target IP addresses for a specified period of time.
Earlier versions of the botnet used protocols such as HTTP, UDP, TCP, and ICMP to carry out DDoS attacks, but the latest iteration is limited to HTTP and UDP only. It’s not immediately clear why the other two protocols were deprecated.
Akamai’s 10-second attack test using HTTP and UDP found that the HTTP flood generated 3.4 MB of packet capture data and pushed 20,430 HTTP requests, while the UDP flood produced 6,733 packets for a total of 421 MB of packet capture data.
In a hypothetical real-world attack involving 10,000 bots, a UDP flood would peak at over 3.3 terabits per second (Tbps), making for a powerful volumetric attack, while an HTTP flood would generate approximately 27 gigabits per second (Gbps) of traffic.
This development is the latest to join the ever-growing list of new Go-based threats such as GoBruteforcer and KmsdBot.
“Attackers use Go to take advantage of its high performance, ease of multithreading, and cross-compilation support for multiple architectures and operating systems, but at the cost of increased complexity at compile time and difficulty in reverse engineering the resulting binary,” said Akamai.
The findings show that TCP attacks emerged as the most frequent form of DDoS attack in 2022, accounting for 63% of all attack traffic, followed by UDP flood and amplification attacks (22%) and packet anomaly attacks (15%).
DDoS attacks are not only used as a distraction to cover up extortion and data theft, but are also expected to increase with the emergence of new malware strains that can target IoT devices to hijack accounts and gain unauthorized access to resources.
“As DDoS attacks become more frequent, more sophisticated, and less expensive to initiate, it is important for organizations of all sizes to take proactive steps to maintain protection throughout the year and develop DDoS response strategies,” said the tech giant’s Azure network security team.