Fast-Moving DDoS Botnet Exploits Unpatched ZyXel RCE Bug

A new variant of the Hoaxcalls botnet, which can be marshalled for large-scale distributed denial-of-service (DDoS) campaigns, is spreading via an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager that was disclosed last month.

That’s according to researchers at Radware, who also said that it’s notable how quickly Hoaxcalls operators have moved to weaponize the ZyXel bug, which as of this time of writing, has still not been addressed in a ZyXel advisory.

The Rise of Hoaxcalls

Hoaxcalls first emerged in late March, as a variant of the Gafgyt/Bashlite family; it’s named after the domain used to host its malware, Hoaxcalls.pw.

According to the Palo Alto Unit 42 researchers who found it, the original sample featured three DDoS attack vectors: UDP, DNS and HEX floods; and, it was seen infecting devices through two vulnerabilities: A DrayTek Vigor2960 remote code-execution (RCE) vulnerability and a GrandStream Unified Communications remote SQL injection bug (CVE-2020-5722). The HTTP exploits for the bugs used a common User-Agent header value, “XTC,” which has been seen in previous Mirai variant activity, according to researchers.

In early April, a new Hoaxcalls sample showed up on the scene and was picked up by Radware. It had added 16 new attack vectors for a total of 19, but it only propagated via the GrandStream CVE-2020-5722 bug and lacked the XTC header value. Within 48 hours of discovery, there were 15 unique IP addresses hosting the malware.

Then, earlier this week, on April 20, Radware researchers spotted a third iteration of Hoaxcalls being disseminated from 75 different malware-hosting servers. It has the same number of attack vectors (19) as the second variant, and also uses the User-Agent “XTC” header seen in the initial version.

“While IoT botnet variants are common, these samples highlight not only the speed in which criminals move, but also the depth and scope of the campaigns run by DDoS operators,” noted Radware researchers, in an analysis posted on Wednesday.

ZyXel RCE Bug

The April 20 variant most notably uses an unpatched vulnerability in the ZyXEL Cloud CNM SecuManager, which is a network management appliance designed to provide an integrated console to monitor and manage security gateways.

In March, multiple bugs were found to be riddling the platform by security researchers Pierre Kim and Alexandre Torres. According to their report at the time, the vulnerable software includes Zyxel CNM SecuManager versions 3.1.0 and 3.1.1 – last updated in November 2018.

The bug that Hoaxcalls is specifically leveraging can be exploited via API calls that abuse the path “/live/CPEManager/AXCampaignManager/delete_cpes_by_ids?Cpe_ids =” according to Radware.

Digging deeper, Kim and Torres characterized this bug as “abusing an insecure API due to unsafe calls to eval():”. When an API call is made, the output is stored in the “Axess” chroot, which the researchers said ultimately makes it possible to open up a “connect-back” shell, providing access to the appliance.

A chroot is an operation to change a root directory for a running process and its dependent directories on Unix operating systems,

“Even if the shell is within a chrooted environment, it is possible to break the chroot using a [local privilege escalation] LPE and the fact that /proc is mounted inside the chroot,” Kim and Torres wrote.

The addition of the unpatched bug exploit only widens the number of routers and IoT devices that can be used by Hoaxcalls going forward, Radware researchers noted — adding that they expect the attack surface to continue to widen.

“The campaigns performed by the actor or group behind XTC and Hoaxcalls include several variants using different combinations of propagation exploits and DDoS attack vectors,” Radware researchers said in the analysis. “It is our opinion that the group behind this campaign is dedicated to finding and leveraging new exploits for the purpose of building a botnet that can be leveraged for large-scale DDoS attacks.”

_Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, _A Practical Guide to Securing the Cloud in the Face of Crisis_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. _Please register here** for this sponsored webinar.**