Palo Alto Networks experts warn that the Hoaxcalls botnet is attacking a recently fixed vulnerability in Grandstream UCM6200 series devices. The Hoaxcalls botnet is built on the source code of the Gafgyt/Bashlite malware and is mainly used for DDoS attacks.
“The malware is built on the Gafgyt/Bashlite malware family codebase, which we have dubbed ‘Hoaxcalls’, based on the name of the IRC channel used for command and control (C2) communications, and is capable of launching a variety of DDoS attacks based on the C2 commands received,” write Palo Alto Networks researchers.
The issue in question has the identifier CVE-2020-5722 and is rated as critical (9.8 points on the CVSS vulnerability rating scale). The vulnerability is in the HTTP interface of Grandstream IP-PBX devices.
Tenable experts who discovered this bug described it as an unauthenticated remote SQL injection.
“The vulnerability can be exploited using a specially crafted HTTP request, which will eventually allow an attacker to execute shell commands with root privileges (versions prior to 22.214.171.124) or inject HTML code into emails to recover passwords (versions prior to 126.96.36.199),” said Tenable researchers.
The root of the problem is that the forgotten password function in the UCM6200 web interface accepts the username as input and looks for it in the SQLite database. By supplying a crafted string in place of the username, the attacker can perform SQL injection to create a reverse shell for remote code execution or add arbitrary HTML code to the password recovery email that will be sent to the user.
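The weakness class described above, shown as an added example that is not Grandstream's code or part of the original report: a username lookup built by string concatenation next to a parameterized one, plus HTML escaping for the recovery email. The table, column and function names and the sample rows are assumptions made for the illustration.

```python
import html
import sqlite3

# Constructed schema and rows for illustration; not the UCM6200's real database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_name TEXT PRIMARY KEY, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "admin@example.test"), ("alice", "alice@example.test")],
    )
    return db

def lookup_concatenated(db, username):
    """Weak pattern: the username becomes part of the SQL text itself."""
    sql = "SELECT user_name, email FROM users WHERE user_name = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    """Hardened pattern: the username is bound as data and never parsed as SQL."""
    sql = "SELECT user_name, email FROM users WHERE user_name = ?"
    return db.execute(sql, (username,)).fetchall()

def recovery_email_body(username):
    """Escape the user-supplied name before placing it in an HTML email."""
    return "<p>Password recovery requested for {}</p>".format(html.escape(username))

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing a quote
    # Concatenated query: the quote changes the WHERE clause, every row matches.
    print(lookup_concatenated(db, crafted))
    # Parameterized query: the same input is just an unknown username.
    print(lookup_parameterized(db, crafted))
    # Markup in the name is rendered inert in the email body.
    print(recovery_email_body("<b>alice</b>"))
```

The parameterized lookup and the escaping step address the two impacts the Tenable description names: commands reaching the database layer and HTML reaching the recovery email.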
According to Palo Alto Networks experts, the Hoaxcalls botnet has been actively exploiting this vulnerability for more than a week and then using the infected devices for DDoS attacks. The botnet also attacks Draytek Vigor routers, infecting them through another critical vulnerability (CVE-2020-8515).
“Vulnerabilities CVE-2020-8515 and CVE-2020-5722 are both rated as critical, in particular because of their ease of operation. After using [these vulnerabilities], an attacker could execute arbitrary commands on the device. It is not surprising that hackers expanded their arsenals with these exploits and began to wreak havoc on the IoT sphere,” say the experts.
Hoaxcalls, a new DDoS botnet, is actively exploiting two vulnerabilities which have wide exposure in environments around the world. These same vulnerabilities are also actively being exploited in additional attacks, according to other security research organizations. Unfortunately, they are also easily exploited and lead to remote code execution; as such we advise everyone to patch as soon as possible.
Recall that the operators of the Lemon Duck malware, criminal colleagues of the Hoaxcalls users, also attack IoT devices.