Go-based HinataBot Discovered by Akamai

A new malware botnet has been identified that targets Realtek SDK, Huawei routers, and Hadoop YARN servers to recruit devices into a DDoS (distributed denial of service) botnet capable of huge attacks. Researchers at Akamai detected the new botnet at the beginning of the year on their HTTP and SSH honeypots, where they saw it exploiting older security vulnerabilities including CVE-2014-8361 and CVE-2017-17215. Akamai notes that when HinataBot first appeared in mid-January 2023, its operators were distributing Mirai binaries. HinataBot is written in Go and appears to be based on Mirai, the infamous strain. According to Akamai's researchers, who were able to collect several samples from active campaigns as recently as March 2023, the malware is being actively developed, with functional enhancements and anti-analysis features.

The malware spreads by brute-forcing SSH endpoints or by exploiting known vulnerabilities with infection scripts and RCE payloads. After infecting a target, it runs quietly while awaiting instructions from the command and control (C2) server. To set up HinataBot for DDoS attacks, Akamai's analysts built their own C2 and interacted with simulated infections. This allowed them to watch the malware in operation and deduce its attack capabilities. HinataBot's earlier iterations supported HTTP, UDP, ICMP, and TCP floods, but its more recent iterations support only the first two. Even with just two attack modes, the botnet may be able to launch extremely potent distributed denial of service attacks.

Analyst Notes

When Akamai benchmarked the botnet in 10-second HTTP and UDP attacks, the malware produced 20,430 requests with a combined size of 3.4 MB during the HTTP attack. The UDP flood produced 6,733 packets totaling 421 MB of data. The researchers calculated that the UDP flood might yield approximately 336 Gbps with 1,000 nodes and 3.3 Tbps with 10,000 nodes.

While defending against a targeted DDoS attack can be difficult, organizations that each limit the spread of the botnet on their own networks achieve greater safety for themselves and for the larger Internet community. One of the best defenses is a consistent and frequent patch cycle, since a trademark of most botnets is their ability to spread through unpatched services as well as through SSH brute-forcing. Configuring SSH securely is also crucial. Most importantly, create firewall rules that only allow connections from specific IP addresses or ranges. Password-based authentication should also be disabled in favor of SSH key pairs. Another best practice is to disallow SSH logins for the root user. Some may find it useful to move SSH from its default port to a higher port, which can help mitigate some attacks that result from scanning common ports.
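The SSH recommendations above can be checked against an `sshd_config` file. The following is an added example, not part of the original write-up or Akamai's research: the function names and the sample configuration are constructed for illustration, and firewall allowlisting lives outside `sshd_config`, so it is not checked here.

```python
import re

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

def effective_settings(config_text):
    """Return global sshd settings; for each keyword the first value wins."""
    settings, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":              # conditional blocks: global scope ends here
            break
        if keyword == "port":               # Port may be given several times
            ports.append(value)
        else:
            settings.setdefault(keyword, value)
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    settings["port"] = ports or ["22"]
    return settings

def audit(config_text):
    """Return findings against the hardening steps described in the text above."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is enabled; use key pairs only")
    if s["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is '%s'; set it to 'no'" % s["permitrootlogin"])
    if "22" in s["port"]:
        findings.append("sshd listens on default port 22 (optional: use a higher port)")
    return findings

# Constructed sample: sshd ignores the second PasswordAuthentication line.
SAMPLE = """\
Port 22
PasswordAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""
HARDENED = "Port 2222\nPasswordAuthentication no\nPermitRootLogin no\n"
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a live host, `sshd -T` prints the effective configuration, including any `Include` files, which this parser does not follow.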