Saurabh's Blog

Botnet Targets Critical Vulnerability in Grandstream Appliance

Published 3 months ago

Cyber attacks are growing more sophisticated over time. One class is the botnet, in which a large number of compromised machines are controlled from a Command & Control (C&C) server and used to attack further vulnerable systems. The chain keeps growing and becomes difficult to curb. A recent example is the Hoaxcalls botnet.

Insights

The Hoaxcalls botnet is actively targeting a critical security flaw in the Grandstream UCM6200 series[1]. The vulnerability is tracked as CVE-2020-5722 and has a CVSS v3.1 base score of 9.8 out of 10[1]. Grandstream has patched it in current firmware, so it is now up to users to update their systems to the latest firmware as soon as possible.

The flaw is an unauthenticated SQL injection in the device's web interface: the password-recovery ("Forgot Password") request takes a username that is placed unsanitized into a query against the backend SQLite database. On firmware prior to 1.0.19.20, a crafted HTTP request abusing this injection leads to execution of shell commands, and the attacker can spawn a reverse shell with root privileges; once an attacker has root, he can execute arbitrary commands and take full control of the appliance. Firmware prior to 1.0.20.17 still allowed the same injection to be used to inject HTML into password-recovery emails. Researchers at Tenable reported the vulnerability and urge customers to update to the latest firmware[1].

Hoaxcalls is also actively exploiting CVE-2020-8515, an unauthenticated command-injection flaw in DrayTek Vigor routers. By compromising devices through both of these bugs, the botnet builds the capacity to launch a variety of Distributed Denial of Service (DDoS) attacks.
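To make the bug class concrete, here is an added example (my own constructed code, not Grandstream's firmware and not Tenable's proof of concept) of a password-recovery lookup that concatenates the username into a SQLite query, beside the parameterized version that closes the hole. The table layout, the sample users, the payload and the sendmail invocation are all assumptions made for the demo. It also shows why the advisory's impact is root command execution rather than just data disclosure: a UNION payload lets the attacker choose what comes back as the "email", so anything downstream that trusts that value and builds a shell command from it is the second half of the exploit chain.

```python
import re
import sqlite3

# Constructed demonstration of the bug class behind CVE-2020-5722: an
# unauthenticated username lookup for password recovery, backed by SQLite,
# built by string concatenation. This is not Grandstream's code; the table,
# column names and the sample users are assumptions for the demo.


def make_db():
    """In-memory SQLite stand-in for the appliance's user store (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "admin@example.invalid"), ("alice", "alice@example.invalid")],
    )
    return db


def lookup_email_vulnerable(db, username):
    """Pattern that enables the SQLi: the request parameter becomes SQL text."""
    query = "SELECT email FROM users WHERE username = '%s'" % username
    row = db.execute(query).fetchone()
    return row[0] if row else None


def lookup_email_fixed(db, username):
    """Parameterized query: the value is bound by the driver, never parsed as SQL."""
    row = db.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


# Conservative address shape; rejects quotes, backticks, '$', ';', '>' and whitespace.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_mail_argv(email):
    """Second line of defense for the step that turns the DB value into a process.

    The root shell in the advisory comes from data that left the database
    being trusted downstream. Validate the address before use and pass it as
    an argv element (never through shell=True), so even an attacker-controlled
    row cannot become a command. The sendmail invocation is an assumption.
    """
    if not EMAIL_RE.match(email):
        raise ValueError("refusing to mail to malformed address: %r" % email)
    return ["/usr/sbin/sendmail", "-i", email]


if __name__ == "__main__":
    db = make_db()
    # Constructed payload: the UNION makes the returned "email" the attacker's
    # string, and '--' comments out the closing quote the template appends.
    payload = "x' UNION SELECT '`id>/tmp/pwn`@evil.invalid' -- "
    print("vulnerable lookup returns:", lookup_email_vulnerable(db, payload))
    print("fixed lookup returns:     ", lookup_email_fixed(db, payload))
```

Against the vulnerable lookup the payload returns the attacker's backtick-laden string, and a classic `' OR 1=1 -- ` returns the first user's address, which is the confidentiality side of the bug; against the parameterized lookup both return nothing because the whole string is compared literally as a username. The argv builder is there to show the defense-in-depth point: even if a query slipped through, a value that fails validation never reaches a process, and one that passes is handed over as a single argument rather than interpolated into a shell command line.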

Conclusion

Both of these critical vulnerabilities have been patched by Grandstream and DrayTek, in firmware 1.0.20.17 and 1.5.1 respectively. Clearly, these flaws affect all three aspects of the CIA triad. Confidentiality is compromised because the attacker can read the SQLite database through the injection. Integrity is compromised because the attacker can spawn a reverse shell and execute arbitrary code as root. Availability is compromised because the Hoaxcalls botnet uses the captured devices to launch a variety of DDoS attacks. It now depends on customers to update their systems as soon as possible to avoid becoming victims of this attack.
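Because the only remediation is a firmware update, the practical follow-up is to check an inventory against the fixed versions. The helper below is an added example (not vendor code) that uses the version numbers given in this post and the cited advisory: root RCE fixed in 1.0.19.20 and recovery-email HTML injection fixed in 1.0.20.17 for the UCM62xx, CVE-2020-8515 fixed in 1.5.1 for DrayTek Vigor. The product keys, hostnames and inventory rows are constructed; the version parser assumes vendors number releases monotonically and drops suffixes such as `_RC2`.

```python
import re

# Added inventory-triage helper (not vendor code). Fixed versions are the ones
# the post and the cited Tenable advisory give. Inventory rows are constructed.

FIXES = {
    "grandstream-ucm62xx": [
        ((1, 0, 19, 20), "CVE-2020-5722 unauthenticated SQLi -> root shell"),
        ((1, 0, 20, 17), "CVE-2020-5722 HTML injection in password-recovery email"),
    ],
    "draytek-vigor": [
        ((1, 5, 1), "CVE-2020-8515 unauthenticated command injection"),
    ],
}

_NUM = re.compile(r"\d+")


def parse_version(text):
    """Turn '1.0.19.20', 'v1.5.1' or '1.5.1_RC2' into a comparable tuple.

    Only the leading numeric dot-separated groups are kept; a trailing suffix
    such as _RC2 is dropped (assumption: release numbering is monotonic).
    A shorter tuple compares as older than a longer one with the same prefix,
    so '1.0.19' is correctly treated as older than '1.0.19.20'.
    """
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        m = _NUM.match(piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError("unparseable firmware version: %r" % text)
    return tuple(parts)


def exposures(product, firmware):
    """List the issues a device is still exposed to (empty list means patched)."""
    v = parse_version(firmware)
    return [desc for fixed, desc in FIXES[product] if v < fixed]


def triage(inventory):
    """inventory: iterable of (hostname, product, firmware); returns exposed hosts only."""
    report = {}
    for host, product, firmware in inventory:
        found = exposures(product, firmware)
        if found:
            report[host] = found
    return report


SAMPLE_INVENTORY = [  # constructed for the demo
    ("pbx-hq", "grandstream-ucm62xx", "1.0.19.20"),
    ("pbx-branch", "grandstream-ucm62xx", "1.0.18.13"),
    ("pbx-lab", "grandstream-ucm62xx", "1.0.20.17"),
    ("edge-1", "draytek-vigor", "1.4.4"),
    ("edge-2", "draytek-vigor", "v1.5.1.1"),
]

if __name__ == "__main__":
    for host, issues in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host)
        for issue in issues:
            print("   ", issue)
```

Run as a script it prints only the hosts that still need attention: the branch PBX on 1.0.18.13 is exposed to both the root RCE and the HTML injection, the HQ PBX on 1.0.19.20 is closed to the RCE but still open to the HTML injection, and the router on 1.4.4 needs the 1.5.1 update. The two fully patched devices are omitted.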

References

  1. Tenable Research Advisory, "Grandstream UCM62xx SQL Injection".