19 May 2020

Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways

Malicious actors are exploiting a post-authentication remote code-execution vulnerability in Symantec Secure Web Gateways as part of new Mirai and Hoaxcalls botnet attacks, Palo Alto Networks Unit 42 researchers have warned.

The bug in question affects Symantec Secure Web Gateway 5.0.2.8, which reached End-of-Support-Life (EOSL) in 2019. The flaw was patched in Symantec Web Gateway 5.2.8, and there is currently no evidence that any other firmware versions are vulnerable, the researchers pointed out.

The first attacks attempting to exploit this flaw were observed in April 2020, as part of an evolution of the Hoaxcalls botnet that had been discovered earlier that same month.

“This latest version of Hoaxcalls supports additional commands that allow an attacker greater control on the infected devices, such as the possibility to proxy traffic through them, downloading updates, maintaining persistence across device restarts, or preventing reboots, and a larger number of DDoS attacks that can be launched,” the researchers said.

The threat actors behind the Hoaxcalls botnet began using the exploit just a few days after the vulnerability details were made public.

Hoaxcalls was first spotted in late March as a variant of the Gafgyt/Bashlite family. Initially, it was observed exploiting recently disclosed vulnerabilities in certain models of Grandstream business telephone IP PBX systems and Draytek Vigor routers, but shortly afterwards new samples emerged that incorporated a new exploit for infiltrating devices – an unpatched vulnerability impacting the ZyXEL Cloud CNM SecuManager that was disclosed in March.

At the beginning of May, the researchers came across a Mirai campaign using the same exploit, although the malware samples used in the attacks lacked DDoS capabilities. Instead, the bot used credential brute-forcing or exploited the Symantec Web Gateway flaw as a means of propagation.

The researchers note that the exploit is only effective against authenticated sessions and that the affected devices have been End of Life (EOL) since 2012.

“In the case of both campaigns, one can assume that their success with this exploit is limited by the post-authentication nature of the Symantec Secure Web Gateway RCE vulnerability,” Palo Alto Networks concluded.
