Radware researchers have discovered a new variant of the Hoaxcalls Botnet, spreading via an unpatched vulnerability impacting ZyXEL Cloud CNM SecuManager.
They have been monitoring the evolution of the Mirai XTC campaign and the development of the Hoaxcalls Botnet for several months. Hoaxcalls is an IoT variant based on source code from the Tsunami and Gafgyt Botnets.
The Hoaxcalls Botnet was first disclosed by Unit 42, Palo Alto Networks’ Research Division, on April 3, 2020, and has been seen propagating via CVE-2020-8515 and CVE-2020-5722.
The series of vulnerabilities impacting ZyXEL was published in full disclosure by Pierre Kim on March 9, 2019. In addition to a new vector of propagation, the new sample of the Hoaxcalls Botnet also adds 16 DDoS attack vectors.