Blog entry by Les Bell

by Les Bell - Tuesday, March 21, 2023, 7:48 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Hinata Botnet Could Deliver 3.3 Tbps DDoS, Says Akamai

Akamai researchers have analysed a newly-discovered botnet which has been spreading over the first three months of this year. The malware, which its author appears to have christened 'Hinata' after an anime character, is written in the Go programming language, which is increasingly popular among malware authors because it makes reverse-engineering the resultant binaries more difficult than with other languages.

However, in Hinata, Go delivers another 'benefit', in the form of a multi-threaded design which can drive network I/O harder than a single-threaded approach. In early versions, the bot was able to run DDoS attacks using a variety of protocols: HTTP, UDP, TCP and ICMP. However, the latest version focuses on HTTP and UDP only. In order to spread, Hinata exploits two main vulnerabilities - a Hadoop YARN RCE and a vuln in the miniigd SOAP service of Realtek SDK devices (CVE-2014-8361). It can also exploit Huawei HG532 routers (CVE-2017-17215).

Based on their benchmark tests with a sample of the malware and a jury-rigged C2 server, the researchers found that with a 10-second UDP flood, the bot can generate 6,733 packets totaling 421 MB. If the botnet can marshal 10,000 nodes - roughly 7% of the size of the Mirai botnet - it could therefore deliver 3.3 Tbps.

The Akamai blog post is a nice example of malware analysis and reverse engineering. It provides IOCs, including YARA rules and sample infector scripts, as well as Snort rules.

Seaman, Chad, Larry Cashdollar and Allen West, Uncovering HinataBot: A Deep Dive into a Go-Based Threat, blog post, 16 March 2023. Available online at https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet.

Privacy Breach Hits Australian Skin Cancer Study

Medical research institute QIMR Berghofer has been hit by a data privacy breach affecting the personal details of more than one thousand people participating in a skin cancer study, according to the institute. The breach occurred at a contractor, Datatime, which provides scanning and data entry services.

The 2021 QSKIN study involved the mailing of survey forms to 9749 participants, whose names and addresses were held by Datatime. 1128 participants completed the survey and returned the forms to Datatime, presumably for scanning, and their information, including name, address and Medicare numbers, may have been compromised in the breach.

This particular breach occurred back in November 2022, and we reported on it at the time, so it is curious that QIMR Berghofer is only disclosing it publicly now. It also highlights the importance of supplier relationship management; the medical researchers relied on the fact that "Datatime is ISO Accredited" - but they are certified against ISO 9001, and not an information security related standard like ISO 27001.

Uncredited, Media statement, media statement, 20 March 2023. Available online at https://www.qimrberghofer.edu.au/news/media-statement/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
