Netscout has seen an increase in attempts to exploit the Realtek SDK miniigd SOAP vulnerability (CVE-2014-8361) present in some consumer routers. This increase was observed in ASERT’s IoT honeypot network from the end of April through the first half of May 2019. Netscout indicated they believed the attacks were from Egypt and targeted routers located in South Africa. If the attack succeeds in exploiting the device, the router becomes a member of the Hakai DDoS botnet.
The Hakai botnet is believed to have been around since 2018. Hakai is part of the Gafgyt family of IoT malware and uses a number of command injection vulnerabilities against its targets. The botnet is capable of delivering HTTP, TCP, and UDP flooding attacks. The Hakai variant in this campaign also included vseattack functionality. This is a Valve Source Engine (VSE) query-flooding attack that is similar to the version found in Mirai.
Indicators of Compromise