HNS Botnet evolves and targets cross-platform database solutions

Pierluigi Paganini July 08, 2018

The HNS IoT botnet (Hide and Seek) originally discovered by BitDefender in January evolves and now targets cross-platform database solutions.

Do you remember the Hide ‘N Seek (HNS) botnet?

The IoT botnet Hide ‘N Seek botnet appeared in the threat landscape in January, when it was first spotted on January 10th by malware researchers from Bitdefender. It was first discovered on January 10, then it disappeared for a few days, and appeared again a few weeks later infecting in less than a weeks more than 20,000 devices.

HNS botnet

Researchers at Bitdefender found similarities between the Hide ‘N Seek botnet and the Hajime botnets, unlike Mirai, Hajime doesn’t use C&C servers, instead, it implements a peer-to-peer network.

Bitdefender experts discovered that Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw, and other vulnerabilities to propagate malicious code and steal user data.

HNS botnet looks for systems to infect by scanning the Internet for fixed TCP port 80/8080/2480/5984/23 and other random ports. The HNS botnet borrows code from Mirai botnet.

HNS botnet scanning.png

The Hide ‘N Seek is now targeting also cross-platform database solutions, it is currently the first IoT malware that implements a persistence mechanism to keep devices infected after reboots.

“2P-like botnets are hard to take down, and the HNS botnet has been continuously updated over the past few months,” reads the analysis published by Netlab Qihoo 360 researchers.

“some major updates we see:

  • Added exploits for AVTECH devices (webcam, webcam), CISCO Linksys router, JAWS/1.0 web server, Apache CouchDB, OrientDB; with the two devices mentioned in the original report, HNS currently supports 7 exploiting methods all together
  • Hard-coded P2P node addresses have been increased to 171;
  • In addition, we observed that the HNS botnet adds a cpuminer mining program, it is not functioning properly yet.
  • In particular, with the added support of OrientDB and CouchDB database servers, HNS is no longer just an IoT botnet, but a cross-platform botnet now.”
According to Netlab, the Hide ‘N Seek (HNS) botnet now targets the following types of devices using  the following exploits:

Experts pointed out that the HNS has also started dropping a miner payload, but the good news is that it is not functioning properly yet.

Further technical details on the Hide ‘N Seek botnet, including the IoCs, are reported in the analysis published by the Netlab team.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Hide ‘N Seek botnet,  botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment