HNS Botnet evolves and targets cross-platform database solutions

Haythem Elmir
0 1
Read Time2 Minute, 11 Second

The HNS IoT botnet (Hide and Seek) originally discovered by BitDefender in January evolves and now targets cross-platform database solutions.

Do you remember the Hide ‘N Seek (HNS) botnet?

The IoT botnet Hide ‘N Seek botnet appeared in the threat landscape in January, when it was first spotted on January 10th by malware researchers from Bitdefender. It was first discovered on January 10, then it disappeared for a few days, and appeared again a few weeks later infecting in less than a weeks more than 20,000 devices.

HNS botnet

Researchers at Bitdefender found similarities between the Hide ‘N Seek botnet and the Hajime botnets, unlike Mirai, Hajime doesn’t use C&C servers, instead, it implements a peer-to-peer network.

Bitdefender experts discovered that Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw, and other vulnerabilities to propagate malicious code and steal user data.

HNS botnet looks for systems to infect by scanning the Internet for fixed TCP port 80/8080/2480/5984/23 and other random ports. The HNS botnet borrows code from Mirai botnet.

HNS botnet scanning.png

The Hide ‘N Seek is now targeting also cross-platform database solutions, it is currently the first IoT malware that implements a persistence mechanism to keep devices infected after reboots.

“2P-like botnets are hard to take down, and the HNS botnet has been continuously updated over the past few months,” reads the analysis published by Netlab Qihoo 360 researchers.

“some major updates we see:

  • Added exploits for AVTECH devices (webcam, webcam), CISCO Linksys router, JAWS/1.0 web server, Apache CouchDB, OrientDB; with the two devices mentioned in the original report, HNS currently supports 7 exploiting methods all together
  • Hard-coded P2P node addresses have been increased to 171;
  • In addition, we observed that the HNS botnet adds a cpuminer mining program, it is not functioning properly yet.
  • In particular, with the added support of OrientDB and CouchDB database servers, HNS is no longer just an IoT botnet, but a cross-platform botnet now.”
According to Netlab, the Hide ‘N Seek (HNS) botnet now targets the following types of devices using  the following exploits:
  1. TPLink-Routers RCE
  2. Netgear RCE
  3. (new) AVTECH RCE
  4. (new) CISCO Linksys Router RCE
  5. (new) JAW/1.0 RCE
  6. (new) OrientDB RCE
  7. (new) CouchDB RCE

Experts pointed out that the HNS has also started dropping a miner payload, but the good news is that it is not functioning properly yet.

Further technical details on the Hide ‘N Seek botnet, including the IoCs, are reported in the analysispublished by the Netlab team.

To read the original article

https://securityaffairs.co/wordpress/74256/malware/hns-botnet-improvement.html

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
100 %

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Laisser un commentaire

Next Post

Smart Speaker Banking Is Coming to a Device Near You, But Is It Secure?

Smart speaker Banking Is coming to a device near you, Which are the cyber risks associated with their use? Are they a new opportunity for attackers? The popularity of voice-activated smart speakers like the Google Home and Amazon Echo has made brands, and industries realize there’s adequate demand for introducing technology that lets people […]