Hide 'N Seek IoT Botnet Can Infect Database Servers
18.7.2018 securityweek BotNet
The Hide 'N Seek Internet of Things (IoT) botnet has recently added support for more devices and can also infect OrientDB and CouchDB database servers, Qihoo 360's NetLab researchers say.
When first detailed in January this year, the botnet was evolving and spreading rapidly, ensnaring tens of thousands of devices within days. Targeting numerous vulnerabilities, the malware was capable of data exfiltration, code execution, and interference with the device operation.
By early May, the malware had infected over 90,000 devices, added code to target more vulnerabilities, and also adopted persistence, being able to survive reboots. The persistence module, however, would only kick in if the infection was performed over the Telnet service.
A peer-to-peer (P2P) botnet, Hide 'N Seek has continued to evolve, and is currently targeting even more vulnerabilities than before. The botnet now also includes exploits for AVTECH devices (webcam) and Cisco Linksys routers, Qihoo 360's NetLab reveals.
Furthermore, the malware now includes 171 hardcoded P2P node addresses, has added a crypto-currency mining program to its code, and has also evolved into a cross-platform threat, with the addition of support for OrientDB and CouchDB database servers.
The botnet’s spreading mechanism includes a scanner borrowed from Mirai, targeting fixed TCP port 80/8080/2480/5984/23 and other random ports.
For infection, the malware attempts remote code execution using exploits targeting TPLink Routers, Netgear routers (also targeted by Reaper botnet and Mirai variant Wicked), AVTECH cameras, Cisco Linksys Routers, JAW/1.0, OrientDB, and Apache CouchDB.
The Hide 'N Seek bots attempt to contact other P2P peers using one of three methods: a hard-coded built-in list of 171 peer addresses, command-line arguments, and via other P2P peers. The node would also interact with the 171 peers for check-in purposes and during the follow-up interaction process.
“When started with no command-line args, HNS node will send lots of UPD check-in packets. IP addresses of these packets are randomized, while some others are set based on the build-in list,” the NetLab researchers explain.
Due to its peer-to-peer architecture, the botnet is rather difficult to shut down. Furthermore, the constant stream of updates received over the past half a year suggests that Hide 'N Seek will continue to evolve, likely broadening its capabilities and target list.