"Hide 'N Seek" IoT Botnet Ensnares 20,000 Devices in Days
25.1.2018 securityweek IoT BotNet
An Internet of Things (IoT) botnet featuring a worm-like spreading mechanism managed to ensnare over 20,000 devices over the course of several days, Bitdefender reports.
Dubbed Hide ‘N Seek, the botnet was first spotted on January 10, when it focused on IP cameras manufactured by a Korean company, but vanished just days after. On January 20, however, the researchers observed a new, improved variant of the malware, which has ensnared more than 20,000 devices worldwide and continues to spread quickly.
The malware was designed to exfiltrate data, execute code, and interfere with the device operation. Employing a complex and decentralized communication technique and multiple anti-tampering methods to prevent hijacking, the botnet uses the same exploit as Reaper (CVE-2016-10401 and other vulnerabilities), Bitdefender says.
The bot’s worm-like spreading mechanism consists of randomly generating a list of IP addresses to target, and then initiating a raw socket SYN connection to each host on specific destination ports (23, 2323, 80, and 8080). After establishing a connection, the bot first looks for a specific banner (“buildroot login:”) and attempts log in via predefined credentials, or launches a dictionary attack if that fails.
Next, the malware attempts to properly identify the target device and select a compromise method, such as setting up a TFTP server if the target is on the same LAN, or a remote payload delivery method if the target is on the Internet.
These pre-configured exploitation techniques are located in a digitally signed memory location to prevent tampering and can be updated remotely and propagated among infected hosts. Targeting IoT devices, the botnet can’t achieve persistence, meaning that a device reboot would clear up the infection.
After Hajime, Hide ‘N Seek becomes the second known IoT botnet to use a decentralized, peer-to-peer architecture. The difference is that, while Hajime used p2p functionality based on the BitTorrent protocol, the new botnet uses a custom-built p2p communication mechanism.
“The bot opens a random port on the victim, and adds firewall rules to allow inbound traffic for the port. It then listens for connections on the open port and only accepts the specific commands described below,” Bitdefender Senior Threat Analyst Bogdan Botezatu explains.
To prevent infiltration or poisoning attempts, the malware uses an elliptic curve key within the file used to authenticate the command for updating the memory zone where configuration settings are stored.
The bot includes support for multiple commands for configuration updates, a data exfiltration mechanism, and a scanning component (which sends to a peer valid credentials found via dictionary attack). It also supports commands to add a new peer to the list and send a peer IP as a response.
“While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion. It is also worth noting that the botnet is undergoing constant redesign and rapid expansion,” Botezatu concludes.
A recent NETSCOUT Arbor report on distributed denial of service attacks has revealed that compromised IoT devices can fuel new, complex assaults. The emergence of new IoT botnets such as Masuta or Satori has proved once again the need for improved security for Internet-connected devices.
“As IoT devices become increasing popularity in our modern lives, they also become more attractive to cybercriminals. In fact, in 2017 we recorded a record number of IoT vulnerabilities, with them more than doubling since 2016,” Nadav Avital, security research team leader at Imperva, told SecurityWeek in an emailed statement.
“This [Bitdefender] research also emphasizes the need for an account takeover solution which protects all devices with a network presence. Account takeover is a big problem, however it is not something which IoT vendors provide protection for. It is therefore a good idea for organizations to deploy an external solution for security,” Avital concluded.