Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Hide ‘N Seek IoT Botnet Can Infect Database Servers

The

The Hide ‘N Seek Internet of Things (IoT) botnet has recently added support for more devices and can also infect OrientDB and CouchDB database servers, Qihoo 360’s NetLab researchers say.

When first detailed in January this year, the botnet was evolving and spreading rapidly, ensnaring tens of thousands of devices within days. Targeting numerous vulnerabilities, the malware was capable of data exfiltration, code execution, and interference with the device operation.

By early May, the malware had infected over 90,000 devices, added code to target more vulnerabilities, and also adopted persistence, being able to survive reboots. The persistence module, however, would only kick in if the infection was performed over the Telnet service.

A peer-to-peer (P2P) botnet, Hide ‘N Seek has continued to evolve, and is currently targeting even more vulnerabilities than before. The botnet now also includes exploits for AVTECH devices (webcam) and Cisco Linksys routers, Qihoo 360’s NetLab reveals.

Furthermore, the malware now includes 171 hardcoded P2P node addresses, has added a crypto-currency mining program to its code, and has also evolved into a cross-platform threat, with the addition of support for OrientDB and CouchDB database servers.

The botnet’s spreading mechanism includes a scanner borrowed from Mirai, targeting fixed TCP port 80/8080/2480/5984/23 and other random ports.

For infection, the malware attempts remote code execution using exploits targeting TPLink Routers, Netgear routers (also targeted by Reaper botnet and Mirai variant Wicked), AVTECH cameras, Cisco Linksys Routers, JAW/1.0, OrientDB, and Apache CouchDB.

The Hide ‘N Seek bots attempt to contact other P2P peers using one of three methods: a hard-coded built-in list of 171 peer addresses, command-line arguments, and via other P2P peers. The node would also interact with the 171 peers for check-in purposes and during the follow-up interaction process.

Advertisement. Scroll to continue reading.

“When started with no command-line args, HNS node will send lots of UPD check-in packets. IP addresses of these packets are randomized, while some others are set based on the build-in list,” the NetLab researchers explain.

Due to its peer-to-peer architecture, the botnet is rather difficult to shut down. Furthermore, the constant stream of updates received over the past half a year suggests that Hide ‘N Seek will continue to evolve, likely broadening its capabilities and target list.

Related: Hide ‘N Seek IoT Botnet Can Survive Device Reboots

Related: “Wicked” Variant of Mirai Botnet Emerges

Related: ‘DoubleDoor’ IoT Botnet Uses Two Backdoor Exploits

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights