Overview
A newly emerging botnet has been spotted recently that uses custom-built peer-to-peer communication to exploit victims, ensnare new IoT devices and keep building its infrastructure. Dubbed Hide N' Seek (HNS), the bot was first spotted on 10 January before disappearing for a few days. It returned 10 days later, on 20 January, in a new and significantly improved form.
How It Works
The HNS botnet communicates in a complex, decentralized manner and uses multiple anti-tampering techniques to prevent a third party from hijacking or poisoning it. The bot can perform web exploitation against a range of devices using the same exploit as Reaper (CVE-2016-10401, along with other vulnerabilities in networking equipment).
HNS can also carry out multiple commands including data
exfiltration, code execution and interference with a device's operation.
Featuring a worm-like mechanism that can randomly generate a list of
IP addresses to get potential targets, the bot initiates a raw socket SYN
connection to every device listed and tries to establish a connection.
Once a connection succeeds, the bot looks for the "buildroot login" banner presented by the device and tries to log in using a set of predefined credentials. If that fails, it attempts to brute-force its way in with a dictionary attack that uses a hardcoded list to crack the device's password. After it establishes a new session with the infected device, the bot attempts to identify the target device and figure out how best to compromise it.
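The spreading behaviour described above leaves two observable traces on the defender's side: a single host sending SYN-only probes to many unrelated addresses on the Telnet ports, and, once a banner is found, a run of failed logins under different usernames. The following detection logic is an added example, not code from the original post or from the HNS analysis it summarizes; the flow records and login-log lines it works on are constructed samples in a hypothetical NetFlow-like format and a syslog-style `login` format, and the thresholds are assumptions to be tuned per network.

```python
"""Detection heuristics for HNS-style spreading: random-target Telnet SYN
scanning followed by credential guessing against a "buildroot login" banner.

Both inputs below are constructed samples, not data from any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed flow records: "<ISO time> <src> <dst> <dport> <tcp flags>"
SAMPLE_FLOWS = """\
2018-01-20T10:00:01 10.0.0.5 203.0.113.17 23 S
2018-01-20T10:00:01 10.0.0.5 198.51.100.42 23 S
2018-01-20T10:00:02 10.0.0.5 192.0.2.200 23 S
2018-01-20T10:00:02 10.0.0.5 203.0.113.99 23 S
2018-01-20T10:00:03 10.0.0.5 198.51.100.7 23 S
2018-01-20T10:00:03 10.0.0.5 192.0.2.33 2323 S
2018-01-20T10:00:04 10.0.0.9 192.0.2.10 443 SA
2018-01-20T10:00:05 10.0.0.9 192.0.2.10 443 A
2018-01-20T10:05:00 10.0.0.7 192.0.2.50 23 S
"""

# Constructed syslog-style lines from a device whose Telnet service shows the
# "buildroot login" banner; the "FAILED LOGIN" form mirrors util-linux login(1).
SAMPLE_AUTH_LOG = """\
Jan 20 10:00:05 gw telnetd[412]: connection from 10.0.0.5 banner=buildroot
Jan 20 10:00:06 gw login[413]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Jan 20 10:00:07 gw login[413]: FAILED LOGIN 2 FROM 10.0.0.5 FOR admin, Authentication failure
Jan 20 10:00:08 gw login[413]: FAILED LOGIN 3 FROM 10.0.0.5 FOR admin, Authentication failure
Jan 20 10:00:09 gw login[413]: FAILED LOGIN 4 FROM 10.0.0.5 FOR support, Authentication failure
Jan 20 10:01:00 gw login[420]: FAILED LOGIN 1 FROM 10.0.0.9 FOR root, Authentication failure
"""

TELNET_PORTS = {23, 2323}


def parse_flows(text):
    """Parse the constructed flow format into (time, src, dst, dport, flags) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, flags = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), flags))
    return flows


def find_telnet_scanners(flows, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: max distinct Telnet targets seen in one window} for sources
    that sent SYN-only probes to at least `min_targets` distinct hosts within
    `window`. A normal client completes handshakes to a few hosts; a worm-style
    scanner fans out bare SYNs to many."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, flags in flows:
        if dport in TELNET_PORTS and flags == "S":
            by_src[src].append((ts, dst))
    hits = {}
    for src, probes in by_src.items():
        probes.sort()
        start = 0  # sliding window over time-ordered probes
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct = {dst for _, dst in probes[start:end + 1]}
            if len(distinct) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


FAILED_RE = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")


def find_credential_guessing(log_text, min_failures=3):
    """Return {src: sorted usernames tried} for sources with at least
    `min_failures` failed logins, the dictionary-attack stage that follows
    the banner check."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)].append(m.group(2))
    return {src: sorted(set(users)) for src, users in failures.items()
            if len(users) >= min_failures}


if __name__ == "__main__":
    print(find_telnet_scanners(parse_flows(SAMPLE_FLOWS)))
    print(find_credential_guessing(SAMPLE_AUTH_LOG))
```

On the sample data only 10.0.0.5 trips both heuristics: six distinct Telnet targets in under a minute and four failed logins across three usernames, while 10.0.0.9 (one failure, normal HTTPS traffic) and 10.0.0.7 (a single probe) stay below threshold. Correlating the two signals for the same source is what separates an infected device from a single mistyped password.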
Global Impact
The botnet now counts more than 20K devices, geographically distributed as shown on the heatmap below. What started as a 12-device network has become a phenomenon that spreads from Asia to the United States.
Like other IoT bots, however, the newly discovered HNS bot cannot achieve persistence: a reboot brings the compromised device back to its clean state. It is the second known IoT botnet to date, after the notorious Hajime botnet, to have a decentralized, peer-to-peer architecture. Whereas Hajime's p2p functionality was based on the BitTorrent protocol, HNS uses a custom-built p2p communication mechanism.
Indicators Of Compromise (IOCs)
HASHES
- efcd7a5fe59ca8223cd282bfe501a2f92b18312c
- 05674f779ebf9dc6b0176d40ff198e94f0b21ff9