Online espionage: new IoT botnet plays hide n’ seek
With millions of devices connected to the Internet, malware finds a perfect breeding ground. The latest scare is a new IoT botnet called “Hide n’ Seek”, or “HNS” for short. It first appeared around January 10th this year, disappeared quickly, and resurfaced in a modified version a few days later. Unlike botnets built to sabotage online infrastructure, this one seems to have a different purpose: Hide n’ Seek is malware designed for espionage.
More than 30,000 IoT devices had been hijacked by HNS as of the end of January 2018, according to Bitdefender Labs. The security experts also report ongoing, intensive development of this new IoT botnet. Most of the affected devices are located in the eastern parts of the US and in central Europe, but also in Brazil, India, China and parts of Russia. The HNS botnet communicates in a decentralized (peer-to-peer) manner and uses techniques to prevent a third party from hijacking it. It also embeds multiple commands for data exfiltration, code execution and interference with a device’s operation.
The botnet’s main targets appear to be poorly secured IP cameras. HNS is not persistent: a simple reboot of the device brings it back into a clean state. That is no guarantee it stays clean, however, if the additional security measures needed to prevent a repeated infection are neglected. After a deeper review of its functions, Bitdefender concludes that HNS is more complex than other IoT botnets and may be better suited to espionage and extortion than to plain DDoS attacks.
In his blog “KrebsOnSecurity”, expert Brian Krebs gave a few pieces of advice for better IoT device security. Rule #1: Avoid connecting your devices directly to the Internet. It may sound obvious, but this rule is still violated far too often. Whenever possible, keep your devices behind a firewall. Krebs also suggests always changing a device’s default credentials. Default passwords in particular are a problem: hijackers still find thousands of devices unprotected or using easy-to-guess passwords such as “admin” or “12345”. Last but not least, avoid saving money on the wrong end, since cheap hardware often lacks security.
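The two rules above (no direct Internet exposure, no default or trivial passwords) can be turned into a small self-audit of your own device inventory. The script below is an added example, not code from the article, Krebs or Bitdefender. The device inventory is constructed for illustration; the only weak passwords taken from the article are “admin” and “12345”, the rest of the weak-password list is an assumption. It flags devices that are reachable directly from the Internet and credentials that are vendor defaults, equal to the username, too short or digits only.

```python
"""Added example: audit a constructed IoT device inventory against the
hardening rules summarized in the article (no direct Internet exposure,
no default or trivially guessable passwords)."""
from dataclasses import dataclass

# "admin" and "12345" come from the article; the other entries are an
# assumed, illustrative sample of well-known default passwords.
WEAK_PASSWORDS = {"admin", "12345", "123456", "password", "1234", "root", ""}


@dataclass
class Device:
    name: str
    username: str
    password: str
    exposed_to_internet: bool  # True = reachable without a firewall in front


def password_findings(username: str, password: str) -> list:
    """Return the list of problems found with a device's credentials."""
    findings = []
    if password.lower() in WEAK_PASSWORDS:
        findings.append("default or well-known password")
    if password.lower() == username.lower():
        findings.append("password equals username")
    if len(password) < 8:
        findings.append("password shorter than 8 characters")
    if password.isdigit():
        findings.append("password is digits only")
    return findings


def audit(devices: list) -> dict:
    """Map each device name to its list of findings (empty = no issue)."""
    report = {}
    for dev in devices:
        issues = []
        if dev.exposed_to_internet:
            issues.append("directly reachable from the Internet (no firewall)")
        issues.extend(password_findings(dev.username, dev.password))
        report[dev.name] = issues
    return report


def needs_attention(report: dict) -> list:
    """Sorted names of devices with at least one finding."""
    return sorted(name for name, issues in report.items() if issues)


# Constructed sample inventory (hypothetical devices, not real hosts).
INVENTORY = [
    Device("hallway-camera", "admin", "admin", exposed_to_internet=True),
    Device("garage-camera", "admin", "12345", exposed_to_internet=False),
    Device("nas", "backup", "Tr0ub4dor&3-long", exposed_to_internet=False),
]

if __name__ == "__main__":
    result = audit(INVENTORY)
    for name in needs_attention(result):
        print(f"{name}:")
        for issue in result[name]:
            print(f"  - {issue}")
```

Run it as-is to see the two cameras flagged and the NAS pass; replace `INVENTORY` with your own device list to audit a real network. The exposure flag is something you have to fill in yourself (for example from your router’s port-forwarding table), which is exactly the information the Censys check further down helps you verify from the outside.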
Quick check your own network
If you want to perform a quick check on your own network, you can go to censys.io and enter your own public IPv4 address into the search form. Select “IPv4 Host” in the pulldown menu on the right and let the website show what it has found on your address: publicly accessible ports and devices in your network. If you do not know your public address, look it up first at www.whatismyipadress.com. Please keep in mind that this quick check does not replace a thorough security check of your infrastructure.