A botnet discovered at the start of the year and named
Hide 'N Seek (HNS) has expanded from infecting Internet of Things (IoT) devices and is now also targeting cross-platform database solutions as well.
This is an important development in the botnet's evolution, which also passed a significant milestone in May when it became the first IoT malware that was capable of
surviving device reboots.
HNS now targets more devices
Now, the Netlab research team at Qihoo 360 says that HNS has expanded beyond the scope of routers and DVRs and is now also targeting database applications running on server operating systems.
According to Netlab researchers, the botnet is now capable of infecting the following types of devices, with the following types of exploits:
- TPLink-Routers RCE
- Netgear RCE
- (new) AVTECH RCE
- (new) CISCO Linksys Router RCE
- (new) JAW/1.0 RCE
- (new) OrientDB RCE
- (new) CouchDB RCE
As a side-effect for adding more payloads, HNS is also noisier now, as it needs to scan more ports to find new hosts to infect. Experts say they've seen HNS bots initiating scans on ports:
23 Telnet
80 HTTP Web Service
2480 OrientDB
5984 CouchDB
8080 HTTP Web Service
... but also
random ports
But HNS was easy to spot anyway because it's only the second major IoT botnet besides Hajime known to use a P2P structure, so security researchers would have an easy time identifying it regardless.