HNS Evolves from IoT to Cross-Platform Botnet

The famous Hide ‘N Seek botnet, first discovered in January this year, has expanded from infecting Internet of Things (IoT) devices and is now also targeting cross-platform database solutions as well.

Following this news, Sean Newman, Director, Corero Network Security, said:

“As the HNS botnet appears to be versatile in its objectives, defences will vary. If the owner of the compromised device is the target, then attacks resulting in data exfiltration are a likely outcome, which will require tools designed to prevent advanced targeted attacks, such as those equipped with network and device behavioural detection mechanisms.

“Of course, the compromised devices could be leverage for increasingly popular crypto-mining activities, in which case, there is no attack to mitigate, as such, only dealing with the resulting performance impact on the compromised devices.

“And, it’s still probable that this botnet could be leveraged for DDoS attacks, in which case, it’s the targets which need the tools to defend from the attack, with the owners of the compromised devices seeing little, if any, impact.

“Attackers are always looking for the next opportunity, in order to generate sustainable income, whilst remaining one step ahead of the defenders.  As hackers now have a significant focus on reaping the rewards possible with crypto-mining, their attentions have turned to recruiting devices for that purpose, to avoid the significant hardware and power costs involved in doing this legitimately. So-called crypto-jacking enables them to use the collective resource of devices they can compromise on the open internet.  However, mining requires a huge amount of processing power, which is a challenge for most IoT devices, even en masse, which could explain the new HSN focus on OrientDB and CouchDB, as it’s almost certain that platforms running them will have significantly more compute power than your average IoT device.

“The use of these additional ports could make it easier to detect the botnet, especially in networks where OrientDB and/or CouchDB are not utilised, as traffic on these ports will not be expected.  However, the addition of the built-in 171 static peer IP addresses should make it even easier to detect for anyone monitoring traffic sources and destinations in/out of their network.  And, in many cases, it should be a straightforward process of just blocking traffic to/from these addresses at the network perimeter.”