Bitdefender researchers discovered a new botnet, dubbed Hide 'N Seek (HNS), that uses a decentralized peer-to-peer (P2P) architecture to spread to other vulnerable devices and increase its footprint. Each bot in HNS contains a list of IPs of other infected bots, and this list can be updated in real time as new devices are added or removed. HNS bots can also relay instructions from one another and receive and execute several different commands such as "data exfiltration, code execution, and interference with a device's operation," according to Bitdefender. At the time of writing, HNS appears to primarily target IP cameras and spreads using a worm-like mechanism that generates a random list of IP addresses to identify potential targets. It then conducts brute-force attacks against open Telnet ports to gain access to those targets. Devices that appear to play a large role in the botnet's creation include Focus H&S IP cameras.
As HNS malware is unable to maintain persistence, rebooting impacted devices will clear the malware infection and remove them from the botnet. However, researchers tracking this botnet have seen it grow from 12 devices to 24,000 devices between January 23 and January 25, 2018.
The NJCCIC recommends users and administrators of vulnerable or impacted Focus H&S IP cameras reboot the devices to ensure the infection has been cleared, disable Telnet access, proactively block any unused and unnecessary ports, and replace weak and default passwords with lengthy and complex passwords.
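The worm-like Telnet scanning described above is visible from the network side: an infected camera suddenly opens connections to many unrelated addresses on port 23. The following is an added example, not code from Bitdefender or the NJCCIC, that flags such sources in flow records; the record format, sample data, function names and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TELNET_PORT = 23

# Constructed flow records: "<ISO time> <src ip> <dst ip> <dst port>" (assumed format).
SAMPLE_FLOWS = """
2018-01-24T10:00:00 192.168.1.50 198.51.100.7 23
2018-01-24T10:00:02 192.168.1.50 203.0.113.19 23
2018-01-24T10:00:03 192.168.1.50 198.51.100.201 23
2018-01-24T10:00:05 192.168.1.50 203.0.113.88 23
2018-01-24T10:00:06 192.168.1.50 198.51.100.64 23
2018-01-24T10:00:09 192.168.1.50 203.0.113.140 23
2018-01-24T10:00:01 192.168.1.10 192.168.1.1 23
2018-01-24T10:00:30 192.168.1.10 192.168.1.1 23
2018-01-24T10:00:04 192.168.1.20 198.51.100.7 443
2018-01-24T09:00:00 192.168.1.30 198.51.100.1 23
2018-01-24T09:20:00 192.168.1.30 198.51.100.2 23
2018-01-24T09:40:00 192.168.1.30 198.51.100.3 23
2018-01-24T10:00:00 192.168.1.30 198.51.100.4 23
2018-01-24T10:20:00 192.168.1.30 198.51.100.5 23
""".splitlines()

def parse_flow(line):
    """Parse one constructed record into (time, src, dst, dst_port)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_telnet_scanners(lines, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: peak count of distinct Telnet destinations inside any
    sliding window} for sources whose peak reaches min_targets."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs, oldest first
    peak = defaultdict(int)
    for ts, src, dst, dport in sorted(parse_flow(l) for l in lines if l.strip()):
        if dport != TELNET_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop records older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= min_targets}

if __name__ == "__main__":
    for src, n in find_telnet_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct Telnet destinations within 60s")
```

In the constructed data, only 192.168.1.50 is flagged: the host that repeatedly reaches a single Telnet server and the host that touches five Telnet destinations over more than an hour stay below the threshold.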
Reporting and Technical Details:
- January 2018: New Hide ‘N Seek IoT Botnet Using Custom-Built Peer-to-Peer Communication Spotted in the Wild (Bitdefender)