Hide 'N Seek

Bitdefender researchers discovered a new botnet, dubbed Hide 'N Seek (HNS), that uses a decentralized peer-to-peer (P2P) architecture to spread to other vulnerable devices and increase its footprint. Each bot in HNS contains a list of IPs of other infected bots, and this list can be updated in real time as new devices are added or removed. HNS bots can also relay instructions to one another and receive and execute several different commands such as "data exfiltration, code execution, and interference with a device's operation," according to Bitdefender. At the time of writing, HNS appears to primarily target IP cameras and spreads using a worm-like mechanism that generates a random list of IP addresses to identify potential targets. It then conducts brute-force attacks against open Telnet ports to gain access to those targets. Devices that appear to play a large role in the botnet's creation include Focus H&S IP cameras.

As the HNS malware is unable to maintain persistence, rebooting impacted devices will clear the infection and remove them from the botnet. However, researchers tracking this botnet have seen it grow from 12 devices to 24,000 devices between January 23 and January 25, 2018.

5/7/2018: In April 2018, Bitdefender researchers discovered the newest version of Hide 'N Seek (HNS), which incorporates code to target additional IPTV models by exploiting vulnerabilities in the Wansview NCS601W IP camera and AVTECH IP cameras, NVRs, and DVRs. If a device is compromised via Telnet, this version of HNS achieves persistence by adding itself to startup and automatically running when the device OS launches. At the time of writing, it is estimated that 90,000 devices have been impacted since January 2018, with the majority of bots located in China, followed by Russia, Brazil, the United States, and Italy.

The NJCCIC recommends that users and administrators of vulnerable or impacted Focus H&S IP cameras reboot the devices to ensure the infection has been cleared, disable Telnet access, proactively block any unused and unnecessary ports, and replace weak and default passwords with lengthy and complex passwords.
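The worm-like spread described above (one source generating random target addresses and probing Telnet on each) leaves a distinctive fan-out pattern in perimeter logs. The following detection script is an added example, not part of this profile or of Bitdefender's research; it runs over a constructed firewall log (RFC 5737 test addresses, field names "src", "dst", "dport" are assumed) and flags any source that probes TCP/23 on many distinct hosts.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the advisory), RFC 5737 test addresses.
# 203.0.113.7 probes TCP/23 on seven distinct hosts: the worm-like Telnet scan
# pattern. 203.0.113.9 probes only three, and 198.51.100.5 is ordinary traffic.
SAMPLE_LOG = """\
2018-01-24T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2018-01-24T10:00:02 src=203.0.113.7 dst=192.0.2.11 dport=23 proto=tcp
2018-01-24T10:00:02 src=203.0.113.7 dst=192.0.2.12 dport=23 proto=tcp
2018-01-24T10:00:03 src=203.0.113.7 dst=192.0.2.13 dport=23 proto=tcp
2018-01-24T10:00:03 src=203.0.113.7 dst=192.0.2.14 dport=23 proto=tcp
2018-01-24T10:00:04 src=203.0.113.7 dst=192.0.2.15 dport=23 proto=tcp
2018-01-24T10:00:04 src=203.0.113.7 dst=192.0.2.16 dport=23 proto=tcp
2018-01-24T10:00:05 src=198.51.100.5 dst=192.0.2.20 dport=443 proto=tcp
2018-01-24T10:00:05 src=198.51.100.5 dst=192.0.2.20 dport=443 proto=tcp
2018-01-24T10:00:06 src=203.0.113.9 dst=192.0.2.30 dport=23 proto=tcp
2018-01-24T10:00:06 src=203.0.113.9 dst=192.0.2.31 dport=23 proto=tcp
2018-01-24T10:00:07 src=203.0.113.9 dst=192.0.2.32 dport=23 proto=tcp
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def parse(log_text):
    """Yield (src, dst, dport) for each well-formed line; ignore the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def find_telnet_scanners(log_text, min_targets=5):
    """Return {src: distinct Telnet targets} for sources that hit TCP/23 on at
    least min_targets different hosts. The key signal is one source fanning out
    across many addresses, not many sources hitting one host."""
    targets = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport == 23:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, n in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: Telnet probes to {n} distinct hosts (scan-like)")
```

Tune min_targets to the network's normal Telnet usage; on a network where Telnet is disabled as recommended above, any hit on port 23 from a single source to more than a handful of hosts is worth investigating.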

Reporting and Technical Details: