HNS (Hide-N-Seek) is a botnet that was discovered earlier this year. It has now started infecting Internet of Things devices and is also known to target cross-platform database solutions. The latest version seems to have made significant improvements; for example, it appears to be capable of surviving device reboots.
The research team at Netlab and Qihoo 360 said that HNS has started expanding beyond the scope of routers and DVRs and is currently operating to exploit database systems too.
The botnet can utilise the following exploits:
- TP-Link-Routers RCE
- Netgear RCE
- (new) AVTECH RCE
- (new) CISCO Linksys Router RCE
- (new) JAWS/1.0 RCE
- (new) OrientDB RCE
- (new) CouchDB RCE
The HNS botnet uses more processing power than before, since it now scans the following ports for potential exploitation:
- 23 Telnet
- 80 HTTP Web Service
- 2480 OrientDB
- 5984 CouchDB
- 8080 HTTP Web Service

… it has also been known to scan other random ports.
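The port list above can serve as a scan signature for defenders. The following Python is an added example, not code from Netlab or the original article: it flags sources that probe several of the listed ports, including a database port, within a short time window. The log format, the sample lines, and the thresholds (`window_s`, `min_ports`) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports the article lists as scanned by HNS.
HNS_PORTS = {23, 80, 2480, 5984, 8080}
DB_PORTS = {2480, 5984}  # OrientDB, CouchDB

# Assumed firewall log format: "<ISO time> DROP src=<ip> dst=<ip> dpt=<port>"
LINE_RE = re.compile(r"^(\S+) DROP src=(\S+) dst=\S+ dpt=(\d+)$")

# Constructed sample: a fast multi-port scanner, a web crawler, a slow prober.
SAMPLE_LOG = """\
2024-01-01T03:00:01 DROP src=198.51.100.7 dst=192.0.2.10 dpt=23
2024-01-01T03:00:02 DROP src=198.51.100.7 dst=192.0.2.10 dpt=80
2024-01-01T03:00:04 DROP src=198.51.100.7 dst=192.0.2.10 dpt=2480
2024-01-01T03:00:05 DROP src=198.51.100.7 dst=192.0.2.10 dpt=5984
2024-01-01T03:00:09 DROP src=198.51.100.7 dst=192.0.2.10 dpt=8080
2024-01-01T03:10:00 DROP src=203.0.113.20 dst=192.0.2.10 dpt=80
2024-01-01T03:10:01 DROP src=203.0.113.20 dst=192.0.2.10 dpt=8080
2024-01-01T01:00:00 DROP src=203.0.113.99 dst=192.0.2.10 dpt=23
2024-01-01T02:00:00 DROP src=203.0.113.99 dst=192.0.2.10 dpt=80
2024-01-01T03:00:00 DROP src=203.0.113.99 dst=192.0.2.10 dpt=8080
2024-01-01T04:00:00 DROP src=203.0.113.99 dst=192.0.2.10 dpt=2480
malformed line without the expected fields
"""

def find_hns_like_scanners(log_text, window_s=300, min_ports=4):
    """Map each flagged source IP to the sorted HNS-listed ports it probed."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(3)) in HNS_PORTS:  # malformed lines are skipped
            when = datetime.fromisoformat(m.group(1))
            events[m.group(2)].append((when, int(m.group(3))))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most window_s.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            # Require breadth across the list plus at least one database port.
            if len(ports) >= min_ports and ports & DB_PORTS:
                flagged[src] = sorted({p for _, p in hits})
                break
    return flagged
```

Requiring a database port keeps ordinary web crawlers (80/8080 only) out of the results; widening `window_s` trades more false positives for catching slower probing.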
HNS is easy to spot since it is the second most prevalent botnet after Hajime. Most of these botnets are trying to infect OrientDB servers.
Here is the list of services that are affected:
- Added exploits for AVTECH devices (webcam, webcam), CISCO Linksys router, JAWS/1.0 web server, Apache CouchDB, OrientDB; with the two devices mentioned in the original report, HNS currently supports 7 exploiting methods altogether
- Hard-coded P2P node addresses have been increased to 171
- In addition, we observed that the HNS botnet adds a cpuminer mining program; it is not functioning properly yet.
- In particular, with the added support of OrientDB and CouchDB database servers, HNS is no longer just an IoT botnet, but a cross-platform botnet now.