February 1, 2018

Last Updated on January 18, 2024

View our free cybersecurity resources »

Security researchers at the Romanian cybersecurity and antivirus software vendor Bitdefender have spotted what looks like the most sophisticated and potentially deadly botnet yet—possibly signaling a change in how malicious botnets will now be utilized by cyber attackers.

How the Hide N Seek Botnet Works

The new threat was dubbed “Hide N Seek” or HNS because it went underground for a few days after surfacing briefly on January 10, then popped back up with a vengeance on January 20 in an improved form. HNS spreads using a worm-like methodology, generating lists of IP addresses from the Internet to use as potential targets. It then sends SYN requests to those IPs.
As services respond to the SYN requests, HNS uses a brute-force, dictionary-based password attack to gain access to the host, and then proceeds to infect the target. It can spread both over the web and via internal LANs. So once one machine has become a bot, other devices on the network can quickly fall victim as well.

A New Form of Botnet

While the way in which HNS spreads is not unusual, how it functions after infection definitely is. Normally, botnets are built to grow and grow, becoming a formidable force to be used in Distributed Denial of Service (DDoS) attacks or similar efforts. But HNS seems to be geared towards a different mission that goes even further.
For one thing, it is only the second botnet known to date (the first being Hajime) that has a decentralized, peer-to-peer architecture that was custom-built from scratch. This P2P architecture makes it harder to take down.
Rather than just rendering services useless, HNS is capable of opening UDP ports and modifying device firewall rules to allow connections to those ports. This means that it can send commands to the host—allowing the botnet to execute code, modify configurations, drop files and exfiltrate data.
In short, Hide ‘N Seek potentially poses an incredibly deadly threat to organizations worldwide. This attack can pull data out of infected systems to the source of the botnet, modify data under direction of the botnet’s handlers, or destroy data where it resides.
This level of deadly complexity is unheard-of in botnets, and none has previously posed this level of threat. Currently, HNS has infected over 32,000 bots worldwide—and that number is rising fast. Many of these devices are security cameras that are exposed to the Internet with default access credential. However, HNS has the potential to compromise the full spectrum of connected IoT devices.

How to Lower Your IoT Botnet Risk

What can you do to protect your organization from this deadly new threat? Start with IoT Security 101: get all systems off the Internet that don’t absolutely have to be on it, and change the default credentials of all devices with the strongest passwords possible. Next, restart all your devices. HNS is not persistent, and resetting the device will clear it of any issues, at least as of now. Wherever possible, disable Telnet logins and instead use SSH. Finally, install the latest firmware on all your IoT devices.
In short: 

  1. Take unnecessary connected devices off of the Internet 
  2. Restart all your devices 
  3. Disable Telnet logins where possible 
  4. Install latest firmware on your IoT devices 

Explore our IoT security assessments service offering to learn more. To get help with securing your network and IoT devices, including auditing the IoT devices currently on your network, contact Pivot Point Security. 

More HNS Botnet and IoT Security Information

Don't Get Hooked!

Phishing emails are tricky. Based on our Cyber Security Awareness Taining material, the 10 Tips for Detecting Phishing Emails infographic provides a cheatsheet of what to look for in unfamiliar emails.
Download our Detecting Phishing Infographic now!