Tuesday, July 23, 2024
EHA

HNS IoT Botnet Scanning & Exploits the Routers to Compromise the Victims Networks

HNS(Hide & Seek) IoT botnet attack victims network using router-based vulnerabilities such as  CVE-2016-10401 to propagate malicious code and steal the victim’s sensitive information.

HNS communication established through peer to peer network which one of the rare mechanism which is used by HNS as a second IoT Botnet after Hajime that is first IoT botnet that uses P2P communication.

Its very difficult task to take down the P2P network and there is a lot of updates has been implemented in HNS Botnet over the past months.

An updated version of HNS contains exploits for AVTECH devices (webcam, webcam), CISCO Linksys router, JAWS/1.0 web server, Apache CouchDB, OrientDB; with the two devices.

Also, HNS added the cpuminer mining program and also added support of OrientDB and CouchDB database.

So HNS Bonet is not only targeting the IoT devices but also it working against cross-platform and HNS presently supports 7 exploiting methods.

Also to avoid botnet attacks Enterprise Networks should choose the best DDoS Attack prevention services to ensure the DDoS attack protection and prevent their network.

Also Read:   Protect website from future attacks Also Check your Companies DDOS Attack Downtime Cost.

HNS Botnet Sample Analysis

An Initial stage of attack HNS botnet start scanning the targetted victims network and it borrows the code from powerful Mirai Botnet.

HNS  scanning for open ports including  TCP port 80/8080/2480/5984/23 and other random ports. According to 360 netlab, After implant the relevant ports the HNS will be utilizing the following exploits.

  1. TP-Link-Routers RCE
  2. Netgear RCE
  3. new: AVTECH RCE
  4. new: CISCO Linksys Router RCE
  5. new: JAW/1.0 RCE
  6. new: OrientDB RCE
  7. new: CouchDB RCE

Apart from this HNS node using 3 methods to contact to P2P, first one is from a hard-coded built-in list, second is from command-line args third one is from other P2P peers.

Check-in Process started with no Command line arguments then  HNS node will send lots of UPD check-in packets.

The Interaction Process in between HNS nodes with many characteristics to perform Peer to Peers interaction successfully and take down the victims network using various powerful router based exploits.

It using 171 hardcoded P2P peer address and the list is here.

An organization should always ensure and focus on maximum Protection level for enterprise networks and you can try a free trial to Stop DDoS Attack in 10 Seconds.

IoC

Malware Sample md5

c1816d141321276cd4621abcd280ee40    #hns x86
0770ff1a6e90eb5d083c16452e45abd5    #hns arm
30ebaaeb61a4ecae3ade7d1d4e5c7adb    #hns_miner 
Website

Latest articles

Beware Of Dating Apps Exposing Your Personal And Location Details To Cyber Criminals

Threat actors often attack dating apps to steal personal data, including sensitive data and...

Hackers Abusing Google Cloud For Phishing

Threat actors often attack cloud services for several illicit purposes. Google Cloud is targeted...

Two Russian Nationals Charged for Cyber Attacks against U.S. Critical Infrastructure

The United States has designated Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members...

Threat Actors Taking Advantage of CrowdStrike BSOD Bug to Deliver Malware

Threat actors have been found exploiting a recently discovered bug in CrowdStrike's software that...

NCA Shut’s Down the Most Popular “digitalstress” DDoS-for-hire Service

The National Crime Agency (NCA) has successfully infiltrated and dismantled one of the most...

Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual...

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles