Tuesday, October 15, 2024
HomeBotnetHNS IoT Botnet Compromised More than 14k Devices that Spreads from Asia...

HNS IoT Botnet Compromised More than 14k Devices that Spreads from Asia to the United States

Published on

Malware protection

A new IoT Botnet dubbed HNS is growing phenomenally and spreads from Asia to the United States.The HNS IoT Botnet features a worm-like mechanism and embeds numerous commands such as data exfiltration, code execution and interference with a device’s operation.

The Bot was uncovered by Bitdefender Security researchers, they first spotted the bot by Jan. 10 and then it faded up and comes back significantly in more improved form by Jan. 20.

It utilizes the same exploit(CVE-2016-10401) as Reaper done and other vulnerabilities in the networking components.

- Advertisement - SIEM as a Service

The bot growing enormously and geographically distributed, initially it started as 12-device network and now it counts more than 14k.

HNS IoT Botnet
Source:’ Bitdefender
Much like anything nowadays, even IoT can go under attack by the individuals who know how to tackle its potential for malice. So it perhaps didn’t come as any big surprise that back in October 2016, Mirai (Japanese for “the future”), a malware surfaced attacking IoT devices such as IP cameras and home routers turning them into “bots”.

HNS IoT Botnet Operation

HNS bot has a worm-like spreading mechanism and randomly generates victim IP list. Later it initiates SYN connection to host and established communication if it get’s response from destination ports (23 2323, 80, 8080).

Researchers said "Once the connection has been established, the bot looks
for a specific banner (“buildroot login:”) presented by the victim. If it
gets this login banner, it attempts to log in with a set of predefined
credentials. If that fails, the botnet attempts a dictionary attack using
a hardcoded list".

Once the Bot has a new victim it identifies the target victim and select attack method suitable for the device.If the victims are through LAN and not over the Internet it setup TFTP server to download the malware and if the victim over the Internet it attempts a remote code delivery.

All the attack techniques are preconfigured and the bot decides attack vector based on the victim.It also has a custom-built p2p communication mechanism. Bitdefender published a technical report with communication mechanism and supported commands.

Mitigations – HNS IoT Botnet

The bot is not a persistent one, so a reboot could clean the device.

Hashes

efcd7a5fe59ca8223cd282bfe501a2f92b18312c
05674f779ebf9dc6b0176d40ff198e94f0b21ff9

As with any new technology, IoT promises to be the future of the Internet, bringing better connectivity and ease of use of the devices we use, but these botnet attacks show, an equal amount of stress must be placed on security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

GorillaBot Emerged As King For DDoS Attacks With 300,000+ Commands

The newly emerged Gorilla Botnet has exhibited unprecedented activity, launching over 300,000 DDoS attacks...

Flax Typhoon’s Botnet Actively Exploiting 66 Vulnerabilities In Various Devices

The Five Eyes agencies recently released a joint cybersecurity advisory detailing a new botnet,...

Researchers Detailed Raptor Train Botnet That 60,000+ Compromised Devices

Researchers discovered a large, Chinese state-sponsored IoT botnet, "Raptor Train," that compromised over 200,000...