HNS IoT Botnet Compromised More than 14k Devices that Spreads from Asia to the United States

A new IoT Botnet dubbed HNS is growing phenomenally and spreads from Asia to the United States.The HNS IoT Botnet features a worm-like mechanism and embeds numerous commands such as data exfiltration, code execution and interference with a device’s operation.

The Bot was uncovered by Bitdefender Security researchers, they first spotted the bot by Jan. 10 and then it faded up and comes back significantly in more improved form by Jan. 20.

It utilizes the same exploit(CVE-2016-10401) as Reaper done and other vulnerabilities in the networking components.

The bot growing enormously and geographically distributed, initially it started as 12-device network and now it counts more than 14k.

Much like anything nowadays, even IoT can go under attack by the individuals who know how to tackle its potential for malice. So it perhaps didn’t come as any big surprise that back in October 2016, Mirai (Japanese for “the future”), a malware surfaced attacking IoT devices such as IP cameras and home routers turning them into “bots”.

HNS IoT Botnet Operation

HNS bot has a worm-like spreading mechanism and randomly generates victim IP list. Later it initiates SYN connection to host and established communication if it get’s response from destination ports (23 2323, 80, 8080).

Researchers said "Once the connection has been established, the bot looks
for a specific banner (“buildroot login:”) presented by the victim. If it
gets this login banner, it attempts to log in with a set of predefined
credentials. If that fails, the botnet attempts a dictionary attack using
a hardcoded list".

Once the Bot has a new victim it identifies the target victim and select attack method suitable for the device.If the victims are through LAN and not over the Internet it setup TFTP server to download the malware and if the victim over the Internet it attempts a remote code delivery.

All the attack techniques are preconfigured and the bot decides attack vector based on the victim.It also has a custom-built p2p communication mechanism. Bitdefender published a technical report with communication mechanism and supported commands.

Mitigations – HNS IoT Botnet

The bot is not a persistent one, so a reboot could clean the device.

Hashes

efcd7a5fe59ca8223cd282bfe501a2f92b18312c
05674f779ebf9dc6b0176d40ff198e94f0b21ff9

As with any new technology, IoT promises to be the future of the Internet, bringing better connectivity and ease of use of the devices we use, but these botnet attacks show, an equal amount of stress must be placed on security.