Hide 'N Seek IoT Botnet Can Infect Database Servers
Ionut Arghire | July 10, 2018
The Hide 'N Seek Internet of Things (IoT) botnet has recently added support for more devices and can also infect OrientDB and CouchDB database servers, Qihoo 360's NetLab researchers say. When first detailed in January this year, the botnet was evolving and spreading rapidly, ensnaring tens of thousands of devices within days. Targeting numerous vulnerabilities, the malware was capable of data exfiltration, code execution, and interference with the device operation. By early May, the malware had infected over 90,000 devices, added code to target more vulnerabilities, and also adopted persistence, being able to survive reboots. The persistence module, however, would only kick in if the infection was performed over the Telnet service. A peer-to-peer (P2P) botnet, Hide 'N Seek has continued to evolve, and is currently targeting even more vulnerabilities than before. The botnet now also includes exploits for AVTECH devices (webcam) and Cisco Linksys routers, Qihoo 360's NetLab reveals. Furthermore, the malware now includes 171 hardcoded P2P node addresses, has added a crypto-currency mining program to its code, and has also evolved into a cross-platform threat, with the addition of support for OrientDB and CouchDB database servers. The botnet’s spreading mechanism includes a scanner borrowed from Mirai, targeting fixed TCP port 80/8080/2480/5984/23 and other random ports. For infection, the malware attempts remote code execution using exploits targeting TPLink Routers, Netgear routers (also targeted by Reaper botnet and Mirai variant Wicked), AVTECH cameras, Cisco Linksys Routers, JAW/1.0, OrientDB, and Apache CouchDB.