The Hide ‘N Seek (HNS) Internet of Things (IoT) botnet, which initially targeted home routers, IP cameras, and video recorders, has been expanded by cybercriminals to target two NoSQL database servers, making it a cross-platform botnet.
Discovered in January by researchers from the antivirus firm Bitdefender, Hide ‘N Seek uses custom-built peer-to-peer (P2P) communications techniques to exploit victims and to also build its infrastructure, according to company researchers.
HNS initially targeted IP addresses on ports 80 (HTTP), 8080 (HTTP) and 23 (Telnet), but was tweaked to include remote code execution exploits to target NoSQL databases Apache CouchDB (port 5984) and OrientDB (port 2480) quite possibly for cryptocurrency mining, according to security researchers at Netlab.
NoSQL databases are increasingly being used for big data and real-time web applications. Government agencies are more likely to deploy enterprise NoSQL databases such as Amazon’s DynamoDB, MongoLab’s MongoDB, or Mark Logic’s enterprise NoSQL. But the fact that HNS is increasing its attack surface should be cause for concern.
What type of impact could HNS have on government agencies? That depends on whether agencies have IP cameras and how they are configured. It also depends if they are deploying open source NoSQL databases such as Apache CouchDB or OrientDB, said Justin Jett, director of audit and compliance for Plixer, a cybersecurity company that uses network traffic analytics to help organizations detect cyberthreats.
The HNS IoT botnet initially targeted Cisco Linksys routers, which are consumer grade and unlikely to be deployed by government agencies. “But if they have cameras or other devices connected to their networks that are IoT, those could be problematic,” Jett said.
As the Bitdefender researchers noted, HNS uses advanced P2P communication techniques to infect devices, which also makes it difficult to track.
Another complication is that HNS is not eradicated by rebooting an infected device, Jett noted. Traditionally, a restart of a compromised device will eradicate the IoT malware because it is usually written to memory. When a user powers down, the buffer of that cache is cleared, and the malware is removed. However, HNS has ways of surviving through that process by writing to file systems, Jett explained.
“That makes it a bit more complex, but one could do a factory restore of an IoT device, and it is reported that should resolve the issue,” he noted.
However, HNS is a worm, so if an attacker gains access to a device, the full gamut of nefarious activity can occur including changing system configurations and the deletion of records. Also, depending on how HNS is programmed, it can reach out to a command and control system to download files or insert other malware.
How Agencies Can Guard Against Hide ‘N Seek
To protect networks from HNS, security teams should make sure IoT devices are deployed with the least amount of privilege. For instance, an IoT camera’s role is extremely narrow. It records video and audio and sends it to some service or an internal appliance on the network. But it should not be reaching out to any other devices at all, Jett explained. There would be no reason for it to communicate with a computer or server that is not an appliance where the video is going.
“If you are seeing that type of traffic, those are certainly indicators that this IoT device has been infected. That gives you the foresight to [stop] the infection taking place beyond that one device.”
Devices should be deployed in such a way that they are only communicating with the required services. All other traffic should be blocked by firewalls, but those firewalls also must be properly configured. Improperly configured controls are a common way for malware to gain access onto networked devices.
Moreover, organizations that have databases such as the Apache CouchDB and the OrientDB should be monitoring network traffic communicating across those databases’ ports. For example, it is unlikely a computer or laptop in a marketing department would be communicating across ports 2480 and 5984 to the databases directly. Maybe the systems would communicate with web services that use the database, but that is a different port, Jett noted.
“If you are seeing direct traffic there, that is a problem,” he said.
The bottom line is IoT devices will continue to be the target for malicious actors. These devices should be deployed on the network with a very narrow set of tasks and connected to an even smaller set of systems on the network. Organizations should deploy the devices in a least-privileged way to reduce the attack surface when devices become compromised.