Hide-N-Seek IoT Botnet Starts Infecting Database Servers

Hide ‘N Seek (HNS), an IoT botnet known for infecting home routers, IP cameras and digital video recorders, has recently started compromising NoSQL database servers.

HNS was discovered by researchers from antivirus firm Bitdefender in January and stood out among other IoT threats due to its use of peer-to-peer communications and its attempt to gain persistence on infected devices.

Most IoT devices have a read-only file system and just a writable configuration file. Because of this, malware programs that infect such devices are wiped at reboot and need to be reinstalled by attackers.

HNS was the first IoT botnet to attempt persistence, but it was using a rudimentary technique that likely didn’t work on a lot of devices. By comparison, the recently discovered VPNFilter malware uses a much more reliable method of surviving reboots, making it more dangerous and sophisticated.

That said, HNS’ creators are continuously improving their malware. According to new research by Qihoo 360’s Netlab team, the botnet has recently added new remote code execution exploits to its arsenal for AVTECH webcams, Linksys routers, the Java AUGUR Web Server (JAWS), Apache CouchDB and OrientDB.

“In particular, with the added support of OrientDB and CouchDB database servers, HNS is no longer just an IoT botnet, but a cross-platform botnet now,” the Netlab researchers said in a blog post.

The botnet scans IP addresses on five primary ports: 80 (HTTP), 8080 (HTTP), 2480 (OrientDB), 5984 (CouchDB) and 23 (Telnet). Both OrientDB and CouchDB are NoSQL-style database stores and the reason for infecting these servers might be cryptocurrency mining. The Netlab researchers observed a cpuminer component that’s still in development.
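To turn the port list above into a simple detection, here is an added example (not from the article or from Netlab's research) that reads constructed firewall log lines in an assumed `src=… dst=… dport=…` format and flags sources that probe several of the HNS-scanned ports across several hosts:

```python
# Added example, not code from the article or Netlab: flag sources that
# probe several of the ports HNS scans, using constructed firewall log lines.
from collections import defaultdict
import re

# The five primary ports the article reports HNS scanning.
HNS_PORTS = {80: "HTTP", 8080: "HTTP", 2480: "OrientDB", 5984: "CouchDB", 23: "Telnet"}

# Constructed sample lines in an assumed "src=... dst=... dport=..." format.
SAMPLE_LOG = """\
2018-07-02T10:00:01Z action=deny src=198.51.100.7 dst=203.0.113.10 dport=2480
2018-07-02T10:00:02Z action=deny src=198.51.100.7 dst=203.0.113.11 dport=5984
2018-07-02T10:00:02Z action=allow src=192.0.2.44 dst=203.0.113.10 dport=443
2018-07-02T10:00:03Z action=deny src=198.51.100.7 dst=203.0.113.12 dport=23
2018-07-02T10:00:04Z action=deny src=198.51.100.7 dst=203.0.113.13 dport=8080
2018-07-02T10:00:05Z action=allow src=192.0.2.44 dst=203.0.113.10 dport=80
2018-07-02T10:00:06Z action=deny src=192.0.2.99 dst=203.0.113.14 dport=23
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse(log_text):
    """Yield (src, dst, dport) tuples; lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def find_hns_style_scanners(log_text, min_ports=2, min_targets=2):
    """Return {src: sorted HNS ports hit} for sources that touched at least
    min_ports distinct HNS ports across at least min_targets distinct hosts.
    Requiring several ports and hosts keeps ordinary web traffic on 80/8080
    from triggering on its own."""
    ports_by_src = defaultdict(set)
    hosts_by_src = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport in HNS_PORTS:
            ports_by_src[src].add(dport)
            hosts_by_src[src].add(dst)
    return {
        src: sorted(ports)
        for src, ports in ports_by_src.items()
        if len(ports) >= min_ports and len(hosts_by_src[src]) >= min_targets
    }

if __name__ == "__main__":
    for src, ports in find_hns_style_scanners(SAMPLE_LOG).items():
        names = ", ".join(f"{p}/{HNS_PORTS[p]}" for p in ports)
        print(f"{src} probed {names}")
```

On the sample above only 198.51.100.7 is reported; the host that merely browsed ports 80 and 443 is not.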

The botnet has also gained a third method for discovering P2P peers, in addition to the two it was using when it was discovered by Bitdefender. The malware now comes with a hardcoded list of 171 peers that it will try to interact with during the initial check-in process.

For the internet scanning component that’s used to find new victims, HNS uses code borrowed from the infamous Mirai IoT botnet whose source code was leaked on the internet in 2016.

Given its continued development, new exploit additions and P2P architecture, HNS is likely to remain a threat for some time to come.

“P2P-like botnets are hard to take down,” the Netlab researchers warned.

WordPress 4.9.7 Fixes Publicly Disclosed File Deletion Vulnerability

The WordPress team has released version 4.9.7 of the popular content management system, fixing a flaw that could allow low-privileged accounts to delete arbitrary files from web servers.

The vulnerability was publicly disclosed at the end of June by researchers Slavco Mihajloski and Karim El Ouerghemmi after they privately reported it to the WordPress developers seven months ago, yet it remained unfixed.

The reason for the lack of action from the WordPress team for such a long time might be that, to exploit the vulnerability, attackers need access to an account with the permission to upload media files. That’s not necessarily difficult to achieve for attackers, especially on news sites or blogs that have multiple users with the Author privilege who could be targeted.

“Exploiting the vulnerability grants an attacker the capability to delete any file of the WordPress installation (+ any other file on the server on which the PHP process user has the proper permissions to delete),” the two researchers said in their original report. “Besides the possibility of erasing the whole WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the webserver.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
