Hide N Seek botnet infects IoT devices with standard passwords

The Hide ‘N Seek botnet continues to grow by infecting vulnerable Internet or Things (IoT) devices that still use their default passwords. That’s what Avast security analysts say, SecurityIntelligence reports.

According to Avast, the botnet comes with two important functionalities. The first uses a scanner that it has borrowed from Mirai malware to reach any IP addresses of IoT devices and to exploit known vulnerabilities. If that doesn’t work, the scanner will try to use brute force to access a device. It uses a list of default passwords.

For the second functionality, the botnet uses a peer-to-peer (P2P) protocol to share information about new peers, collect files from an infected device, and distribute new binaries. Among those binaries are some for a cryptocurrency-miner for monero. Researchers at Avast think that the monero-miner was only a test and that the real intentions of the attackers are still unknown.

Hide ‘N Seek

Hide ‘N Seek was discovered by Bitdefender researchers in January this year. A few months later, Bitdefender reported that the threat had added code that exploited two new vulnerabilities. These vulnerabilities had an impact on Internet Protocol television (IPTV) camera models. This was used to scan for a larger group of vulnerable devices. The code also had to ensure a constant presence on an infected IoT product.

More improvements followed in July. 360 Netlab saw more exploits and a currently inactive mining program. Two months later, Bitdefender discovered another update, when the botnet was given the opportunity to abuse the Android Debug Bridge (ADB) about Wi-Fi functions in Android devices.

The evolution of the botnet is a major concern given the general growth in IoT threats. In the first half of 2018, Kaspersky Lab detected 121,588 malware samples targeting IoT. That is three times more than in the whole of 2017.