A new botnet made up of Internet of Things (IoT) devices, dubbed the Hide ‘N’ Seek (HNS) botnet, has been identified by researchers. It was reportedly first seen in early January 2018; it initially disappeared but resurfaced days later after further development. It then spread rapidly to infect more than 30,000 IoT devices.
HNS reportedly uses custom-built peer-to-peer communication to spread to new targets and uses the same exploit as the Reaper botnet, identified in September 2017. While previous IoT botnets have had DDoS functionality, including the Mirai botnet used to carry out significant DDoS attacks, HNS is currently believed to lack this component. However, it reportedly has the capability to carry out data exfiltration, code execution and interference with a device’s operation.
The use of custom-built decentralised architecture, along with a possible focus on espionage capabilities, represents an evolution in IoT botnets. HNS has reportedly undergone constant redevelopment, indicating the level of effort the threat actors are willing to invest in it. As with other botnets, HNS does not currently achieve persistence, and rebooting a compromised device should return it to a clean state. However, the device could easily be reinfected by the same route. Changing default passwords for IoT devices is an effective mitigation against some attacks.