Hide ‘N Seek: From Home Routers to Smart Home Insecurities

Experts have been warning consumers for years about vulnerabilities in home automation solutions, and Hide ‘N Seek (HNS) might be the first in-the-wild malware to actively target these vulnerabilities. It is expected that the growth of Internet of Things (IoT) devices will reach 20.4 billion by 2020, and a growing segment of these devices are designed for home and business automation. While these devices make people’s lives much easier, they are also good news for cyber criminals since more connected IoT devices means more potential vulnerabilities.

HNS is an IoT botnet which communicates in a complex and decentralized manner (using custom-built peer-to-peer communication) in order to implement a variety of  malicious routines. FortiGuard Labs has been monitoring this botnet malware carefully since it was first discovered at the start of the year. While it initially targeted routers, IP cameras, and DVRs, HNS now also targets cross-platform database solutions and smart home devices.

How did HNS evolve to this point? In large part, it is due to the open source Mirai code that is available to malware developers. Getting its inspiration from, as well as copying some code from Mirai, HNS has created a new identity for itself. In this report we will take a look at HNS evolution and how it was able to add exploits on a regular basis over the past several months without making headlines.

Configuration table

In our previous HNS blog, we mentioned how the decryption of the configuration table works and how it is similar to Mirai. By using IDA python we were able to easily decrypt the configuration table and gain a better understanding on how the bot works. We decrypted HNS configuration table samples from January 2018, when it first was spotted, up to the latest version we most recently captured.

Let’s take a look at the three examples below of different HNS samples and their configuration table entries. We can easily spot the difference between them simply by the number of entries each one has. We are particularly interested in the exploits that each version is using. The first variant, as shown below, has a configuration made up of 60 entries that includes 2 exploits, the second has 81 entries and 6 exploits, while the most recent now has 110 entries and 9 exploits. 

Also noticeable in the configuration is the /bin/busybox ~~~~~~~~ which can also serve as a signature as it is unique to HNS. This is similar to Mirai, which was given the name because of the strings /bin/busybox MIRAI and MIRAI: applet not found, which are commands to determine if it successfully brute-forced its way into a targeted IoT device.

Timeline

Below is the timeline when the exploits (green) and functions (blue) were added together with the Xor keys (orange) that were used to decrypt the configuration table.

Some interesting findings:

• The first HNS sample only used 2 exploits
• March-April, HNS samples were observed changing Xor keys almost every week. Constantly changing these keys this could help prevent the automated decryption of its configuration table
• HNS samples starting from April have been packed by UPX
• HNS samples add persistence and can survive a reboot
• From April onwards, HNS has been gradually adding exploits to its arsenal one at a time. HNS authors are careful to make sure that the version released is stable enough before embedding more exploits
• Each time a new exploit is added the Xor key for the configuration table is also changed
• The latest added exploit to be added is HomeMatic Zentrale CCU2 RCE
• In less than a week after the PoC was published of the Apache CouchDB RCE and HomeMatic Zentrale CCU2 RCE vulnerabilities, HNS was quickly to implement them into its code
• The latest HNS sample utilizes 9 exploits

The latest device to be targeted by HNS is from Homematic, a provider of Smart Home devices from the German manufacturer eQ-3. The targeted device is the HomeMatic Zentrale CCU2. This is the central element of the HomeMatic system that provides a wide range of control, monitoring, and configuration options for all HomeMatic devices. This may be the moment when malware starts hacking your house.

It is also probably relevant to note that currently, we have not observed any capabilities found in HNS that take advantage of “smart” device features. This means the behaviour of HNS in an infected HomeMatic device is the same as in an infected regular router or IP camera and doesn’t yet target other capabilities.

Another known exploit that wasn’t reported as being used by HNS is the Belkin NetCam RCE exploit. Below is a summary of all the exploits used and its PoC published date.

Table 1. Exploit summary

Since its inception, HNS has already had eight updates including the integration of new functions and exploits.

Conclusion

HNS has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope. Utilizing freshly released PoC exploits to its arsenal increases the chance for it to be the first to infect these vulnerable devices.

With this new understanding of this malware’s recent behaviour we expect the next alterations to include more functions as well as the usage of publicly available exploits.

As always, by using the data we have collected from this analysis we here at FortiGuard Labs will continue to monitor this botnet and its future developments.

Thanks to our colleaguse Amir Zali and Wayne Low for providing the IPS signatures.

-= FortiGuard Lion Team =-

Solution

Attacks mentioned are covered by the following IPS signatures:

TP-Link.Wireless.Router.Backdoor

Belkin.NetCam.goform.Command.Injection

NETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution

Avtech.Devices.HTTP.Request.Parsing.Multiple.Vulnerabilities

Linksys.Eseries.Router.Remote.Command.Execution

JAWS.DVR.CCTV.Shell.Unauthenticated.Command.Execution

OrientDB.Remote.Code.Execution

OrientDB.fetchplan.Query.Code.Execution

Apache.CouchDB.JSON.Remote.Privilege.Escalation

Apache.CouchDB.Config.Command.Execution

HomeMatic.CCU2.CGI.Remote.Code.Execution

IOCs

6058f5dacd3e9ca31ca9e684627b0cd89633ea03a9c6b1a38489a93042ddcc2a                 Linux/Mirai.BD!tr

a19c23e0c2b7a20d19a32f2eecd2c69839a0d64badc37ca063d91ce9e59ac183                  Linux/Mirai.BD!tr

26929a76f099abde1bdda2aa193f633763c22f261588aadc63c54606e42d00af Linux/Mirai.CK!tr

87b916c2de79ffa2099707e6510f48b16bd762b8335f656e86aab2f5ebb388d2                  Linux/Mirai.CK!tr

16b888a68a957709900a341650c66b58778e397671b04eed3afa2ee264480f37               Linux/Mirai.CK!tr

b24a197d27b03f5592d3c92b2fd412e56c71c1f3975b2b883a90ef9ff6bb876a Linux/Mirai.CK!tr

76b632fe10340c5254a01ca8caa4861c698cf9df10eefc869aaefea88649b2a5     Linux/Mirai.BD!tr

4ffef90f5fb0ae23733b623694180d30e3fd8e10fe9bc9cb844348eda05003e3    Linux/HNS.HZ!tr