Experts have been warning consumers for years about vulnerabilities in home automation solutions, and Hide ‘N Seek (HNS) might be the first in-the-wild malware to actively target these vulnerabilities. It is expected that the growth of Internet of Things (IoT) devices will reach 20.4 billion by 2020, and a growing segment of these devices are designed for home and business automation. While these devices make people’s lives much easier, they are also good news for cyber criminals since more connected IoT devices means more potential vulnerabilities.
HNS is an IoT botnet which communicates in a complex and decentralized manner (using custom-built peer-to-peer communication) in order to implement a variety of malicious routines. FortiGuard Labs has been monitoring this botnet malware carefully since it was first discovered at the start of the year. While it initially targeted routers, IP cameras, and DVRs, HNS now also targets cross-platform database solutions and smart home devices.
How did HNS evolve to this point? In large part, it is due to the open source Mirai code that is available to malware developers. Taking its inspiration from Mirai, and copying some of its code, HNS has created a new identity for itself. In this report we will take a look at the evolution of HNS and how it was able to add exploits on a regular basis over the past several months without making headlines.
In our previous HNS blog, we described how the decryption of the configuration table works and how it is similar to Mirai. By using IDAPython we were able to easily decrypt the configuration table and gain a better understanding of how the bot works. We decrypted the configuration tables of HNS samples from January 2018, when it was first spotted, up to the latest version we most recently captured.
Let’s take a look at the three examples below of different HNS samples and their configuration table entries. We can easily spot the difference between them simply by the number of entries each one has. We are particularly interested in the exploits that each version is using. The first variant, as shown below, has a configuration made up of 60 entries that includes 2 exploits, the second has 81 entries and 6 exploits, while the most recent now has 110 entries and 9 exploits.
Also noticeable in the configuration is the string /bin/busybox ~~~~~~~~, which can also serve as a signature since it is unique to HNS. This is similar to Mirai, which was given its name because of the strings /bin/busybox MIRAI and MIRAI: applet not found, which come from the command Mirai issues, and the response it expects, to confirm that it successfully brute-forced its way into a targeted IoT device.
Below is the timeline when the exploits (green) and functions (blue) were added together with the Xor keys (orange) that were used to decrypt the configuration table.
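The Mirai-style XOR decryption of the configuration table, as an added example that is not code from the original post or from FortiGuard Labs: it assumes the table is a sequence of [uint16 length][XOR-obfuscated bytes] entries and that the single XOR byte is folded from a 32-bit key exactly as in Mirai's table.c; the key and the entries below are constructed sample data, not HNS values.

```python
# Added example, not from the original post: a stand-alone re-implementation of
# the Mirai-style configuration-table obfuscation that HNS borrowed. Assumptions:
# entries are [uint16 LE length][bytes], every byte is XORed with one key byte
# folded from a 32-bit key (as in Mirai's table.c). Sample data is constructed.
import struct

def derive_xor_byte(key32: int) -> int:
    """Fold the 32-bit table key into a single XOR byte by XORing its four bytes."""
    return ((key32 & 0xFF) ^ ((key32 >> 8) & 0xFF)
            ^ ((key32 >> 16) & 0xFF) ^ ((key32 >> 24) & 0xFF))

def toggle_obf(data: bytes, key32: int) -> bytes:
    """Mirai-style toggle_obf(): XOR each byte with the folded key (self-inverse)."""
    k = derive_xor_byte(key32)
    return bytes(b ^ k for b in data)

def parse_table(blob: bytes, key32: int) -> list:
    """Walk the table and return every entry decrypted; stops at a truncated entry."""
    entries, off = [], 0
    while off + 2 <= len(blob):
        (length,) = struct.unpack_from("<H", blob, off)
        off += 2
        if off + length > len(blob):
            break  # malformed/truncated table: do not read past the buffer
        entries.append(toggle_obf(blob[off:off + length], key32))
        off += length
    return entries

def build_table(plain_entries: list, key32: int) -> bytes:
    """Construct an obfuscated table from plaintext entries (sample data only)."""
    return b"".join(struct.pack("<H", len(e)) + toggle_obf(e, key32)
                    for e in plain_entries)

def has_hns_busybox_marker(entries: list) -> bool:
    """Detection aid: the post notes '/bin/busybox ~~~~~~~~' is unique to HNS."""
    return any(e.startswith(b"/bin/busybox ~~~~~~~~") for e in entries)

# Constructed sample: Mirai's well-known 0xDEADBEEF key folds to 0x22; the
# entries mimic a small credential/command table and are not real HNS data.
SAMPLE_KEY = 0xDEADBEEF
SAMPLE_ENTRIES = [b"/bin/busybox ~~~~~~~~", b"admin", b"password", b"/bin/sh"]

def decrypt_sample() -> list:
    """Round-trip the constructed table through obfuscation and decryption."""
    return parse_table(build_table(SAMPLE_ENTRIES, SAMPLE_KEY), SAMPLE_KEY)

if __name__ == "__main__":
    for entry in decrypt_sample():
        print(entry)
    print("HNS busybox marker present:", has_hns_busybox_marker(decrypt_sample()))
```

When analysing a real sample, the key comes from the binary (the post's timeline lists the ones HNS used) and the blob is the table section carved from the firmware or ELF, so only the two constants change.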
Some interesting findings:
The latest device to be targeted by HNS is from Homematic, a provider of Smart Home devices from the German manufacturer eQ-3. The targeted device is the HomeMatic Zentrale CCU2. This is the central element of the HomeMatic system that provides a wide range of control, monitoring, and configuration options for all HomeMatic devices. This may be the moment when malware starts hacking your house.
It is also probably relevant to note that currently, we have not observed any capabilities found in HNS that take advantage of “smart” device features. This means the behaviour of HNS in an infected HomeMatic device is the same as in an infected regular router or IP camera and doesn’t yet target other capabilities.
Another known exploit that wasn't reported as being used by HNS is the Belkin NetCam RCE exploit. Below is a summary of all the exploits used, together with the publication date of each PoC.
Table 1. Exploit summary (columns: exploit, PoC published date)
Since its inception, HNS has already had eight updates including the integration of new functions and exploits.
HNS has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope. Utilizing freshly released PoC exploits to its arsenal increases the chance for it to be the first to infect these vulnerable devices.
With this new understanding of this malware’s recent behaviour we expect the next alterations to include more functions as well as the usage of publicly available exploits.
As always, by using the data we have collected from this analysis we here at FortiGuard Labs will continue to monitor this botnet and its future developments.
Thanks to our colleagues Amir Zali and Wayne Low for providing the IPS signatures.
-= FortiGuard Lion Team =-
Attacks mentioned are covered by the following IPS signatures: