Cyber Attack | Data Breach

Published on October 1st, 2018 📆 | 5836 Views ⚑

0

Hide and Seek (HNS) IoT Botnet targets Android devices with ADB option enabled


iSpeech.org

The latest samples of the HNS bot were designed to target Android devices having the wireless debugging feature ADB enabled.

TheĀ Hide and SeekĀ (HNS) IoT botnet was first spotted early this year, since its discovery the authors continuously evolved its code.

The IoT botnetĀ appeared in the threat landscape in January, whenĀ it was first discoveredĀ on January 10th by malware researchers from Bitdefender, then it disappeared for a few days, and appeared again a few weeks later infecting in a few days more than 20,000 devices.

The botnet initially spread infecting unsecured IoT devices, mainly IP cameras, in July securityĀ expertsĀ fromĀ Fortinet discoveredĀ that theĀ Hide ā€˜N SeekĀ botnet was improved to target vulnerabilities in home automation systems.

In the same month, experts from NetlabĀ observedĀ theĀ Hide ā€˜N Seek botnet targeting also cross-platform database solutions. It is currently the first IoT malware that implements a persistence mechanism to keep devices infected after reboots.

The latest samples of the HNS bot were designed to target Android devices having the wireless debugging feature enabled instead of exploiting known vulnerabilities.

By default, Android hasĀ Android Debug Bridge (ADB) option disabled, but often vendors enable it to customize the operating system, then ship the devices with the feature turned on.

The authors of the HNS botnet are attempting to compromise new devices by exploiting the features.

ā€œThe newly identified samples add functionality by exploiting theĀ Android Debug Bridge (ADB) over Wi-FiĀ feature in Android devices, which developers normally use for troubleshooting.ā€ reads theĀ analysisĀ published by BitDefender.

[adsense size='1' ]





ā€œWhile itā€™s traditionally disabled by default, some Android devices are shipped with it enabled, practically exposing users to remote connections via theĀ ADB interfaceĀ thatā€™s accessible using theĀ TCP port 5555. Any remote connection to the device is performed unauthenticated and allows for shell access, practically enabling attackers to perform any task in administrator mode.ā€

In February 2018, security researchers atĀ Qihoo 360ā€™s Netlab haveĀ spottedĀ an Android mining botnet that was targeting devices with ADB interface open.

The recent improvement of theĀ Hide and Seek botnet, allowed its operators to addĀ 40,000 new devices, most of them in Taiwan, Korea, and China.

 

 

Expert pointed out that the HNS bot could infect any device, including smart TVs and DVRs, that has ADB over Wi-Fi enabled could be affected too.

ā€œItā€™s safe to say that not just Android-running smartphones are affected ā€” smart TVs, DVRs and practically any other device that has ADB over Wi-Fi enabled could be affectedĀ too.ā€Ā concludesBitdefender.

ā€œConsidering the evidence at hand, we speculate the botnet operators are constantly adding new features to ā€œenslaveā€ as many devices as possible, although the true purpose of the botnet remains unknown.ā€

Tagged with: ā€¢ ā€¢ ā€¢ ā€¢ ā€¢ ā€¢ ā€¢ ā€¢ ā€¢ ā€¢



Comments are closed.






Ā© Torchsec Ā Privacy PolicyĀ Disclaimer Ā T&C



Back to Top ↑