Remember when we said the “Hide ‘N Seek” IoT (Internet of Things) botnet may be a sign of what’s to come? Well, according to a blog post published by Bitdefender on May 7, it looks like the prophecy is true. Hide ‘N Seek has infected close to 90,000 devices total (including more than 20,000 over the course of just a few days back in January) and has unlocked an extremely concerning new achievement: Persistence. The latest version of the malware discovered last week is the world’s first to gain persistence (the ability to survive a reboot) on infected devices.
If that wasn’t enough cause for alarm, the most recent version of the Hide ‘N Seek malware also wields new binaries that allow it to target new vulnerabilities and types of devices. In a SecurityWeek report posted earlier today, Bitdefender Senior E-Threat Analyst Bogdan Botezatu elaborates on which IoT devices this malware is targeting. Here’s an excerpt:
“The list is extremely long and features several camera models, but the hardcoded credentials also target several router models. In addition to specific models, the bot also attempts these credentials against Telnet for all sorts of devices. The fact that it has binaries compiled for 10 platforms and architectures shows that the attacker is aiming at enrolling as many devices, regardless of type, maker, and model,” Botezatu said.
“We’ve notified vendors about this,” he added.
Over the past three months, Hide ‘N Seek has been growing steadily although some devices left the botnet, while others joined it. Most likely, the botnet lost those devices “that could not be exploited in a way to offer persistence,” Botezatu said.
According to Botezatu, Hide ‘N Seek appears to be in the growth phase – hunting IoT devices that can be exploited in a way to offer persistence – to help the botnet seize as many devices as possible. But what is Hide ‘N Seek’s end game? Botezatu notes that Bitdefender’s researchers have yet to find any support for distributed denial of service (DDoS) in the five versions of the botnet they’ve observed thus far.
The lack of weaponized features in the binary – particularly DDoS, which is the most common objective of IoT botnets found in the wild – indicates that Hide ‘N Seek’s game plan is to get even bigger before it returns again even badder.