- At Least 40,000 new devices remain vulnerable to the botnet’s new infection vector.
- The IoT botnet has been targeting Android devices and can now survive device reboots.
The notorious Hide and Seek IoT botnet has been enhanced with new capabilities and can now deliver command injection exploits in a device's web interface. The botnet has been targeting Android devices with its new wireless debugging feature, generally used for troubleshooting.
The botnet’s new infection vector, instead of exploiting a vulnerability, focuses on exploiting a device misconfiguration that allows attackers to quietly install and execute functions with unauthenticated root administrator privileges on a targeted device.
Hide and Seek exploits ABD
One of the new features added to Hide and Seek allows it to exploit the Android Debug Bridge (ADB) function. This could be considered a game changer for botnets, as most IoT botnets currently are not capable of exploiting ADB.
ADB is an operating system (OS) developer function that listens for traffic via port 5555 and allows anyone to connect over the internet to a device. Multiple mobiles and IoT vendors across the globe are still shipping devices with ADB enabled, potentially leaving them vulnerable to hackers.
In fact, cybercriminals have already leveraged ADB in a cryptojacking malware campaign, which was reported earlier in June by Qihoo 360's Network Security Research Lab [Netlab] division.
Botnet could infect 40,000 more devices
“The Hide and Seek botnet already packed a vast arsenal for compromising internet-connected devices, and this recent addition may enable it to amass at least another 40,000 new devices, according to a quick search on Shodan,” Bitdefender researchers, who discovered the upgraded version of Hide and Seek, wrote in a blog post.
The researchers discovered that while most of the affected devices are located in Taiwan, Korea, and China, some infected devices were also detected in the US and Russia.
The botnet has a history of adding to its capabilities - in May, Hide and Seek added a new feature that allowed it to survive reboots on an infected router, as reported by Bleeping Computer.
Hide and Seek is currently capable of infecting not only Android devices but also smart TV’s and DVRs. Practically any other device that has ADB over Wi-Fi enabled could also be added to the the botnet’s growing arsenal of compromised IoT devices.
Hide and Seek continues to evolve
The purpose of the botnet is still unknown, but it keeps enhancing its features and abilities to add as many devices to its network as possible. While some devices could be directly exposed to the internet, others are hidden behind routers, making them more vulnerable to the botnet.
“Although it supports commands for data exfiltration and code execution the researchers have not seen them used by the botnet. Also, there is no module for launching distributed denial-of-service attacks, a primary method for botnet monetization,” Alex Balan, a security researcher at Bitdefender told Bleeping Computer.
ADB is ideally meant to be switched off by default in Android devices. However, various device manufacturers enable the feature to customize the OS for their products. This has resulted in leaving customers exposed to potential intrusive attacks. Vendors should provide an immediate product update for vulnerable devices to address the issue.