HNS Evolves From IoT to Cross-Platform Botnet

By Catalin Cimpanu
Published: 2018-07-06 · Archived: 2026-04-05 13:18:23 UTC

A botnet discovered at the start of the year and named Hide 'N Seek (HNS) has expanded from infecting Internet of Things (IoT) devices and is now also targeting cross-platform database solutions.

This is an important development in the botnet's evolution, which also passed a significant milestone in May when it became the first IoT malware that was capable of surviving device reboots.

HNS now targets more devices

Now, the Netlab research team at Qihoo 360 says that HNS has expanded beyond the scope of routers and DVRs and is now also targeting database applications running on server operating systems.

According to Netlab researchers, the botnet is now capable of infecting the following types of devices, with the following types of exploits:

1. TPLink-Routers RCE
2. Netgear RCE
3. (new) AVTECH RCE
4. (new) CISCO Linksys Router RCE
5. (new) JAW/1.0 RCE
6. (new) OrientDB RCE
7. (new) CouchDB RCE

As a side effect of adding more payloads, HNS is also noisier now, as it needs to scan more ports to find new hosts to infect. Experts say they've seen HNS bots initiating scans on ports:

23      Telnet
80      HTTP Web Service
2480    OrientDB
5984    CouchDB
8080    HTTP Web Service
... but also random ports

But HNS was easy to spot anyway because it's only the second major IoT botnet besides Hajime known to use a P2P structure, so security researchers would have an easy time identifying it regardless.

HNS testing coinminer payload

HNS is not the first botnet to target OrientDB servers, which have become quite the favorite among various botnets.
For example, DDG, a botnet discovered last year, which is still alive today, has targeted OrientDB servers in the past with cryptocurrency-mining malware.

In fact, it appears that HNS operators might have learned something from the DDG crew because Netlab says HNS has also started dropping a coinminer payload on some of the infected systems.

Fortunately, for the time being, it appears that these deployments have all failed, as the additional coinminer payload failed to start and generate funds for the HNS operators.

But if they manage to get it up and running, they'll be in for some profits, as the DDG gang collected well over $1 million from their coinmining last year.

The Netlab team has published an in-depth analysis of the changes in HNS compared to its previous variant spotted back in January.

Source: https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/
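
The scan ports listed in the article can be turned into a simple egress-monitoring heuristic. The following is an added example, not code from the article or from Netlab: it flags internal sources that probe several of those ports across many distinct hosts. The record format, the sample flows and both thresholds are assumptions.

```python
from collections import defaultdict

# Ports the article lists for HNS scans (it also mentions random ports,
# which this heuristic does not cover).
HNS_PORTS = {23: "Telnet", 80: "HTTP", 2480: "OrientDB", 5984: "CouchDB", 8080: "HTTP"}

# Constructed sample flow records: "src_ip dst_ip dst_port" (documentation ranges).
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.1 23
192.0.2.10 198.51.100.2 2480
192.0.2.10 198.51.100.3 5984
192.0.2.10 198.51.100.4 8080
192.0.2.10 198.51.100.5 80
192.0.2.10 198.51.100.6 23
192.0.2.20 198.51.100.50 80
192.0.2.20 198.51.100.50 8080
192.0.2.20 198.51.100.50 80
192.0.2.30 198.51.100.7 5984
192.0.2.30 198.51.100.7 5984
malformed line
"""

def parse_flows(text):
    """Yield (src, dst, port) tuples, skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])

def find_scanners(flows, min_ports=3, min_hosts=5):
    """Return {src: (sorted ports, host count)} for sources that probed at
    least min_ports of the listed ports across at least min_hosts distinct
    destinations. Both thresholds are assumptions to tune per network."""
    ports, hosts = defaultdict(set), defaultdict(set)
    for src, dst, port in flows:
        if port in HNS_PORTS:
            ports[src].add(port)
            hosts[src].add(dst)
    return {
        src: (sorted(ports[src]), len(hosts[src]))
        for src in ports
        if len(ports[src]) >= min_ports and len(hosts[src]) >= min_hosts
    }

if __name__ == "__main__":
    for src, (p, n) in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: probed ports {p} on {n} hosts")
```

A web client that only touches ports 80 and 8080 on one server stays below both thresholds, while the source that walks Telnet, HTTP, OrientDB and CouchDB ports across six hosts is reported.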