Delaware, USA – January 25, 2018 – A few days ago, a new IoT botnet was discovered; researchers from Bitdefender dubbed it HNS. The botnet continues to proliferate around the world: in the last 24 hours the number of bots in it has almost doubled, and it now includes more than 24,000 devices. Initially, the HNS botnet infected mostly IP cameras. Infected devices try to connect to random IP addresses with open ports (80, 23, 2323, 8080) and perform a brute force attack. If successful, the bot determines the device and the method to compromise it. Attackers can steal data from an infected device, execute a command on it or interfere with its operation.
Also, researchers from NewSky Security have discovered two new versions of the Mirai botnet that attack D-Link equipment: Masuta and PureMasuta. The researchers tied these botnets to the Satori botnet, which was created by Nexus Zeta. How the hacker will use the newly created botnets is still unknown, but the Satori botnet was recently seen in attacks on cryptocurrency mining equipment.
It is quite difficult to monitor the security of IoT devices, but existing botnets cannot yet maintain persistence on the devices and are deleted after a reboot. You can observe data flow on your network using the Netflow Security Monitor use case for ArcSight, QRadar and Splunk. Suspicious surges of traffic from IoT devices may indicate their exploitation by adversaries.
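The flow-based check described above, sketched as an added example (it is not code from the article or from the use case it mentions): it flags IoT hosts that contact many distinct external addresses on the ports listed for HNS within one time window. The flow record format, the IoT subnet and the threshold are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SCAN_PORTS = {23, 80, 2323, 8080}         # ports the article lists for HNS
IOT_NET = ip_network("192.168.50.0/24")   # assumption: the IoT VLAN
FANOUT_THRESHOLD = 20                     # assumption: distinct peers per window


def parse_flow(line):
    """Parse one 'epoch src dst dport bytes' record (constructed format)."""
    ts, src, dst, dport, nbytes = line.split()
    return int(ts), ip_address(src), ip_address(dst), int(dport), int(nbytes)


def find_scanners(lines, window=60, threshold=FANOUT_THRESHOLD):
    """Return {src: peak count of distinct external peers on SCAN_PORTS}.

    Uses tumbling windows, so a burst that straddles a window boundary is
    counted in two halves; size the window and threshold with that in mind.
    """
    buckets = defaultdict(set)            # (src, window index) -> peers
    for line in lines:
        ts, src, dst, dport, _ = parse_flow(line)
        if src in IOT_NET and dst not in IOT_NET and dport in SCAN_PORTS:
            buckets[(src, ts // window)].add(dst)
    peak = defaultdict(int)
    for (src, _), peers in buckets.items():
        peak[src] = max(peak[src], len(peers))
    return {str(s): n for s, n in peak.items() if n >= threshold}


def sample_flows():
    """Constructed flows: one scanning camera and two benign devices."""
    t0, flows = 1516838400, []
    for i in range(30):
        port = (23, 2323, 80, 8080)[i % 4]
        # .10 sweeps 30 different addresses on the HNS ports
        flows.append(f"{t0 + i} 192.168.50.10 198.51.100.{i + 1} {port} 120")
        # .11 talks to a single cloud endpoint over and over
        flows.append(f"{t0 + i} 192.168.50.11 203.0.113.5 80 900")
        # .12 has high fan-out, but on a port outside the list
        flows.append(f"{t0 + i} 192.168.50.12 198.51.100.{i + 1} 443 400")
    return flows


if __name__ == "__main__":
    for host, peers in find_scanners(sample_flows()).items():
        print(f"{host}: {peers} distinct external peers on scan ports")
```

Fan-out per source is a more specific signal than raw byte volume here, because brute-force attempts against many addresses produce little traffic per connection.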