1 year ago



otnets DEADLY GAME OF HIDE 'N' SEEK BITDEFENDER RESEARCHERS HAVE UNCOVERED AN EMERGING BOTNET THAT USES ADVANCED COMMUNICATION TECHNIQUES TO EXPLOIT VICTIMS AND BUILD ITS INFRASTRUCTURE Anew bot, dubbed HNS, has been intercepted by Bitdefender's IoT honeypot system, following a credentials dictionary attack on the Telnet service. The bot was first spotted in early January this year, then faded away in the following days, only to reemerge 10 days later in a significantly improved form. "The HNS botnet communicates in a complex and decentralised manner, and uses multiple anti-tampering techniques to prevent a third party from hijacking/ poisoning it," explains Bogdan Botezatu, senior e-threat analyst at Bitdefender. The bot can perform web exploitation against a series of devices via the same exploit as Reaper and other vulnerabilities against networking equipment. It embeds a plurality of commands, such as data exfiltration, code execution and interference with a device's operation. The bot features a worm-like spreading mechanism that randomly generates a list of IP addresses to get potential targets. It then initiates a raw socket SYN connection to each host in the list and continues communication with those that answer the request on specific destination ports (23 2323, 80, 8080). Once the connection has been established, the bot looks for a specific banner ("buildroot login:") presented by the victim. If it gets this login banner, it attempts to log in with a set of predefined credentials. If that fails, the botnet attempts a dictionary attack using a hardcoded list." VICTIM EXPLOITATION Once a session is established with a new victim, the sample will run through a 'state machine' to properly identify the target device and select the most suitable compromise method. "For example, if the victim has the same LAN as the bot, the bot sets up TFTP server to allow the victim to download the sample from the bot," adds Botezatu. "If the victim is located on the internet, the bot will attempt a specific remote payload 20 computing security March/April 2018 @CSMagAndAwards

otnets delivery method to get the victim to download and run the malware sample. These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts." The samples identified in Bitdefender's honeypots in early January revolved around IP cameras manufactured by a Korean company. "These devices seemed to play a major role in the botnet, as, out of the 12 IP addresses hardcoded in the sample, 10 used to belong to Focus H&S devices. The new version, observed on January 20, dropped the hardcoded IPs." Like other IoT bots, the newly discovered HNS bot cannot achieve persistence and a reboot would bring the compromised device back to its clean state. It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralised, peer-topeer architecture. "However, if in the case of Hajime, the p2p functionality was based on the BitTorrent protocol. Here, we have a custom-built p2p communication mechanism. The bot opens a random port on the victim and adds firewall rules to allow inbound traffic for the port. It then listens for connections on the open port and only accepts the specific commands described below. Our initial look at the sample revealed an elliptic curve key inside the file that is used to authenticate the command which updates the memory zone where configuration settings are stored, to prevent infiltration or poisoning attempts against the botnet." CHATBOT MENACE Meanwhile, a warning has been issued about another kind of 'bot' - Chatbots. According to security expert BOHH Labs, they can also pose a serious security threat. "Chatbots are quickly becoming the interface of choice for many organisations. In fact, a recent survey conducted by Oracle revealed that 80 per cent of businesses want chatbots by 2020. While the advances in Artificial Intelligence (AI) and mobile technology have created a new set of tools for brands to communicate with, the technology itself has yet to reach a mature state and is consequently strongly vulnerable to cyberattacks," cautions Simon Bain, cybersecurity expert and CEO, BOHH Labs. Current bot solutions are not entirely secure and can create open passages for cyber criminals to access the data flowing through chatbot's interface. In essence, this gives cyber attackers direct access to an organisations' network, applications and databases. As Bain explains: "While bot technology has improved drastically in recent years, for maximum security, chatbot communication should be encrypted and chatbots should be deployed only on encrypted channels. This can be easily set up on an organisation's own website; but, for brands that use chatbots through third-party platforms such as Facebook, the security features are decided by the third party's own security branch, which means the organisation does not have as much control over the security features on the chatbot. Until public platforms offer end-to-end encryption in their chatbots, businesses should remain cautious." One of the biggest advantages in using chatbots is that they are a cheaper solution to customer service. They can serve and reach customers in a way that would otherwise require a tremendous amount of time and resources. This is an area where chatbots are gaining momentum, but instead of bots Bogdan Botezatu, Bitdefender: the bot can perform web exploitation against devices via the same exploit as Reaper. replacing entire customer service teams, organisations are working with them in tandem, in order to improve customer satisfaction. However, as chatbots seek to collect information from users, the information that is stored and the metadata must be properly secured. "When running a chatbot, organisations must consider how the information is stored, how long it's stored for, how it's used and who has access to it," Bain says. "This is especially important for highly regulated industries, such as finance, that will deal with sensitive customer information." While there are clear advantages to integrating chatbot technology as a new communication tool, if companies aren't made aware of the potential security risks, confidential data will be accessible by any determined hacker. "Additionally, attackers may be able to repurpose chatbots to harvest sensitive data from unsuspecting customers." he concludes. @CSMagAndAwards March/April 2018 computing security 21