HEH Botnet

Cybercriminals are once again going after vulnerable or unsecured Internet-of-Things (IoT) devices. While these devices host important information rarely, cybercriminals can use them for other purposes – such as executing cryptocurrency mining operations or performing Distributed-Denial-of-Service (DDoS) attacks. The latest botnet to harvest IoT devices is called the HEH Botnet, and its primary targets appear to be routers, followed closely by miscellaneous IoT devices and servers. However, the operators' goal behind the HEH Botnet is not still clear because their project appears to exhibit rather strange behavior.

The HEH Botnet is actively looking for victims by scanning the Internet for devices, which have the Telnet ports 23 and 2323 exposed. This would allow the criminals to try to brute force the correct combination of a username and password and access the compromised device. Surprisingly, the HEH Botnet operators are not using the enslaved devices to mine for cryptocurrency, perform ad-fraud, launch DDoS attacks, or any of the other activates that major botnets participate in.

The devices infected by the HEH Botnet are commanded to perform more brute-force attacks against accessible Telnet networks, therefore trying to expand the botnet's size. The botnet also can run a set of PowerShell commands serving an interesting purpose – wiping the device's partitions. Thankfully, the latter activity has not been spotted yet, so it seems to be unused. However, if HEH Botnet's creators opt to use it, they may end up disabling tens of thousands of routers and IoT devices simultaneously.

The HEH Botnet is compatible with popular CPU architectures like PPC, MIPS, ARM and x64/x86. If any of your devices are using the Telnet service on a regular basis, now it is a good time to secure it with a strong password and prevent attacks like the one the HEH Botnet executes.