Your browser is not supported. Please update it.

7 September 2018

What a surprise, a new IoT botnet emerges, Hakai

The latest threat for sysadmins to worry about is Hakai, carrying on a naming convention that Mirai, Hajime, and Satori seem to have cemented. Translating to ‘destruction’ in Japanese, there has been a sharp spike in Hakai activity in the past two weeks, first spotted by NewSky Security back in June.

But for as long as companies are going to be so lax with their security policies, these botnets are going to be a fact of life. Riot has outlined the problem before, which is going to be especially prevalent as smart home devices are commoditized, as the device makers will view security costs as an expense that can be cut, in order to slash the bill of materials as far as they can.

To this end, the end-devices themselves are going to be horrendously insecure, unless the chip-makers can get a handle on things and enforce some kind of root-level security policy – a monumental task that just does not seem feasible, especially if we move towards an open-source silicon future.

If all these insecure devices were being connected to the internet via some form of gateway, then we could rely on the gateway to act as arbitrator and firewall. But direct connections to cellular networks means that we can’t offload security solely to the WiFi gateway, and as the early Hakai attacks have shown, the WiFi gateways themselves appear pretty vulnerable.

Hakai has evolved considerably. The first sighting was something based on Qbot, an IoT-centric malware that has been in the wild for some years now. NewSky’s Ankit Anubhav told ZDNet that the first iteration of Hakai was unsophisticated and rarely active.

The people or person behind Hakai took the fairly unorthodox step of asking Anubhav to cover Hakai and bring attention to it, going as far as putting a photograph of him on the command and control website for Hakai. However, the malware quickly evolved, and the first attack was recorded in July, when it exploited a vulnerability in Huawei HG352 routers.

Activity levels have been growing since then, with other researchers spotting Hakai in mid-August, after it began targeting other devices. These have included D-Link routers that use the HNAP protocol, and Realtek routers that use an outdated SDK.

Hakai also uses the Telnet scanning features that made Mirai so dangerous. Scanning for vulnerable devices connected to any node it manages to compromise, Hakai will then attempt to use known default administrator credentials to gain control of these devices. As so many devices ship with predictable default passwords, this is still a highly effective attack vector, and it will remain so until device makers shift away from this habit – which they unfortunately still seem incredibly slow at doing.

The malware has also inherited another Mirai trait – there are now multiple variants of the code and associated botnet. Mirai was effectively open sourced as the authorities closed in on its authors, allowing other ne’er-do-wells to pick up the malware and run with it. There’s a chance this has happened with Hakai, as Intezer Labs reports two new variants – Kenjiro and Izuku.

ZDNet speculates that the shift in tone from the Hakai author might have something to do with the recent arrest of the person behind the Satori botnet, the twenty-year-old Kenneth Schuhman from Washington. Schuhman, the person behind the Nexus Zeta alias, had often bragged online and sought coverage from journalists, which left enough breadcrumbs for authorities to track him with. The Daily Beast has a good profile on the incident. Schuhman is being investigated by the same team that took down the Mirai authors – fitting, given that Satori is an evolution of Mirai.