Security researcher Jouini Ahmed noted that Hakai had expanded beyond its initial Huawei exploit to include exploits targeting D-Link routers that support the HNAP protocol, as well as Realtek routers and IoT devices using an older, vulnerable version of the Realtek SDK. Anubhav also told ZDNet that as Hakai matured, it broadened its capabilities with two more D-Link router exploits [1, 2].
But on top of all the exploits, the botnet also included a highly efficient Telnet scanner. These scans need no exploits: the Hakai malware takes over devices whose users did not change default passwords or were using simple passwords such as root, admin, 1234, and others.
By early and mid-August, as Hakai gained more steam with new exploits and infected devices, Tempest Security was reporting that Hakai had grown tremendously and was showing “signs of intense activity in Latin America.”
Furthermore, the Hakai codebase also seems to have made it into the hands of other people. Earlier today, Anubhav confirmed a report from last week by Intezer Labs that two different Hakai-based variants, named Kenjiro and Izuku, were also spreading online.
But while the Hakai botnet is now growing into a looming threat, the author's braggadocio has disappeared entirely: the author has cut off contact with security researchers and moved command and control servers.
This sudden change in the behavior of the Hakai author is related to the recent arrest of Nexus Zeta, the operator of another IoT botnet named Satori.
Just like the Hakai author, Nexus Zeta bragged online about his botnet's capabilities and constantly sought media coverage from researchers and infosec journalists, including from this reporter. His foolish approach left a trail of breadcrumbs that authorities had no difficulty in tracking to discover his real-world identity, an error the Hakai author doesn't seem intent on repeating.