New HEH Botnet Launches Brutal Attacks on IoT Devices and Systems

By Ludovic F. Rembert, Head of Research at Privacy Canada.

While ransomware has been grabbing all the headlines, botnets have continued to grow with much less publicity.

That may be about to change as cyberattackers are now using botnets to wipe all data from internet-connected devices. This includes routers, servers, and IoT devices.

Businesses and individuals need to be aware that any internet-linked device is potentially vulnerable to cyberattacks. As IoT devices often have proprietary firmware, they may be more of a challenge to attack than computers and standard mobile devices. Their security can, however, be compromised by default/weak passwords.

Here are the different ways that the new HEH botnet can launch attacks on IoT devices and systems:

Attacks depend on exposed ports and default/weak passwords

The newly discovered HEH botnet looks for devices that have ports 23/2323 (the Telnet ports) exposed online. If it can reach these ports, it performs a low-level brute-force attack on the password. If this succeeds, it proceeds to install the HEH malware, and this is what wipes the data from the system.
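As an added example (not part of the original article), the detection side of the brute-force stage just described: a small Python routine that reads BusyBox-style login failure lines from a gateway's syslog and flags any source address that produces a burst of failed Telnet logins inside a sliding time window. The log lines, the source addresses, the threshold and the window size are all constructed assumptions, not observed HEH traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (assumption, not from the article): syslog output of a
# BusyBox-style telnetd/login on a gateway. One source hammers root/admin,
# another produces a single isolated failure, and one line is unrelated noise.
SAMPLE_LOG = """\
Oct  6 10:01:02 gw login[1201]: FAILED LOGIN (1) on 'pts/0' from '198.51.100.7' FOR 'root', Authentication failure
Oct  6 10:01:03 gw login[1201]: FAILED LOGIN (2) on 'pts/0' from '198.51.100.7' FOR 'root', Authentication failure
Oct  6 10:01:04 gw dhcpd: DHCPACK on 10.0.0.14 to 00:11:22:33:44:55 via br0
Oct  6 10:01:05 gw login[1203]: FAILED LOGIN (1) on 'pts/0' from '198.51.100.7' FOR 'admin', Authentication failure
Oct  6 10:01:08 gw login[1203]: FAILED LOGIN (2) on 'pts/0' from '198.51.100.7' FOR 'admin', Authentication failure
Oct  6 10:01:12 gw login[1205]: FAILED LOGIN (1) on 'pts/0' from '198.51.100.7' FOR 'root', Authentication failure
Oct  6 10:01:20 gw login[1205]: FAILED LOGIN (2) on 'pts/0' from '198.51.100.7' FOR 'admin', Authentication failure
Oct  6 10:05:00 gw login[1290]: FAILED LOGIN (1) on 'pts/1' from '203.0.113.9' FOR 'root', Authentication failure
"""

# Matches the BusyBox login failure format assumed above; other lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login\[\d+\]: "
    r"FAILED LOGIN \(\d+\) on '[^']*' from '(?P<src>[^']+)' FOR '(?P<user>[^']*)'"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; relative ordering is all we need.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("src"), m.group("user")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source_ip: alert} for sources with >= threshold failures in a window.

    The alert records when the burst started, how many failures fall inside the
    current window, and every username the source has tried.
    """
    windows = defaultdict(deque)   # per-source timestamps of recent failures
    users = defaultdict(set)       # per-source usernames attempted
    alerts = {}
    for ts, src, user in parse_failures(lines):
        q = windows[src]
        q.append(ts)
        users[src].add(user)
        # Drop failures that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = {
                "first_seen": q[0],
                "failures": len(q),
                "usernames": sorted(users[src]),
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {alert['failures']} failures since {alert['first_seen'].time()}, "
              f"usernames tried: {', '.join(alert['usernames'])}")
```

Feeding the gateway's live syslog into `detect_bruteforce` (for example via `tail -F`) gives an early signal of the password-guessing stage before any wipe happens; the single failure from the second address stays below the threshold and is correctly ignored.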

In some ways, HEH is more notable for what it doesn’t do than for what it does. It doesn’t mine cryptocurrency, spy on users, or encrypt data for ransom. It simply wipes devices clean of data. This might not be technically impressive, but when you consider that 89% of business professionals agree that the protection of data is vital to their company’s survival, you can see why knowing how to shield against HEH is so important.

Wiping all data also removes a device’s firmware

HEH has the potential to bring a whole new meaning to the phrase “delivering disruption with IoT”. Wiping the data from an IoT device also wipes its firmware, leaving it “bricked”. Given that 87% of businesses describe the IoT as “vital” to their future success, it’s easy to see how this could deliver major disruption.

At present, it seems likely that SMBs and private individuals will be the worst affected. Firstly, larger businesses are probably more likely to understand how to undertake robust security checks on their applications and APIs. This means that they are less likely to get infected. Secondly, they are more likely to know how to reactivate “bricked” devices.

At present, it’s easy to defend against HEH

At present, little is known about the background of HEH. In fact, it’s not even clear if the data-wiping functionality is intentional or if it was actually meant to be a self-destruct mechanism.

It may be that HEH was just intended as a basic cyber-mischief or as an experiment that went wrong. It may however be that HEH is still in the process of being developed. If it’s the latter, then there is the potential for it to become much more dangerous.

HEH requires two security weaknesses to be present, namely exposed Telnet ports and default/weak passwords. Ideally, both would be addressed. If, however, you need to keep Telnet ports open, you can still protect yourself against HEH by using a strong password.
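An added example, not from the article: a Python audit of the first of those two weaknesses on your own devices. It takes an inventory you supply and reports which hosts accept a TCP connection on the Telnet ports HEH relies on, so the exposed ones can be firewalled or have Telnet disabled. The inventory names and addresses (RFC 5737 documentation ranges, so the script runs offline without touching real hosts) and the one-second timeout are assumptions.

```python
import socket

# Constructed inventory (assumption, not from the article). The addresses are
# RFC 5737 documentation addresses, so running this as-is reaches nothing.
DEVICE_INVENTORY = {
    "office-router": "192.0.2.1",
    "lobby-camera": "192.0.2.20",
    "warehouse-sensor-gw": "198.51.100.40",
}

# The ports the article names as HEH's entry point.
TELNET_PORTS = (23, 2323)


def check_telnet_exposure(host, ports=TELNET_PORTS, timeout=1.0):
    """Return {port: reachable} for each port, where reachable means a TCP
    connection to host:port completed within the timeout.

    Only a connect is attempted; no login or banner interaction takes place.
    """
    result = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[port] = True
        except OSError:
            # Refused, filtered, unreachable or timed out all count as not exposed.
            result[port] = False
    return result


def audit_inventory(inventory, ports=TELNET_PORTS, timeout=1.0):
    """Return {device_name: [open Telnet ports]} for the whole inventory."""
    findings = {}
    for name, host in inventory.items():
        exposure = check_telnet_exposure(host, ports=ports, timeout=timeout)
        findings[name] = [port for port, reachable in exposure.items() if reachable]
    return findings


if __name__ == "__main__":
    for name, open_ports in audit_inventory(DEVICE_INVENTORY).items():
        if open_ports:
            print(f"{name}: Telnet reachable on {open_ports} - close the port or enforce a strong password")
        else:
            print(f"{name}: no Telnet exposure")
```

Run this from the network segment an attacker would arrive from (typically the WAN side) rather than from inside the LAN, since the article's concern is ports exposed to the internet; an internal-only Telnet service still warrants a strong password but is not what HEH scans for.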

Governmental efforts are already being made to ensure that IoT devices have robust security protection straight out of the box. For example, both California and Oregon have implemented IoT security laws and the UK has a government-backed code of practice for IoT-device manufacturers, albeit a voluntary one.

At present, however, in most situations, the onus is still very much on the purchaser to make sure that their password is appropriately robust. One strategy you can use to protect your IoT devices from HEH is to rely on dynamic application security testing (or DAST). It is a security approach in which a DAST tool attempts to hack into your application while it is running in order to detect any vulnerabilities.

This means that both businesses and individuals need to inform themselves of effective password management. Businesses must also ensure that they have processes in place to reduce the likelihood of human error.

Strong passwords are only a starting point

Strong passwords may help protect the IoT devices of companies and individuals against primitive threats such as HEH. They are, however, nowhere near enough to ensure the sort of robust protection modern companies need. In particular, there are three key areas all companies must address.

These days, it is no longer enough just to rely on automated defenses such as anti-malware software and firewalls (although these are still essential). You have to use 24/7 threat monitoring for constant vigilance. If you don’t have the capability to do this yourself, then you need to work with a vendor that does.

You also need to ensure that all software, operating system, and firmware updates are applied promptly. By this point, companies should already have a robust process for updating computers and mobile devices. IoT devices may, however, be overlooked and this can create an opportunity for hackers.

Remote and mobile security

Security isn’t just about protecting your website from hackers. It’s about preventing your website from being used as a way to gain backdoor access to your internal network. Keeping your website safe requires a very similar approach to keeping your internal company network safe.

The good news is there are a number of measures you can take. For instance, it’s very important for your business website to be secured with SSL, which permits data sent over your website to be authenticated and encrypted so that it can only be accessed by the intended recipient. But despite SSL being so important and simple to set up, less than one third of all domains even use an SSL certificate. Don’t make the same mistake.

There are also anti-malware programs and firewalls for websites. Similarly, you need to keep your web-related software updated and carefully manage access both to the admin controls and any back-end databases.

Users who are regularly out of the office will need particularly robust training to identify social engineering attacks. Sophisticated cybercriminals may see them as soft targets as they lack the protection of having colleagues (and IT) nearby. They cannot, therefore, just call someone over for help in the same way as location-based workers.

Finally, businesses should ensure that employees only connect to the company network over a reliable virtual private network, or VPN. A VPN can encrypt all data sent over your network and hide your employees’ IP addresses for an added level of security.

VPNs are also a rather inexpensive investment, as there are a number of quality options available for under $6 a month that also offer proven encryption measures in the form of IKEv2 and L2TP. With this in mind, there’s really no reason for your company not to invest in one.

Paying attention to basic security will go a long way toward protecting against even sophisticated cyberattacks. Basic security measures you can take include combining anti-malware software, firewalls/WAFs, VPNs, and threat-monitoring software with regular software updates and password and account management.

It is, however, important to remember that users (and especially remote and mobile workers) are generally the weakest link in your security chain. It is therefore vital to ensure that they are suitably educated and monitored.
