US Feds Shut Down China-Linked “KV-Botnet” Targeting SOHO Routers


The US government said on Wednesday that it has taken steps to neutralize a botnet comprising hundreds of US-based small office and home office (SOHO) routers hijacked by a China-linked state-sponsored threat actor called Volt Typhoon, and to mitigate the impact posed by the hacking campaign.

The existence of the botnet, dubbed KV-botnet, was first disclosed by Lumen Technologies’ Black Lotus Labs team in mid-December 2023. The law enforcement action was reported by Reuters earlier this week.

“The vast majority of routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached ‘end of life’ status; that is, they were no longer supported through their manufacturer’s security patches or other software updates,” the Department of Justice (DoJ) said in a press release.

Volt Typhoon (also known as DEV-0391, Bronze Silhouette, or Vanguard Panda) is the name assigned to a China-based adversarial collective that has been linked to cyberattacks against critical infrastructure sectors in the United States and Guam.

“Chinese cyber actors, including a group known as ‘Volt Typhoon,’ are burrowing deep into our critical infrastructure to be ready to launch destructive cyber attacks in the event of a major crisis or conflict with the United States,” said CISA Director Jen Easterly.

The cyber espionage group, believed to have been active since 2021, is known for its reliance on legitimate tools and living-off-the-land (LotL) techniques to fly under the radar and persist in victims’ environments for extended periods of time in order to collect sensitive information.


Another notable aspect of its modus operandi is its attempt to blend into normal network activity by routing traffic through compromised SOHO network equipment, including routers, firewalls, and VPN hardware, in order to obfuscate its true origin.

This is achieved via the KV-botnet, which commandeers devices from Cisco, DrayTek, Fortinet, and NETGEAR for use as a covert data transfer network by advanced persistent threat actors. The botnet operators are suspected of offering their services to other hacking groups, including Volt Typhoon.

A SecurityScorecard report published in January 2024 revealed how the botnet was responsible for compromising as many as 30% (or 325 of 1,116) of end-of-life Cisco RV320/325 routers over a 37-day period from December 1, 2023, to January 7, 2024.

“Volt Typhoon is at least one user of the KV-botnet […] this botnet comprises a subset of their operational infrastructure,” Lumen Black Lotus Labs said, adding that the botnet “has been active since at least February 2022.”

The botnet is also designed to drop a virtual private network (VPN) module onto vulnerable routers and set up a direct encrypted communication channel to control the botnet and use it as an intermediate relay node to achieve its operational goals.

“One function of the KV-botnet is to transmit encrypted traffic between infected SOHO routers, allowing the hackers to anonymize their activities (i.e., the hackers appear to be operating from the SOHO routers, as opposed to their actual computers in China),” according to affidavits filed by the United States Federal Bureau of Investigation (FBI).

As part of its efforts to disrupt the botnet, the agency said it remotely issued commands to targeted routers in the United States using the malware’s own communication protocols to delete the KV-botnet payload and prevent the devices from being reinfected. The FBI said it notified every victim of the operation, either directly or through their Internet service provider if contact information was unavailable.

“The court-authorized operation eliminated the KV-botnet malware from the routers and took additional steps to disrupt their connection to the botnet, such as blocking communications with other devices used to control the botnet,” the DoJ added.

It is important to note here that the unspecified prevention measures taken to remove the routers from the botnet are temporary and do not survive a reboot. In other words, simply restarting the devices would make them susceptible to reinfection.

“The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure such as our communications, energy, transportation and water sectors – steps that China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous,” said FBI Director Christopher Wray.


However, the Chinese government, in a statement shared with Reuters, denied any involvement in the attacks, dismissing them as a “disinformation campaign” and saying it “has been categorical in opposing hacker attacks and the abuse of information technology.”

In conjunction with the takedown, the US Cybersecurity and Infrastructure Security Agency (CISA) released new guidance urging SOHO device manufacturers to adopt a secure-by-design approach during development and shift the security burden away from customers.

Specifically, manufacturers are advised to eliminate exploitable flaws in the web management interfaces of SOHO routers and to change default device configurations so that automatic update features are supported and a manual override is required to remove security settings.

The compromise of edge devices such as routers for use in advanced persistent attacks mounted by Russia and China highlights a growing problem that is exacerbated by the fact that legacy devices no longer receive security patches and do not support endpoint detection and response (EDR) solutions.

“Creating products without adequate security controls is unacceptable given the current threat environment,” CISA said. “This case exemplifies how a lack of security-by-design practices can lead to real harm to both customers and, in this case, our nation’s critical infrastructure.”
