Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet 

December 13, 2023 at 12:24PM

Malware hunters in the US have uncovered a resilient botnet built from outdated SOHO routers, serving as a covert data transfer network for Chinese government-backed hacker group Volt Typhoon. The botnet spans various sectors, including critical infrastructure organizations. Black Lotus Labs plans to release detailed technical analysis of the threat, urging network defenders to watch for suspicious data transfers.

A significant threat has emerged in the form of a botnet operated by the Chinese government-backed hacking group known as Volt Typhoon. The botnet is made up of end-of-life SOHO routers from several vendors, which have been compromised to build a covert data transfer network for the group's operations.

The botnet, named KV-botnet, has been found to encompass a complex infection process and a well-concealed command-and-control framework. Notably, the hackers have taken advantage of outdated routers that are no longer receiving security patches, making them vulnerable to critical security issues.

Black Lotus Labs, as the threat-intel arm of Lumen Technologies, has conducted research on this botnet and highlighted the hacking group’s hands-on-keyboard manual operations and clever evasion of security software. They have raised the alarm that the hacking group may be preparing for increased activity over the holiday season, as evidenced by the targeting of new device types and mass exploitation in early December.

The company is set to release a detailed technical analysis of the botnet and related artifacts, along with evidence linking it to Volt Typhoon. Furthermore, they plan to make the malware and related artifacts publicly available to assist organizations in mitigating the threat and preparing for potential future attacks.

Emphasizing the urgent need for action, Black Lotus Labs has warned that this trend of utilizing compromised firewalls and routers is likely to persist as a core component of threat actor operations. They have advised network defenders to closely monitor for large data transfers, even if the destination IP address is located in the same geographical area.
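The monitoring advice above is easy to get wrong if egress alerting exempts destinations that geolocate nearby. The following added example (not code from the article or from Black Lotus Labs) aggregates constructed flow records per source/destination pair and compares a geography-exempting heuristic with one that flags any large transfer; the IP addresses, region labels and byte threshold are hypothetical.

```python
from collections import defaultdict

# Constructed flow records for illustration: (src_ip, dst_ip, dst_region, bytes_out).
# The addresses are documentation ranges and the values are hypothetical.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", "same-region", 40_000_000),
    ("10.0.0.5", "203.0.113.10", "same-region", 35_000_000),
    ("10.0.0.7", "198.51.100.20", "foreign", 90_000_000),
    ("10.0.0.9", "192.0.2.30", "same-region", 2_000_000),
]

THRESHOLD_BYTES = 50_000_000  # hypothetical per-destination egress threshold


def aggregate_egress(flows):
    """Sum outbound bytes per (src, dst) pair and remember each pair's region label."""
    totals = defaultdict(int)
    regions = {}
    for src, dst, region, nbytes in flows:
        totals[(src, dst)] += nbytes
        regions[(src, dst)] = region
    return totals, regions


def flag_transfers(flows, threshold, ignore_same_region):
    """Return (src, dst) pairs whose aggregated egress meets the threshold.

    ignore_same_region=True reproduces the weak heuristic of trusting destinations
    that geolocate locally; False applies the threshold regardless of geography,
    which is the behaviour the detection guidance calls for.
    """
    totals, regions = aggregate_egress(flows)
    flagged = []
    for pair, total in sorted(totals.items()):
        if total < threshold:
            continue
        if ignore_same_region and regions[pair] == "same-region":
            continue  # the exemption silently drops a 75 MB same-region transfer
        flagged.append(pair)
    return flagged


if __name__ == "__main__":
    print("geo-exempting:", flag_transfers(FLOWS, THRESHOLD_BYTES, True))
    print("geo-agnostic: ", flag_transfers(FLOWS, THRESHOLD_BYTES, False))
```

Running the block shows the same-region pair 10.0.0.5 -> 203.0.113.10 appears only in the geo-agnostic result, even though it moved more data than the threshold.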

Given the wide deployment of end-of-life routers in major organizations worldwide and the lack of resources and expertise among many home and small business users to monitor or detect malicious activity, the seriousness of the threat cannot be overstated. It is crucial for network defenders to remain vigilant and take proactive measures to address this imminent danger.

Furthermore, it is imperative that organizations with affected networks and devices take immediate steps to mitigate the threat, considering the potential impact on high-value networks, including those associated with critical infrastructure and satellite-based networks in the US.

Finally, the publicizing of detailed technical analysis and evidence of links to Volt Typhoon indicates a commitment to transparency and a collaborative approach in addressing this critical cybersecurity issue.