Stealthy KV-botnet hijacks SOHO routers and VPN devices

December 13, 2023 at 05:50PM

The Chinese state-sponsored hacking group Volt Typhoon, also tracked as Bronze Silhouette, has been linked to a botnet dubbed ‘KV-botnet’ that has been active since at least 2022. The group compromises SOHO routers, firewalls, and VPN devices and uses them as covert relay infrastructure; US government and Microsoft assessments hold that it is pre-positioning to disrupt critical communications infrastructure. The observed activity points to espionage and information gathering, with the most recent attacks seen as of December 5, 2023.

Key points from the report:

1. The Chinese state-sponsored hacking group Volt Typhoon, also known as Bronze Silhouette, is affiliated with the ‘KV-botnet’, a network of compromised SOHO routers used as covert infrastructure for attacks on high-value targets.
2. The group favours routers, firewalls, and VPN devices at the network edge because traffic relayed through them blends in with legitimate residential and small-business traffic, making the operators harder to spot.
3. Microsoft and the US government have assessed that Volt Typhoon is building infrastructure to disrupt US communications infrastructure.
4. Lumen Technologies’ Black Lotus Labs team reported that the campaign infects devices at the edge of networks and has recently targeted specific devices such as Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras.
5. The KV-botnet has been involved in attacks targeting telecommunication and internet service providers, a US territorial government entity in Guam, a renewable energy firm in Europe, and US military organizations, indicating a focus on espionage and information gathering.
6. The botnet’s activity has significantly increased since August 2023 and is ongoing, with the most recent observed attack dates of December 5, 2023.
7. Black Lotus Labs has identified two separate clusters of KV-botnet activity: one that targets high-value entities, and a second, less sophisticated cluster that performs broader scanning.
8. Volt Typhoon uses a multi-stage infection chain that stops selected processes and removes security tools from the device before establishing its command-and-control channel; the payload runs in memory rather than on persistent storage, which hampers detection and means a reboot clears the implant, though an unpatched device can simply be reinfected.
9. The bot takes commands from the C2 server to update its communication settings, exfiltrate host information, transmit data, create network connections, and execute tasks on the host, which could also allow the operators to reach devices on the adjacent LAN.
10. KV-botnet’s activity times align with China working hours, and it employs advanced obfuscation techniques and covert data transfer channels seen in previously documented Volt Typhoon tactics.
11. There was a notable decline in KV-botnet operations that coincided with CISA’s public disclosure of Volt Typhoon activity in May 2023.
