September 18, 2024 at 01:09PM
Lumen Technologies researchers have identified a large-scale botnet, Raptor Train, controlled by a Chinese state-sponsored espionage group known as Flax Typhoon. The botnet targets US and Taiwanese organizations in critical sectors using IoT devices and has a robust command and control infrastructure. The botnet has been used for extensive scanning and exploitation attempts across various sectors.
Key takeaways from the meeting notes:
– Researchers at Lumen Technologies have identified a large-scale botnet called Raptor Train, which is a Chinese state-sponsored espionage operation targeting entities in the U.S. and Taiwan across various sectors, including military, government, higher education, telecommunications, and defense industrial base.
– The botnet primarily comprises compromised small office/home office (SOHO) and Internet of Things (IoT) devices and has been growing since its formation in May 2020, with an estimated hundreds of thousands of devices entangled.
– The botnet is managed through a robust, multi-tiered infrastructure, featuring a sophisticated command and control (C2) system called “Sparrow,” which allows for remote command execution, file transfers, vulnerability management, and potential distributed denial-of-service (DDoS) attack capabilities.
– The attackers are exploiting over 20 device types using both zero-day and known vulnerabilities to include them as Tier 1 nodes, which include devices from various companies such as ActionTec, ASUS, D-Link, Hikvision, and others.
– The primary malware seen on most of the compromised devices is called Nosedive, a custom variation of the infamous Mirai implant, which is particularly difficult to detect and analyze due to its obfuscation and termination of remote management processes.
– There have been extensive scanning efforts targeting the U.S. military, government, IT providers, and defense industrial base organizations, as well as global targeting, and exploitation attempts against vulnerable software such as Atlassian Confluence servers and Ivanti Connect Secure appliances.
Additionally, Black Lotus Labs has taken steps to null-route traffic to known points of botnet infrastructure, and there are reports of law enforcement agencies in the U.S. working on neutralizing the botnet. The presentation of these findings is set to take place at the LABScon conference.