Volt Typhoon Group Rebuilds KV-Botnet Malware Network
Quick take - The Chinese state-sponsored hacking group Volt Typhoon is reportedly rebuilding its KV-Botnet malware network, targeting outdated Cisco and Netgear routers, after U.S. authorities disrupted it in January 2024, and has compromised a significant number of devices despite that setback.
Fast Facts
- Volt Typhoon, a Chinese state-sponsored hacking group, is rebuilding its KV-Botnet malware after a disruption by U.S. authorities in January 2024, targeting outdated Cisco and Netgear routers.
- The group has been a significant cyberespionage threat for over five years, infiltrating critical U.S. infrastructure and global networks by exploiting SOHO routers and networking devices.
- The KV-Botnet has effectively compromised around 30% of internet-exposed Cisco RV320/325 devices within 37 days, utilizing MIPS-based malware and webshells for covert communication.
- Volt Typhoon’s operations include routing traffic through compromised legitimate infrastructure, complicating detection, and leveraging a VPN device in New Caledonia for stealthy communication.
- Experts recommend replacing outdated routers, securing admin access, and updating firmware on newer devices to mitigate risks from this ongoing threat.
Volt Typhoon Rebuilds KV-Botnet Malware Following Disruption
The Chinese state-sponsored hacking group known as Volt Typhoon is reportedly in the process of rebuilding its “KV-Botnet” malware network. This follows a disruption by law enforcement in January 2024.
Cyberespionage Threat
Volt Typhoon has been identified as a significant cyberespionage threat. The group has allegedly infiltrated critical U.S. infrastructure and various global networks for at least five years. The group primarily employs tactics that involve hacking small office/home office (SOHO) routers and networking devices. Specific models targeted include Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras.
The malware deployed by Volt Typhoon facilitates covert communication and proxy channels, ensuring persistent access to the networks of affected organizations.
Disruption and Resurgence
In January 2024, U.S. authorities successfully disrupted Volt Typhoon’s botnet, which involved the removal of malware from infected routers. An initial attempt by the group to resume operations in February 2024 was unsuccessful. However, reports from August 2024 indicated that Volt Typhoon exploited a zero-day vulnerability, signaling ongoing activity and adaptability.
According to SecurityScorecard, Volt Typhoon has resumed efforts to rebuild its botnet, targeting outdated Cisco and Netgear routers and managing to compromise a substantial number of devices within a month. The compromised routers are infected using MIPS-based malware and webshells, which communicate over non-standard ports, making detection challenging.
Current Operations and Recommendations
As of September 2024, Volt Typhoon is reported to have established a new network of compromised devices, primarily concentrated in Asia. The KV-Botnet, also referred to as the ‘JDYFJ Botnet’ by SecurityScorecard, has been particularly effective against Cisco RV320/325 and Netgear ProSafe series devices. In just 37 days, the group compromised approximately 30% of all internet-exposed Cisco RV320/325 devices.
The exact methods of breach remain unclear, but many of the targeted devices are classified as end-of-life and no longer receive updates, which likely leaves them more exposed. Researchers have limited insight into the specific malware used in the revived botnet, and some previously infected devices have rejoined the network.
The KV-Botnet’s operations include obfuscating malicious activities by routing traffic through compromised legitimate infrastructure, complicating detection efforts. The botnet’s command servers are registered with Digital Ocean, Quadranet, and Vultr, contributing to a diverse and resilient network structure. Notably, Volt Typhoon has leveraged a compromised VPN device located in New Caledonia, serving as a stealthy hub to route traffic between the Asia-Pacific region and America.
To mitigate the risks posed by this threat, experts recommend that users replace older and unsupported router devices, place them behind firewalls, restrict remote access to admin panels, and change default admin credentials. Users of newer SOHO routers are also advised to install the latest firmware updates to address known vulnerabilities.