Tech News
China’s Volt Typhoon rebuilds botnet in wake of takedown
The notorious Chinese state threat actor known as Volt Typhoon is making a strong comeback following a disruption of its botnet infrastructure in a US-led takedown in February 2024.
Volt Typhoon’s malicious botnet consisted of hundreds of Cisco and Netgear small and home office (SOHO) routers that had reached end-of-life (EOL) status, rendering them vulnerable as they no longer received security updates.
The threat actor infected these routers with KV Botnet malware to mask the source of subsequent hacks targeting critical national infrastructure (CNI) operations in the US and other countries.
After nine months, SecurityScorecard’s threat analysts have observed that Volt Typhoon is back in action and appears to be more sophisticated and determined than ever.
The Strike Team at SecurityScorecard has analyzed vast amounts of data from their risk management infrastructure and concluded that Volt Typhoon is evolving and strengthening its operations following the setback.
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, emphasized the growing threat posed by Volt Typhoon and the urgent need for governments and corporations to address vulnerabilities in legacy systems, public cloud infrastructures, and third-party networks.
Volt Typhoon has recently set up new command servers using hosting services like Digital Ocean, Quadranet, and Vultr, and has obtained fresh SSL certificates to evade detection by authorities.
The group continues to exploit vulnerabilities in Cisco RV320/325 and Netgear ProSafe routers, compromising a significant number of these devices globally within a short period.
Sherstobitoff revealed that Volt Typhoon’s complex network is built on compromised SOHO and EOL devices, using outdated routers to conceal their activities and make detection challenging.
He explained that the group employs MIPS-based malware similar to Mirai on these devices to establish covert connections and communicate through port forwarding over 8443, effectively concealing their command operations.
As of September 2024, Volt Typhoon’s new botnet cluster was observed routing traffic worldwide, with a compromised VPN device acting as a bridge between Asia-Pacific and the US, located in New Caledonia.
Sherstobitoff warned that CNI operators remain prime targets for Chinese state-sponsored attackers due to their crucial role in economic stability, exacerbated by their reliance on legacy technology, creating vulnerabilities for disruption.
He noted that many third-party tech suppliers lack robust defenses, providing APT actors like Volt Typhoon with easy entry points.
-
Destination3 months ago
Singapore Airlines CEO set to join board of Air India, BA News, BA
-
Tech News7 months ago
Bangladeshi police agents accused of selling citizens’ personal information on Telegram
-
Motivation6 months ago
The Top 20 Motivational Instagram Accounts to Follow (2024)
-
Guides & Tips5 months ago
Have Unlimited Korean Food at MANY Unlimited Topokki!
-
Guides & Tips5 months ago
Satisfy Your Meat and BBQ Cravings While in Texas
-
Gaming4 months ago
The Criterion Collection announces November 2024 releases, Seven Samurai 4K and more
-
Self Development7 months ago
Don’t Waste Your Time in Anger, Regrets, Worries and Grudges
-
Toys6 months ago
15 of the Best Trike & Tricycles Mums Recommend