Ethical Hacking News
Chinese state-sponsored hacking group Volt Typhoon has successfully rebuilt its KV-Botnet malware botnet following a disruption by law enforcement, posing a significant threat to global cybersecurity. The rebuilding effort indicates that the Chinese hackers remain determined in their pursuit of infiltrating critical networks and maliciously exploiting vulnerable devices.
Volt Typhoon, a Chinese state-sponsored hacking group, has rebuilt its malware botnet, KV-Botnet, after being disrupted by law enforcement in January 2024. The group uses a sophisticated toolkit and a strategic approach to infiltrate critical networks, targeting SOHO routers and networking devices. Law enforcement successfully wiped malware from infected routers in January 2024, but Volt Typhoon has now rebuilt the botnet with significant success. The new KV-Botnet appears to target Cisco RV320/325 and Netgear ProSafe series devices, using MIPS-based malware and webshells that communicate over non-standard ports. Volt Typhoon has used a compromised VPN device in New Caledonia as a stealthy hub for its operations, evading detection by law enforcement agencies. Cybersecurity professionals recommend replacing older routers with newer models, changing default admin account credentials, and installing the latest firmware to fix known vulnerabilities.
Volt Typhoon, a sophisticated and state-sponsored Chinese hacking group, has demonstrated its resilience in the face of adversity with the recent rebuilding of its malware botnet, KV-Botnet. The news comes on the heels of a disruption by law enforcement in January 2024, which had effectively crippled the initial revival attempt made by the group.
Volt Typhoon, with its sophisticated toolkit and strategic approach to infiltrating critical networks, has been a thorn in the side of cybersecurity professionals for several years. Its primary strategy involves hacking into SOHO routers and networking devices such as Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras, with the aim of installing custom malware that establishes covert communication channels and maintains persistent access to targeted networks.
The KV-Botnet, a network of compromised devices controlled by Volt Typhoon, has been known to be used for various malicious purposes. The most recent revival attempt was met with swift action from law enforcement agencies in January 2024. In this instance, the FBI-led operation successfully wiped malware from infected routers, effectively disrupting the operations of the KV-Botnet.
However, despite the initial setback, reports surfaced in August that Volt Typhoon had managed to exploit a zero-day vulnerability, indicating that the threat actors remained active and determined. This new development has now come to light as the Chinese state-sponsored hacking group has started to rebuild its botnet by targeting outdated Cisco and Netgear routers.
The rebuilding process has been significant, with SecurityScorecard reports indicating that Volt Typhoon has compromised a substantial number of devices over the course of just 37 days. The compromised devices are primarily located in Asia and have been infected using MIPS-based malware and webshells that communicate over non-standard ports. This makes detection more challenging.
The KV-Botnet, also dubbed 'JDYFJ Botnet' by SecurityScorecard due to a self-signed SSL certificate seen in the compromised devices, appears to mainly target Cisco RV320/325 and Netgear ProSafe series devices. The command servers registered on Digital Ocean, Quadranet, and Vultr provide a more diverse and resilient network for the botnet.
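The two indicators the reports above describe, a self-signed certificate on the compromised device and webshell traffic over non-standard ports, can be checked for in TLS connection logs. The following is an added example written for this page, not code from the article or from SecurityScorecard. It runs over constructed, simplified Zeek-style ssl.log lines (the tab-separated column subset and field names are assumptions), treats a certificate whose issuer equals its subject as self-signed, and reports a session only when at least two independent indicators coincide, so ordinary self-signed intranet certificates on port 443 do not page anyone. The assumption that the string "JDYFJ" appears in the certificate subject, and the allow-list of expected TLS ports, are both placeholders to tune for a real network.

```python
"""
Flag TLS sessions that match the self-signed-certificate, non-standard-port
pattern described in the reports above. Example code added to this page; not
from the article or from SecurityScorecard. Log lines are constructed and use a
simplified subset of Zeek's ssl.log columns (field names assumed).
"""
import csv
import io
from dataclasses import dataclass

# Ports where TLS is normally expected on this network; anything else counts
# as "non-standard". The allow-list is an assumption for the example.
STANDARD_TLS_PORTS = {443, 8443, 993, 995, 465}

# Certificate subject fragments worth alerting on. "JDYFJ" is the name the page
# gives for the self-signed certificate; that it appears in the subject is assumed.
WATCHED_SUBJECT_FRAGMENTS = ("JDYFJ",)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    subject: str
    reasons: tuple


def is_self_signed(subject: str, issuer: str) -> bool:
    """A certificate whose issuer equals its non-empty subject was not signed by a CA."""
    subject, issuer = subject.strip(), issuer.strip()
    return subject != "" and subject == issuer


def classify(row: dict) -> tuple:
    """Return the tuple of indicators that fire for one ssl.log row."""
    reasons = []
    dport = int(row["id.resp_p"])
    subject, issuer = row["subject"], row["issuer"]
    if is_self_signed(subject, issuer):
        reasons.append("self-signed")
    if dport not in STANDARD_TLS_PORTS:
        reasons.append(f"non-standard port {dport}")
    if any(frag in subject for frag in WATCHED_SUBJECT_FRAGMENTS):
        reasons.append("watched subject")
    return tuple(reasons)


def scan_ssl_log(text: str) -> list:
    """Parse a tab-separated ssl.log excerpt and return sessions with at least
    two independent indicators (a lone self-signed intranet cert is not reported)."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    findings = []
    for row in reader:
        reasons = classify(row)
        if len(reasons) >= 2:
            findings.append(Finding(row["ts"], row["id.orig_h"], row["id.resp_h"],
                                    int(row["id.resp_p"]), row["subject"], reasons))
    return findings


# Constructed sample: a CA-signed session on 443 (benign), a self-signed
# intranet certificate on 443 (single indicator, not reported), and a
# self-signed certificate carrying the watched name on a high port (reported).
SAMPLE_SSL_LOG = "\n".join([
    "ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tsubject\tissuer",
    "1731400000.1\t10.0.0.5\t51234\t203.0.113.10\t443\tCN=www.example.com\tCN=Example Public CA",
    "1731400001.2\t10.0.0.7\t51300\t192.168.1.1\t443\tCN=router.lan\tCN=router.lan",
    "1731400002.3\t192.168.1.1\t40000\t198.51.100.25\t55442\tCN=JDYFJ\tCN=JDYFJ",
])

if __name__ == "__main__":
    for f in scan_ssl_log(SAMPLE_SSL_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} [{f.subject}] {', '.join(f.reasons)}")
```

On a real deployment, point `scan_ssl_log` at the device's actual ssl.log columns and widen `WATCHED_SUBJECT_FRAGMENTS` and `STANDARD_TLS_PORTS` from your own baseline; the two-indicator threshold is what keeps the rule useful on networks full of legitimately self-signed appliance certificates.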
Furthermore, researchers from SecurityScorecard have observed that Volt Typhoon has utilized a compromised VPN device located in the Pacific island of New Caledonia as a bridge to route traffic between Asia-Pacific and America. This serves as a stealthy hub for the group's operations, shielding them from detection by law enforcement agencies.
The rebuilding effort signifies Volt Typhoon's return to global operations, with the Chinese hackers pushing forward despite the loss of scale compared to previous iterations. To mitigate this threat, cybersecurity professionals recommend that older and unsupported router devices be replaced with newer models and placed behind firewalls, that remote access to admin panels not be exposed to the internet, and that default admin account credentials be changed.
Moreover, users who are utilizing newer SOHO routers should ensure they install the latest firmware as it becomes available to fix known vulnerabilities. The recent resurgence of Volt Typhoon highlights the importance of staying vigilant in the face of evolving threats and taking proactive measures to protect networks against such sophisticated attacks.
Related Information:
https://www.bleepingcomputer.com/news/security/volt-typhoon-rebuilds-malware-botnet-following-fbi-disruption/
Published: Tue Nov 12 12:21:06 2024 by llama3.2 3B Q4_K_M