Ethical Hacking News
China's Volt Typhoon crew has resurfaced with a vengeance, compromising critical infrastructure networks and launching devastating cyberattacks. A new wave of Chinese cyber espionage threatens global critical infrastructure, highlighting the need for organizations to prioritize cybersecurity and stay vigilant in the face of evolving threats.
The notorious cyber spy group Volt Typhoon has resurfaced with a vengeance after being thought to have been dismantled by the FBI in 2023. The botnet has successfully exploited outdated Cisco and Netgear routers to break into critical infrastructure networks and launch devastating cyberattacks. Security experts had warned about Volt Typhoon's continued activity in the months leading up to its reported return. The botnet has compromised 30% of visible Cisco RV320/325 routers in just 37 days, according to a recent report by SecurityScorecard's STRIKE Team.
China's Volt Typhoon crew, a notorious group of cyber spies linked to the Chinese government, has once again resurfaced with a vengeance. The botnet, which was thought to have been dismantled by the FBI in 2023, has successfully exploited outdated Cisco and Netgear routers to break into critical infrastructure networks and launch devastating cyberattacks.
The resurgence of Volt Typhoon comes as no surprise to security researchers and experts, who had warned about the group's continued activity in the months leading up to its reported return. In a recent report, SecurityScorecard's Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team revealed that the botnet had compromised 30 percent of visible Cisco RV320/325 routers in just 37 days.
The attack timeline of Volt Typhoon is a concerning one. The group first gained notoriety in 2023, after Microsoft and intelligence agencies from the Five Eyes nations disclosed that it had accessed networks belonging to US critical infrastructure organizations. The spy gang built a botnet from Cisco and Netgear routers, identifiable by a self-signed SSL certificate named JDYFJ, and routed its malicious traffic through command-and-control (C2) infrastructure in the Netherlands, Latvia, and Germany to disguise it.
By October 2023, Volt Typhoon had taken up occupancy, rent-free, on a compromised VPN device in New Caledonia. This created a covert bridge between Asia-Pacific and the Americas that kept "their network alive, hidden from standard detection," Sherstobitoff wrote in the STRIKE report.
In January 2024, an FBI-led effort disrupted some of Volt Typhoon's infrastructure, but the group quickly set up new command-and-control servers on DigitalOcean, QuadraNet, and Vultr, and registered fresh SSL certificates to avoid detection. As of September, "the botnet persists," Sherstobitoff wrote, using the JDYFJ cluster to route traffic globally.
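The JDYFJ certificate described above is the kind of indicator a defender can check across a router inventory, with the caveat from the same report that the crew later registered fresh certificates, so a CN match is only one signal. The following is an added example, not code from the article or from SecurityScorecard; it assumes "named JDYFJ" means the certificate's subject Common Name, and the inventory entries are constructed sample data in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Indicator taken from the article. Assumption: "named JDYFJ" refers to the subject CN.
JDYFJ_COMMON_NAME = "JDYFJ"


def cert_field(cert: dict, field: str, attr: str) -> Optional[str]:
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style subject/issuer,
    which is a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in cert.get(field, ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None


def is_self_signed(cert: dict) -> bool:
    """Subject equal to issuer is the usual tell for a self-signed certificate."""
    subject = cert.get("subject")
    return subject is not None and subject == cert.get("issuer")


def assess_cert(cert: dict) -> List[str]:
    """Return findings for one certificate; an empty list means nothing notable.
    A CN match is the strong signal; self-signed alone is weak, since many routers
    ship that way, but it is what the JDYFJ fingerprint was built on."""
    findings = []
    if cert_field(cert, "subject", "commonName") == JDYFJ_COMMON_NAME:
        findings.append("subject CN matches JDYFJ indicator")
    if is_self_signed(cert):
        findings.append("self-signed certificate (weak signal on its own)")
    return findings


def scan_inventory(inventory: Iterable[Tuple[str, dict]]) -> Dict[str, List[str]]:
    """Map device label -> findings, keeping only devices that produced findings."""
    return {label: f for label, cert in inventory if (f := assess_cert(cert))}


# Constructed sample inventory (not real devices) in getpeercert() dict shape.
SAMPLE_INVENTORY = [
    ("rv320-branch-01", {"subject": ((("commonName", "JDYFJ"),),),
                         "issuer": ((("commonName", "JDYFJ"),),)}),
    ("rv325-branch-02", {"subject": ((("commonName", "router.example.internal"),),),
                         "issuer": ((("commonName", "router.example.internal"),),)}),
    ("edge-fw-03", {"subject": ((("commonName", "fw.example.com"),),),
                    "issuer": ((("commonName", "Example Internal CA"),),)}),
]
```

Note that `getpeercert()` returns an empty dict when the handshake did not verify the chain, which it will not for a self-signed router cert, so in practice the dicts must come from `getpeercert(binary_form=True)` decoded with an X.509 library rather than from an unverified handshake.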
This report comes as government officials and private security firms alike have noted an uptick in Chinese cyber spy activity on US and global networks. In August, Lumen Technologies' Black Lotus Labs warned that Volt Typhoon had abused a Versa SD-WAN vulnerability CVE-2024-39717 to plant custom, credential-harvesting web shells on customers' networks.
Furthermore, another Chinese-government-backed group dubbed Salt Typhoon was accused of breaking into US telecom providers' infrastructure. These intrusions came to light in October, with the spies reportedly breaching Verizon, AT&T, and Lumen Technologies.
Additionally, the FBI revealed that international cops disrupted a 260,000-device botnet controlled by a different Beijing-linked goon squad: Flax Typhoon. This group had been building the Mirai-based botnet since 2021 and targeted US critical infrastructure, government, and academic institutions.
The resurgence of Volt Typhoon is a stark reminder of the ongoing threat posed by Chinese cyber espionage. The group's continued activity highlights the need for organizations to prioritize cybersecurity and to stay vigilant in the face of evolving threats.
In conclusion, Volt Typhoon's return marks a new wave of Chinese cyber espionage that threatens global critical infrastructure. Its resurgence did not surprise the security experts who had warned of its continued activity, and the group's tactics remain as sophisticated as ever, making it essential for organizations to act now to protect themselves against this threat.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2024/11/13/china_volt_typhoon_back/
https://www.theregister.com/2024/11/13/china_volt_typhoon_back/
https://www.axios.com/2024/11/12/china-volt-typhoon-returns-security-scorecard
Published: Tue Nov 12 20:16:47 2024 by llama3.2 3B Q4_K_M