Chinese state-sponsored hackers are exploiting years-old vulnerabilities in Cisco routers in new attacks apparently aimed at government entities in the US, UK, and Australia, cybersecurity firm SecurityScorecard reports.
In the observed attacks, the adversaries exploited CVE-2019-1653 and CVE-2019-1652, an unauthenticated information disclosure bug and a command injection bug in the end-of-life Cisco Small Business RV320 and RV325 VPN routers. The two flaws can be chained (the leaked configuration yields credentials that the command injection then requires), have been targeted by Chinese hackers before, and are both listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
According to SecurityScorecard, the China-linked advanced persistent threat (APT) actor Volt Typhoon likely compromised roughly one-third of the vulnerable devices the company observed.
Specifically, over a 37-day period, 325 of 1,116 devices were seen connecting to two IP addresses that act as proxies for command-and-control (C&C) communication, suggesting that they are part of the same Volt Typhoon-linked botnet of compromised devices. Note that the count reflects devices contacting known infrastructure, not confirmed intrusions on each one.
Volt Typhoon is known to target small office and home office (SOHO) routers from Cisco and DrayTek, as well as other edge devices, including Netgear firewalls and Axis IP cameras, and to use them to covertly relay its traffic.
Using the indicators of compromise (IoCs) published in a recent Black Lotus Labs report on Volt Typhoon, SecurityScorecard tracked a shift in the group’s infrastructure between late November 2023 and early January 2024, and discovered a new shell script that infected devices fetch and execute.
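The core of the methodology described above is mechanical: take the IoC IP addresses from the public reporting, scan flow records for internet-exposed routers contacting them inside a fixed observation window, and count how many of the observed devices did so. The following is an added example of that matching, not code from SecurityScorecard, Black Lotus Labs, or the article. The C&C proxy addresses are RFC 5737 documentation placeholders standing in for the real IoCs, the flow records are constructed (netflow-style `<timestamp> <src> <dst> <dst port>` lines), and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder C2 proxy addresses from the RFC 5737 documentation ranges.
# These are NOT the real Volt Typhoon indicators; substitute the IoCs
# published in the Black Lotus Labs / SecurityScorecard reports.
C2_PROXIES = {"192.0.2.10", "198.51.100.20"}

# Constructed sample of flow records: "<ISO timestamp> <src> <dst> <dst port>".
# The source addresses stand in for internet-exposed RV320/RV325 routers;
# 192.0.2.200 is a benign destination; none of these are real observed hosts.
SAMPLE_FLOWS = """\
2023-11-28T03:14:07Z 203.0.113.5 192.0.2.10 443
2023-11-28T03:14:09Z 203.0.113.5 192.0.2.10 443
2023-12-02T11:02:44Z 203.0.113.6 198.51.100.20 8443
2023-12-15T19:45:00Z 203.0.113.7 192.0.2.200 443
2024-01-03T08:20:31Z 203.0.113.8 198.51.100.20 443
2024-01-03T08:21:02Z 203.0.113.8 192.0.2.10 443
this line is malformed and must be skipped
2024-02-20T00:00:00Z 203.0.113.9 192.0.2.10 443
"""

# Observation window used by this example (the report used a 37-day period).
WINDOW_START = datetime(2023, 11, 28)
WINDOW_DAYS = 37


def parse_flow(line):
    """Parse one record into (timestamp, src, dst, port); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        src = str(ipaddress.ip_address(parts[1]))
        dst = str(ipaddress.ip_address(parts[2]))
        port = int(parts[3])
    except ValueError:
        return None
    return ts, src, dst, port


def c2_contacts(flow_text, c2_ips, start, days):
    """Return (observed, contacts): every source seen inside the window, and
    a map src -> set of IoC addresses it connected to. Records outside
    [start, start + days) and malformed lines are ignored, so a device seen
    only outside the window does not inflate either count."""
    end = start + timedelta(days=days)
    observed = set()
    contacts = defaultdict(set)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, _port = rec
        if not (start <= ts < end):
            continue
        observed.add(src)
        if dst in c2_ips:
            contacts[src].add(dst)
    return observed, dict(contacts)


def summarize(observed, contacts):
    """Return (devices observed, devices contacting C2, fraction)."""
    n = len(observed)
    hits = len(contacts)
    return n, hits, (hits / n if n else 0.0)


if __name__ == "__main__":
    observed, contacts = c2_contacts(SAMPLE_FLOWS, C2_PROXIES, WINDOW_START, WINDOW_DAYS)
    n, hits, frac = summarize(observed, contacts)
    print(f"{hits} of {n} devices contacted known C2 proxies ({frac:.0%})")
    for src, dsts in sorted(contacts.items()):
        print(f"  {src} -> {', '.join(sorted(dsts))}")
```

The window filter matters for the headline ratio: a device that only contacts the proxy before or after the period is counted in neither the numerator nor the denominator, which is how a "325 of 1,116" style figure stays comparable across reporting periods. Matching on destination only is deliberate, since compromised devices initiate the connection to the proxy; if the proxies also initiate connections in your data, match both directions.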
In an extensive technical writeup, the cybersecurity firm says it identified two further IP addresses associated with previously documented Volt Typhoon C&C infrastructure by monitoring traffic from the address of a Cisco RV325 router already known to be compromised by the APT.
Because that device is located in New Caledonia, SecurityScorecard believes it serves as a transit point for Volt Typhoon traffic, and speculates that the compromise could give the APT a useful vantage point for targeting global communications.
“The available analysis of Volt Typhoon has highlighted its targeting of communications between APAC and the Americas – its intrusions into the networks of telecommunications providers and other critical infrastructure in Guam attracted particular attention in previous reporting – so its exploitation of telecommunications infrastructure on another Pacific island may be in keeping with this previous behavior,” the cybersecurity firm says.
Further analysis of the traffic between known Volt Typhoon infrastructure and likely compromised devices led SecurityScorecard to conclude that the APT may operate a much larger botnet than previously believed.
The same traffic also showed connections to the group’s infrastructure from 27 IP addresses hosting 69 US, UK, Australian, and Indian government sites, suggesting broader targeting than earlier reporting on Volt Typhoon had described.
“While public reporting on Volt Typhoon has not previously noted its targeting of Australian or UK government assets in addition to US ones, such activity would be in keeping with PRC nation-state cyber activity more generally, as these countries’ roles in the Western alliance system (including their Five Eyes and AUKUS membership) have contributed to their frequent targeting by China-linked APT groups,” SecurityScorecard says.