Malware hunters in the United States have set eyes on an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure.
The discovery of the botnet, which is packed with outdated Cisco, Netgear and Fortinet devices, adds a new twist to the scramble to mitigate the damage from Volt Typhoon infections first spotted at critical infrastructure organizations in Guam, a U.S. territory in the Pacific Ocean.
Volt Typhoon, flagged by Microsoft and US government officials as a Chinese APT showcasing the ability to disrupt critical communications infrastructure, has burrowed deep into thousands of organizations spanning communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and the education sectors.
According to new research from Black Lotus Labs (the threat-intel arm of Lumen Technologies), the Chinese hackers have seized control of hundreds of old, outdated routers and set up a Tor-like covert data transfer network to perform malicious operations.
In an interview with SecurityWeek, Black Lotus Labs researcher Danny Adamitis said the collection of hijacked routers (called the KV-botnet, after artifacts in the malware) features a complex infection process and a well-concealed command-and-control framework.
Adamitis said the botnet is made up primarily of end-of-life products that are vulnerable to critical security issues. Vendors have stopped shipping security patches for these devices, meaning the flaws will never be fixed.
“The only solution is to rip and replace these things,” Adamitis said, noting that his team has found Cisco RV320s, DrayTek Vigor routers and Netgear ProSAFE devices.
In a sign that the hacking group may be preparing for a new wave of attacks over the holidays, Adamitis said hijacked Axis IP cameras have been added to the botnet as its infrastructure was remodeled.
“Taking note of the structural changes, targeting of new device types like IP cameras, and mass exploitation in early December, we suspect this could be a precursor to increased activity during the holiday season,” the company warned in a report to be released Wednesday.
Adamitis said Black Lotus Labs will be releasing the malware and related artifacts publicly to help organizations mitigate the threat and plan for upcoming attacks.
The company also released a detailed technical analysis of the botnet, along with multiple data points linking it to Volt Typhoon. Adamitis also called special attention to hands-on-keyboard manual operations and clever steps taken to evade security software and stay below the radar.
“We assess that this trend of utilizing compromised firewalls and routers will continue to emerge as a core component of threat actor operations, both to enable access to high-profile victims and to establish covert infrastructure,” Black Lotus Labs warned, noting that end-of-life routers are still widely deployed at major organizations around the world.
“While we would classify the majority of the KV infections as opportunistic, this cluster infected SOHO devices associated with a handful of high value networks. Examples include a US judicial organization and a US organization that manages a satellite-based network,” according to the report.
“There is a large supply of vastly out-of-date and generally considered end-of-life edge devices on the internet, no longer eligible to receive patches. Additionally, because these models are associated with home and small business users, it’s likely many targets lack the resources and expertise to monitor or detect malicious activity and perform forensics,” Adamitis said.
He noted that the hijacked router models are all able to handle medium-to-large bandwidth, meaning there is likely no noticeable impact on the legitimate users.
Black Lotus Labs is urging network defenders to look closely for large data transfers out of the network, even if the destination IP address is physically located in the same geographical area.
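The detection advice above is easy to get wrong in practice, because many egress-volume rules quietly exempt destinations in the organization's own country or region. The script below is an added example written for this article (it is not Black Lotus Labs or SecurityWeek code and does not reproduce any KV-botnet indicator): it aggregates outbound bytes per external destination from constructed flow records, derives a baseline from the median destination, and flags outliers regardless of the destination's GeoIP country. The internal range (10.0.0.0/8), the home country, the threshold multiplier and the 100 MB floor are assumptions to be tuned per environment; the peer addresses are RFC 5737 documentation ranges.

```python
"""Added example, not from the original article: flag large egress transfers
without exempting destinations that share the network's own country."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str          # internal host that sent the data
    dst: str          # external peer that received it
    dst_country: str  # GeoIP country of dst (constructed for the sample)
    bytes_out: int    # bytes sent src -> dst in this flow record


# Constructed sample flows (not real telemetry). 10.0.0.0/8 is the internal
# network; 192.0.2.x, 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "192.0.2.10", "US", 2_400_000),      # ordinary SaaS traffic
    Flow("10.1.2.4", "192.0.2.10", "US", 1_100_000),
    Flow("10.1.2.5", "203.0.113.9", "DE", 3_200_000),     # foreign, but small
    Flow("10.1.2.3", "203.0.113.44", "NL", 800_000),
    Flow("10.1.2.7", "198.51.100.23", "US", 612_000_000),  # bulk push to a
    Flow("10.1.2.7", "198.51.100.23", "US", 288_000_000),  # same-country peer
    Flow("10.1.2.8", "10.2.0.5", "US", 50_000_000),        # internal, ignored
]


def egress_by_dst(flows, internal=ipaddress.ip_network("10.0.0.0/8")):
    """Sum bytes sent from internal hosts to each external (dst, country)."""
    totals = defaultdict(int)
    for f in flows:
        src_internal = ipaddress.ip_address(f.src) in internal
        dst_internal = ipaddress.ip_address(f.dst) in internal
        if src_internal and not dst_internal:
            totals[(f.dst, f.dst_country)] += f.bytes_out
    return dict(totals)


def flag_large_egress(flows, home_country="US", multiplier=10,
                      min_bytes=100_000_000):
    """Return destinations whose egress volume is an outlier.

    The threshold is the larger of (multiplier x median per-destination
    volume) and an absolute floor, so a single noisy day cannot hide a
    multi-hundred-megabyte push. Same-country destinations are deliberately
    NOT exempted; the result records whether each hit is domestic.
    """
    totals = egress_by_dst(flows)
    if not totals:
        return []
    baseline = median(totals.values())
    threshold = max(multiplier * baseline, min_bytes)
    alerts = []
    for (dst, country), total in totals.items():
        if total >= threshold:
            alerts.append({
                "dst": dst,
                "country": country,
                "bytes_out": total,
                "ratio_to_median": round(total / baseline, 1),
                "same_country": country == home_country,
            })
    return sorted(alerts, key=lambda a: a["bytes_out"], reverse=True)


if __name__ == "__main__":
    for alert in flag_large_egress(SAMPLE_FLOWS):
        print(alert)
```

On the sample data only the same-country peer at 198.51.100.23 is flagged (about 900 MB, roughly 269 times the median destination), while the foreign destinations stay under the threshold; a rule that skipped domestic destinations would have missed the one transfer that matters here. In production, feed the function NetFlow/IPFIX or firewall session logs bucketed per day, and treat the multiplier and floor as starting points to tune against your own baseline.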
Related: Mandiant Intelligence Chief Raises Alarm for ‘Volt Typhoon’ in US Critical Infrastructure
Related: Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
Related: Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks
Related: AWS Using MadPot Decoy System to Disrupt APTs, Botnets