Tag Archive for: Volt

Router botnet tied to Volt Typhoon’s critical infrastructure breaches


Chinese threat group Volt Typhoon used a sophisticated botnet of unsecured home and small business routers to stealthily transfer data during a major campaign targeting U.S. critical infrastructure discovered earlier this year.

The group’s actions raised alarm in the intelligence community when they were first reported in May because of the breadth and potential impact of its attacks. Organizations across a range of sectors, including government, defense, communications, IT and utilities were targeted.

One victim was a critical infrastructure organization in the U.S. territory of Guam. There were fears the breach could be a precursor to an attack aimed at disrupting U.S. military capabilities in the nearby South China Sea.

KV-botnet comprised of end-of-life routers

In a Dec. 13 post, Lumen Technologies said that after the attacks came to light, its Black Lotus Labs division found that Volt Typhoon, and possibly other advanced persistent threat (APT) actors, had used a botnet as a data transfer network as part of its operations.

Dubbed KV-botnet, it was a network of infected small office/home office (SOHO) routers, mostly end-of-life models made by Cisco, DrayTek and Netgear.

“The KV-botnet features two distinct logical clusters, a complex infection process and a well-concealed command-and-control (C2) framework,” the researchers said. “The operators of this botnet meticulously implement tradecraft and obfuscation techniques.”

There were several advantages of building a botnet from older SOHO routers, they said, including the large number available, the lack of security measures and patching they were subjected to, and the significant data bandwidth they could handle without raising suspicion.

“Additionally, because these models are associated with home and small business users, it’s likely many targets lack the resources and expertise to monitor or detect malicious activity and perform forensics.”

In a separate statement, Lumen said KV-botnet had enabled Volt Typhoon to maintain secret communication channels that merged with normal network traffic, avoiding security barriers and firewalls.

“This botnet was essential for their strategic intelligence collection operations,…

Source…

Volt Typhoon-Linked SOHO Botnet Infects Multiple US Gov’t Entities


Researchers have discovered an Internet of Things (IoT) botnet linked with attacks against multiple US government and communications organizations.

The “KV-Botnet,” revealed in a report from Lumen’s Black Lotus Labs, is designed to infect small-office home-office (SOHO) network devices developed by at least four different vendors. It comes built with a series of stealth mechanisms and the ability to spread further into local area networks (LANs).

One notable subscriber is the Volt Typhoon advanced persistent threat (aka Bronze Silhouette), the headline-grabbing Chinese state-aligned threat actor known for attacks against US critical infrastructure. The platform appears to have been involved in previously reported Volt Typhoon campaigns against two telecommunications firms, an Internet service provider (ISP), and a US government organization based in Guam. It only represents a portion of Volt Typhoon’s infrastructure, though, and there are almost certainly other threat actors also using it.

Inside the KV-Botnet

Since at least February 2022, KV-Botnet has primarily infected SOHO routers including the Cisco RV320, DrayTek Vigor, and Netgear ProSafe product lines. As of mid-November, it expanded to exploit IP cameras developed by Axis Communications.

Administered from IP addresses located in China, the botnet can be broadly split into two groups: the “KY” cluster, involving manual attacks against high-value targets, and the “JDY” cluster, involving broader targeting and less sophisticated techniques.

Most KV-Botnet infections so far appear to fall into the latter cluster. With that said, the botnet has brushed up against a number of previously undisclosed high-profile organizations, including a judicial institution, a satellite network provider, and military entities from the US, as well as a renewable energy company based in Europe.

The program is perhaps most notable for its advanced, layered stealth. It resides completely in memory (although, on the flip side, this means it is wiped by a simple device restart, since nothing is written to persistent storage). It checks for and terminates a series of processes and security tools running on the infected device, runs under the name of a random file already on the device, and…

Source…

Microsoft & NSA expose Chinese-sponsored Volt Typhoon hacking group


Published: 2023-05-26T12:29:45 | Updated: 2023-05-26T12:29:51

A hacking group named Volt Typhoon has been exposed by the NSA and Microsoft, which have issued a new cybersecurity warning about its activity.

Microsoft and the NSA have published advisories detailing how a hacking group, Volt Typhoon, has worked its way into “critical infrastructure organizations in the United States”. Beyond the intrusions themselves, Microsoft has stated that the group is “a state-sponsored actor based in China”.

Volt Typhoon has been active since mid-2021 and has previously hit targets in Guam and elsewhere in the United States. Earlier intrusions have touched sectors ranging from transportation and construction to education.


Microsoft details hacking group’s techniques for hitting infrastructure


Microsoft’s assessment is that the campaign is building the capability to disrupt “critical communications infrastructure” between the United States and Asia during a future crisis.

A key point of entry that Microsoft has identified is internet-facing Fortinet FortiGuard devices, which sit at the network edge in many industries. Once Volt Typhoon has harvested credentials from such a device, it routes its traffic to and from the victim network through compromised SOHO (small office/home office) network devices, such as home routers, so that its activity blends in with ordinary traffic.


Microsoft also notes that many of the SOHO devices the group relies on let their owners “expose HTTP or SSH management interfaces to the internet”. In plain terms, a management interface reachable from the internet lets anyone who obtains or guesses the credentials administer the device remotely. Owners can prevent this themselves and have been advised to keep those interfaces closed to the internet.
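To make that advice concrete, here is an added example (not from the article, from Microsoft or from any router vendor) of checking whether a Linux-based router’s own SSH/HTTP/HTTPS ports are reachable from the WAN. It evaluates an iptables-save style INPUT chain the way the kernel would for a new inbound TCP connection (first matching rule wins, the chain policy applies when nothing matches). The two rulesets, the interface names eth0 (WAN) and br0 (LAN) and the management port list are constructed assumptions.

```python
"""Audit whether a router's management ports are reachable from the WAN by
evaluating an iptables-save style INPUT chain for a NEW inbound TCP connection.
Added example; both rulesets below are constructed, not from any vendor."""
import re
from typing import Dict, List, Optional, Tuple

MGMT_PORTS = {22: "ssh", 80: "http", 443: "https"}  # assumed management services

# Weak configuration (constructed): INPUT policy ACCEPT and nothing restricting the
# WAN interface, so every service listening on the router is world-reachable.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
"""

# Hardened configuration (constructed): default DROP, management only from the LAN
# bridge br0, plus an explicit DROP for SSH arriving on the WAN interface eth0.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
COMMIT
"""

_POLICY_RE = re.compile(r"^:INPUT\s+(ACCEPT|DROP)\b")
_OPTION_FIELDS = {"-i": "iface", "-p": "proto", "--dport": "dport",
                  "--ctstate": "ctstate", "-j": "target"}


def _parse_rule(line: str) -> Dict[str, Optional[str]]:
    """Parse one '-A INPUT ...' line. Only the matches this audit understands are
    accepted; negation, source ranges or custom chains raise, so the audit refuses
    to guess rather than silently mis-evaluating a rule."""
    toks = line.split()
    rule: Dict[str, Optional[str]] = {f: None for f in _OPTION_FIELDS.values()}
    i = 2  # skip '-A INPUT'
    while i < len(toks):
        key = toks[i]
        if key == "-m":  # match-extension loader, carries no condition itself
            i += 2
            continue
        if key not in _OPTION_FIELDS or i + 1 >= len(toks):
            raise ValueError(f"unsupported rule syntax: {line}")
        rule[_OPTION_FIELDS[key]] = toks[i + 1]
        i += 2
    if rule["target"] not in ("ACCEPT", "DROP", "REJECT"):
        raise ValueError(f"unsupported target in rule: {line}")
    return rule


def parse_input_chain(ruleset: str) -> Tuple[str, List[Dict[str, Optional[str]]]]:
    """Return (INPUT policy, ordered INPUT rules) from an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = _POLICY_RE.match(line)
        if m:
            policy = m.group(1)
        elif line.startswith("-A INPUT "):
            rules.append(_parse_rule(line))
    return policy, rules


def _matches(rule: Dict[str, Optional[str]], iface: str, port: int) -> bool:
    """Would this rule match a NEW TCP connection to `port` arriving on `iface`?"""
    if rule["iface"] is not None and rule["iface"] != iface:
        return False
    if rule["proto"] is not None and rule["proto"] != "tcp":
        return False
    if rule["dport"] is not None and int(rule["dport"]) != port:
        return False
    if rule["ctstate"] is not None and "NEW" not in rule["ctstate"].split(","):
        return False
    return True


def verdict(ruleset: str, iface: str, port: int) -> str:
    """First-match evaluation of the INPUT chain; policy applies if nothing matches."""
    policy, rules = parse_input_chain(ruleset)
    for rule in rules:
        if _matches(rule, iface, port):
            return "ACCEPT" if rule["target"] == "ACCEPT" else "DROP"
    return policy


def exposed_mgmt_ports(ruleset: str, wan_iface: str) -> Dict[int, str]:
    """Management ports a stranger on the WAN side could reach."""
    return {p: name for p, name in MGMT_PORTS.items()
            if verdict(ruleset, wan_iface, p) == "ACCEPT"}


if __name__ == "__main__":
    for label, rs in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"{label}: exposed on eth0 -> {exposed_mgmt_ports(rs, 'eth0')}")
```

The audit covers only the router’s own INPUT chain; a port-forward (DNAT) in the nat table that relays a WAN port to a host behind the router is a separate path and would need the same treatment for PREROUTING and FORWARD. Because the parser raises on anything it does not understand, a real ruleset may need the option table extended rather than quietly producing a clean bill of health.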

An interesting point about Volt Typhoon’s activity is that Microsoft says the group rarely uses malware. Instead, once it has gained enough access, it relies on living-off-the-land techniques, using anything from basic to advanced command line instructions…
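As an added example of what detection of that kind of activity can look like (not from the article or from Microsoft), the script below scans process-creation records for command lines of the kind the May 2023 joint advisory on Volt Typhoon documented: netsh portproxy relays, ntdsutil and ldifde directory dumps, dnscmd enumeration and wmic disk discovery. The log lines and the pipe-delimited record format are constructed; the hosts, users and addresses in them are made up.

```python
"""Flag living-off-the-land command lines of the kind documented for Volt Typhoon
in the May 2023 joint advisory. Added example; the log records are constructed and
the pipe-delimited format is an assumption, not any product's real format."""
import re
from typing import Dict, List, Set, Tuple

# Each entry: (technique label, regex over the command line). The binaries are
# standard Windows tools, which is the whole point of living off the land.
LOTL_PATTERNS = [
    ("internal proxy via netsh portproxy",
     re.compile(r"\bnetsh(\.exe)?\s+interface\s+portproxy\s+add\b", re.I)),
    ("NTDS.dit dump via ntdsutil IFM",
     re.compile(r"\bntdsutil(\.exe)?\b.*\b(ac\s+i\s+ntds|activate\s+instance\s+ntds)\b.*\bifm\b",
                re.I)),
    ("directory export via ldifde",
     re.compile(r"\bldifde(\.exe)?\s+.*[-/]f\s+\S+", re.I)),
    ("DNS zone/record enumeration via dnscmd",
     re.compile(r"\bdnscmd(\.exe)?\s+\S*\s*/enum(zones|records)\b", re.I)),
    ("host discovery via wmic logicaldisk",
     re.compile(r"\bwmic(\.exe)?\s+path\s+win32_logicaldisk\b", re.I)),
]

# Constructed process-creation records: timestamp|host|user|command line.
SAMPLE_LOG = """\
2023-05-24T03:11:52Z|DC01|SYSTEM|C:\\Windows\\System32\\svchost.exe -k netsvcs -p
2023-05-24T03:12:07Z|DC01|CORP\\svc_backup|cmd.exe /c netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=10.10.2.15 connectport=8443
2023-05-24T03:14:33Z|DC01|CORP\\svc_backup|ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q
2023-05-24T03:15:01Z|WS17|CORP\\alice|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
2023-05-24T03:16:48Z|DC01|CORP\\svc_backup|cmd.exe /C dnscmd . /enumzones
2023-05-24T03:17:20Z|DC01|CORP\\svc_backup|cmd /c ldifde /f C:\\Windows\\Temp\\out.dat -p subtree
2023-05-24T03:17:55Z|DC01|CORP\\svc_backup|cmd.exe /c wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename
2023-05-24T03:18:05Z|WS17|CORP\\alice|C:\\Program Files\\Git\\bin\\git.exe fetch
"""


def scan_process_log(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, host, technique, command) for each record whose command
    line matches a pattern. A record matching several patterns is reported once
    per pattern; malformed records are skipped."""
    hits = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        parts = raw.split("|", 3)
        if len(parts) != 4:
            continue
        _ts, host, _user, cmd = parts
        for label, pat in LOTL_PATTERNS:
            if pat.search(cmd):
                hits.append((n, host, label, cmd))
    return hits


def hosts_with_multiple_techniques(hits: List[Tuple[int, str, str, str]],
                                   threshold: int = 2) -> List[str]:
    """Hosts on which at least `threshold` distinct techniques fired. Every one of
    these commands has legitimate admin uses, so a cluster of them on one host is
    a stronger signal than any single match."""
    per_host: Dict[str, Set[str]] = {}
    for _n, host, label, _cmd in hits:
        per_host.setdefault(host, set()).add(label)
    return sorted(h for h, labels in per_host.items() if len(labels) >= threshold)


if __name__ == "__main__":
    found = scan_process_log(SAMPLE_LOG)
    for line_no, host, label, cmd in found:
        print(f"line {line_no} {host}: {label}\n    {cmd}")
    print("hosts to triage first:", hosts_with_multiple_techniques(found))
```

In practice the records would come from Windows event 4688 (with command-line auditing enabled) or Sysmon event 1, and the per-host clustering would be done over a time window rather than over a whole file; the point of the second function is that, with no malware to find, the detection has to rest on combinations of otherwise ordinary administrative commands.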

Source…

Volt Typhoon and other Chinese groups accused of hacking the US and others


SINGAPORE, May 25 (Reuters) – Chinese hacking teams have been blamed by Western intelligence agencies and cybersecurity groups for digital intrusion campaigns across the world, targeting everything from government and military organisations to corporations and media groups.

Cybersecurity firms believe many of those groups are backed by China’s government. U.S.-based Mandiant has said some Chinese hacking groups are operated by units of China’s army.

China’s authorities have consistently denied any form of state-sponsored hacking, saying China itself is a frequent target of cyberattacks. It has dubbed the U.S. National Security Agency (NSA) as “the world’s largest hacker organisation”.

Some of the biggest Chinese hacking teams identified by intelligence agencies and cybersecurity groups are:

‘VOLT TYPHOON’

Western intelligence agencies and Microsoft (MSFT.O) said on May 24 that Volt Typhoon, a group they described as state-sponsored, had been spying on a range of U.S. critical infrastructure organisations, from telecommunications to transportation hubs.

They described the attacks in 2023 as one of the largest known Chinese cyber-espionage campaigns against American critical infrastructure.

China’s foreign ministry described the reports as part of a U.S. disinformation campaign.

‘BACKDOORDIPLOMACY’

Palo Alto Networks, a U.S. cybersecurity firm, says its research showed BackdoorDiplomacy has links to the Chinese state and is part of the APT15 hacking group.

A Reuters report in May identified BackdoorDiplomacy as being behind a widespread series of digital intrusions over several years against key Kenyan ministries and state institutions. The Chinese authorities said it was not aware of such hacking and described the accusations as baseless.

APT 41

Chinese hacking team APT 41, which is also known as Winnti, Double Dragon and Amoeba, has conducted a mix of government-backed cyber intrusions and financially motivated data breaches, according to U.S.-based cybersecurity firms FireEye and Mandiant.

The U.S. Secret Service said the team had stolen U.S. COVID relief benefits worth tens of…

Source…