Malware hunters in the United States have set eyes on an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure.
The discovery of the botnet, which is packed with outdated Cisco, Netgear and Fortinet devices, adds a new twist to the scramble to mitigate the damage from Volt Typhoon infections first spotted at critical infrastructure organizations in Guam, a U.S. territory in the Pacific Ocean.
Volt Typhoon, flagged by Microsoft and US government officials as a Chinese APT showcasing the ability to disrupt critical communications infrastructure, has burrowed deep into thousands of organizations spanning communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and the education sectors.
According to new research from Black Lotus Labs, the Chinese hackers have seized control of hundreds of old, outdated routers and set up a Tor-like covert data transfer network to perform malicious operations.
In an interview with SecurityWeek, Black Lotus Labs researcher Danny Adamitis said the collection of hijacked routers features a complex infection process and a well-concealed command-and-control framework.
Adamitis said the botnet is made up primarily of end-of-life products that are vulnerable to critical security issues.
Vendors have stopped shipping security patches for these devices, meaning they will remain unpatched.
In a sign that the hacking group may be preparing for a new wave of attacks over the holidays, Adamitis said hijacked Axis IP cameras have been added to the botnet amid a remodeling of the botnet's infrastructure.
Adamitis said Black Lotus Labs will be releasing the malware and related artifacts publicly to help organizations mitigate the threat and plan for upcoming attacks.
The company also released a detailed technical analysis of the intricacies of the botnet and multiple data points with evidence of links to Volt Typhoon.
Adamitis also called special attention to hands-on-keyboard manual operations and clever steps to avoid security software and stay below the radar.
He noted that the hijacked router models are all able to handle medium-to-large data bandwidth, meaning there is likely no noticeable impact on legitimate users.
Black Lotus Labs is urging network defenders to look closely for large data transfers out of the network, even if the destination IP address is physically located in the same geographical area.
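The detection advice above is easy to get wrong in practice: many exfiltration rules quietly exempt destinations geolocated near the organisation, which is exactly the blind spot a relay network built from domestic SOHO routers exploits. The following Python is an added example, not code from SecurityWeek or Black Lotus Labs. It aggregates constructed outbound flow records per internal source and external destination, flags pairs whose total bytes exceed a threshold, and shows how a "same-region exemption" causes the large local transfer to be missed. All IPs (documentation ranges), region labels, byte counts and the threshold are constructed for the example; the internal-prefix heuristic is an assumption and would be replaced by your own address plan.

```python
"""
Added example (not from the article or Black Lotus Labs): flag large
outbound transfers per destination WITHOUT exempting destinations that
geolocate to the organisation's own region. Everything below (flows,
addresses, regions, threshold) is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    bytes_out: int      # bytes sent from src_ip to dst_ip in this flow
    dst_region: str     # constructed geolocation label for dst_ip


HOME_REGION = "us-west"          # assumed region of the organisation

# Constructed flows. 10.0.5.21 pushes 15 x 40 MB (600 MB total) to
# 203.0.113.77, a destination in the SAME region as the organisation.
SAMPLE_FLOWS = (
    [Flow("10.0.5.21", "203.0.113.77", 40_000_000, "us-west") for _ in range(15)]
    + [
        Flow("10.0.5.21", "198.51.100.10", 5_000_000, "eu-central"),   # normal
        Flow("10.0.7.3", "203.0.113.77", 2_000_000, "us-west"),        # small
        Flow("10.0.7.3", "192.0.2.45", 300_000_000, "ap-east"),        # large, far
        Flow("198.51.100.10", "10.0.5.21", 900_000_000, "us-west"),    # inbound
        Flow("10.0.5.21", "10.0.9.9", 2_000_000_000, "us-west"),       # internal
    ]
)


def aggregate_outbound(flows, internal_prefix="10."):
    """Sum bytes per (internal src, external dst); ignore inbound and
    internal-only flows. The prefix test is a placeholder for a real
    address plan (assumption)."""
    totals = defaultdict(int)
    regions = {}
    for f in flows:
        src_internal = f.src_ip.startswith(internal_prefix)
        dst_internal = f.dst_ip.startswith(internal_prefix)
        if src_internal and not dst_internal:
            totals[(f.src_ip, f.dst_ip)] += f.bytes_out
            regions[f.dst_ip] = f.dst_region
    return dict(totals), regions


def flag_large_transfers(flows, threshold_bytes, home_region=HOME_REGION,
                         exempt_home_region=False):
    """Return alerts for src->dst pairs whose aggregate outbound volume
    meets the threshold. exempt_home_region=True reproduces the common
    (and here harmful) rule that skips destinations in the home region."""
    totals, regions = aggregate_outbound(flows)
    alerts = []
    for (src, dst), total in sorted(totals.items()):
        same_region = regions[dst] == home_region
        if exempt_home_region and same_region:
            continue                      # this is the blind spot
        if total >= threshold_bytes:
            alerts.append({
                "src": src,
                "dst": dst,
                "total_bytes": total,
                "dst_region": regions[dst],
                "same_region": same_region,
            })
    return alerts


if __name__ == "__main__":
    limit = 250_000_000                   # 250 MB per pair (constructed)
    for mode in (True, False):
        print(f"exempt_home_region={mode}:")
        for a in flag_large_transfers(SAMPLE_FLOWS, limit, exempt_home_region=mode):
            print(f"  {a['src']} -> {a['dst']} {a['total_bytes'] / 1e6:.0f} MB "
                  f"({a['dst_region']}, same_region={a['same_region']})")
```

Run as-is, the exempting mode reports only the transfer to the distant region, while the non-exempting mode also surfaces the 600 MB sent to the nearby address. In a real deployment the per-pair sum would be computed over a sliding window from NetFlow/IPFIX or proxy logs, and destination geolocation should be recorded on the alert as context rather than used as a filter.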
Originally published on www.securityweek.com, Wed, 13 Dec 2023 17:43:24 +0000.