Volt Typhoon-Linked SOHO Botnet Infects Multiple US Gov't Entities

Researchers have discovered an Internet of Things botnet linked with attacks against multiple US government and communications organizations.
It comes built with a series of stealth mechanisms and the ability to spread further into local area networks.
One notable subscriber is the Volt Typhoon advanced persistent threat, the headline-grabbing Chinese state-aligned threat actor known for attacks against US critical infrastructure.
The platform appears to have been involved in previously reported Volt Typhoon campaigns against two telecommunications firms, an Internet service provider, and a US government organization based in Guam.
It only represents a portion of Volt Typhoon's infrastructure and there are almost certainly other threat actors also using it.
Inside the KV-Botnet

Since at least February 2022, KV-Botnet has primarily infected SOHO routers including the Cisco RV320, DrayTek Vigor, and Netgear ProSafe product lines.
As of mid-November, it expanded to exploit IP cameras developed by Axis Communications.
Most KV-Botnet infections so far appear to fall into the latter cluster.
With that said, the botnet has brushed up against a number of previously undisclosed high-profile organizations, including a judicial institution, a satellite network provider, and military entities from the US, as well as a renewable energy company based in Europe.
The program is perhaps most notable for its advanced, layered stealth.
It checks for and terminates a series of processes and security tools running on the infected device, runs under the name of a random file already on the device, and generates random ports for command-and-control communication, all in an effort to avoid detection.
Its best stealth perks are inherent to the devices it infects in the first place.
The Benefit of a SOHO Botnet

While outing the group in May, Microsoft researchers made note of how Volt Typhoon proxied all of its malicious traffic through SOHO network edge devices - firewalls, routers, VPN hardware.
One reason might be the fact that residential devices are particularly useful for concealing malicious traffic, explains Jasson Casey, CEO of Beyond Identity.
The relatively high bandwidth of SOHO equipment, compared with its typical workload, means that even a malicious botnet creates little impact observable by the average user.
The Lumen researchers noted a number of other benefits, too, like the high ratio of end-of-life devices still operating in a vulnerable state every day, and how such devices allow attackers to bypass geofencing restrictions.
No functions within the KV-Botnet binary are designed to cause further infections in targets' broader local area networks.


This Cyber News was published on www.darkreading.com. Publication date: Thu, 14 Dec 2023 22:21:10 +0000