China-backed cyber espionage group Volt Typhoon is systematically targeting legacy Cisco devices in a sophisticated and stealthy campaign to grow its attack infrastructure.
In many instances, the threat actor, known for targeting critical infrastructure, is exploiting two vulnerabilities from 2019 in the routers to break into target devices and take control of them.
Targeting US Critical Infrastructure Sectors

Researchers from SecurityScorecard's threat intelligence team spotted the activity when doing follow-up investigations on recent vendor and media reports about Volt Typhoon breaking into US critical infrastructure organizations and laying the ground for potential future disruptions.
The attacks have targeted water utilities, power suppliers, transportation, and communications systems.
One of the vendor reports, from Lumen, described a botnet comprised of small office/home office routers that Volt Typhoon - and other Chinese threat groups - is using as a command-and-control network in attacks against high-value networks.
SecurityScorecard researchers used the indicators of compromise that Lumen released with its report to see if they could identify new infrastructure associated with Volt Typhoon's campaign.
The investigation showed the threat group's activity may be more extensive than previously thought, says Rob Ames, staff threat researcher at SecurityScorecard.
Volt Typhoon appears to have been responsible for compromising as much as 30% - or 325 of 1,116 - of end-of-life Cisco RV320/325 routers that SecurityScorecard observed on the C2 botnet over a 37-day period.
The security vendor's researchers observed regular connections between the compromised Cisco devices and known Volt Typhoon infrastructure between Dec. 1, 2023 and Jan. 7, 2024, suggesting a very active operation.
SecurityScorecard was able to identify multiple new IP addresses that appeared linked to Volt Typhoon activity.
Living-off-the-Land Cyberattacks

Volt Typhoon is a threat group that the US Cybersecurity and Infrastructure Agency has identified as a state-sponsored Chinese threat actor targeting US critical infrastructure sectors.
Microsoft, the first to report on the group back in May 2023, has described it as being active since at least May 2021, being based in China, and conducting large-scale cyber espionage using a slew of living-off-the-land techniques.
The company has assessed the group as developing capabilities to disrupt critical communications capabilities between the US and Asia during potential future conflicts.
Ames says Volt Typhoon's use of compromised routers for data transfers is one indication of the group's commitment to stealth.
Cyber-Targeting of Vulnerable End-of-Life Gear

Volt Typhoon's targeting of end-of-life devices also makes a lot of sense from the attacker's perspective, Ames says.
There are some 35 known critical vulnerabilities with a severity rating of at least 9 out of 10 on the CVSS scale - including two in CISA's Known Exploited Vulnerabilities catalog - associated with the Cisco RV320 routers that Volt Typhoon has been targeting.
In addition to the Cisco devices, the Volt Typhoon-linked botnet also includes compromised legacy DrayTek Vigor and Netgear ProSafe routers.
Callie Guenther, senior manager of cyber threat research at Critical Start, says Volt Typhoon's strategic targeting of end-of-life Cisco routers, its development of custom tools like fy.sh, and its geographical and sectoral targeting suggest a highly sophisticated operation.
As examples, she points to multiple threat actors targeting the so-called Ripple20 vulnerabilities in a TCP/IP stack that affected millions of legacy IoT devices, as well as Chinese and Iranian threat groups targeting flaws in older VPN products.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 11 Jan 2024 22:50:03 +0000