Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet

Cyber Threat Summary:
The US cybersecurity landscape faces a critical challenge with the emergence of a highly resilient botnet operated by the Chinese state-backed Volt Typhoon group. The botnet repurposes end-of-life Small Office/Home Office (SOHO) routers from Cisco, Netgear, and Fortinet into a Tor-like covert data transfer network that relays the group's malicious traffic. Because these routers no longer receive security updates, they have become a central element of Volt Typhoon's intrusion strategy against critical sectors such as communications, manufacturing and government. Black Lotus Labs, the threat intelligence arm of Lumen Technologies, uncovered the network, which it tracks as the KV-botnet, and documented a multi-stage infection process and a well-disguised command-and-control infrastructure. Recent changes to the botnet's architecture, including the addition of Axis IP cameras, suggest an imminent surge in activity, potentially timed for the holiday season. Given the absence of ongoing security support for these outdated routers, replacing them is the most viable countermeasure. The compromised devices include Cisco RV320s, DrayTek Vigor routers, Netgear ProSAFEs, and now Axis IP cameras. Despite their obsolescence, these devices still handle enough bandwidth that the botnet's relay traffic goes unnoticed by their legitimate users.

Security Officer Comments:
Given the extensive deployment of these outdated routers, particularly in home and small business environments that lack robust monitoring, cybersecurity analysts are strongly urged to monitor outbound data transfers closely. Because the relay nodes are compromised SOHO devices sitting in ordinary residential and small-business address space, a destination IP address that appears local or geographically nearby is not evidence that a transfer is benign; such destinations must be scrutinized as well to detect further breaches and neutralize the threat posed by this covert network.

Suggested Correction(s):

Black Lotus Labs researchers have recommended the following to protect networks from compromise by Volt Typhoon and other actors who may leverage sophisticated obfuscation networks such as the KV-botnet:

    Network defenders: Look for large data transfers out of the network, even if the destination IP address is physically located in the same geographical area.
    All organizations: Consider comprehensive Secure Access Service Edge (SASE) or similar solutions to bolster their security posture and enable robust detection on network-based communications.
    Consumers with SOHO routers: Users should follow best practices of regularly rebooting routers and installing security updates and patches. Users should leverage properly configured and updated EDR solutions on hosts and regularly update software consistent with vendor patches where applicable.
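The first recommendation above, looking for large outbound transfers without excusing destinations that geolocate nearby, is the kind of check that can be run over exported flow records. The following is an added illustration, not code from the Black Lotus Labs report or from the original page. It aggregates outbound bytes per internal source and external destination and flags pairs over a volume threshold; the NetFlow-style records, the geolocation table and the 1 GiB threshold are all constructed sample data (a real deployment would read flows from a collector and consult a GeoIP database).

```python
"""Egress-volume detection over NetFlow-style flow records.

Added example, not from the Black Lotus Labs report or the original page.
Outbound bytes are summed per (internal source, external destination)
and pairs above a threshold are reported. Destinations whose geolocation
matches the monitored site's own area are deliberately NOT excluded:
KV-botnet relay nodes are compromised SOHO devices in ordinary
residential and small-business address space, so "local" is not "safe".
All flows, geolocations and the threshold below are constructed data.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed geolocation lookup standing in for a real GeoIP database.
SAMPLE_GEO = {
    "198.51.100.23": "Denver, US",   # same metro area as the monitored site
    "203.0.113.77": "Frankfurt, DE",
    "192.0.2.250": "Denver, US",
}

SITE_LOCATION = "Denver, US"        # assumed location of the monitored network
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed NetFlow-like export: timestamp, source, destination, port, bytes.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
2023-12-13T02:10:05Z,10.0.5.12,198.51.100.23,443,734003200
2023-12-13T02:11:40Z,10.0.5.12,198.51.100.23,443,812345678
2023-12-13T02:12:01Z,10.0.5.40,203.0.113.77,443,5242880
2023-12-13T02:12:30Z,10.0.5.40,192.0.2.250,8443,1048576
2023-12-13T02:13:11Z,10.0.5.12,10.0.9.9,445,2147483648
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def aggregate_egress(flow_csv: str) -> dict:
    """Sum bytes per (src, dst) for flows leaving the internal ranges.

    Internal-to-internal traffic (e.g. the SMB flow above) is ignored, so
    the totals reflect egress only.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if is_internal(row["src"]) and not is_internal(row["dst"]):
            totals[(row["src"], row["dst"])] += int(row["bytes"])
    return dict(totals)


def flag_large_egress(flow_csv: str, threshold_bytes: int = 1 << 30) -> list:
    """Return one alert per (src, dst) pair at or above the threshold.

    Geolocation is attached for the analyst's context only; a destination
    in the site's own area is flagged exactly like a foreign one.
    """
    alerts = []
    for (src, dst), total in sorted(aggregate_egress(flow_csv).items()):
        if total >= threshold_bytes:
            location = SAMPLE_GEO.get(dst, "unknown")
            alerts.append({
                "src": src,
                "dst": dst,
                "bytes": total,
                "dst_location": location,
                "geo_local": location == SITE_LOCATION,
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_large_egress(SAMPLE_FLOWS):
        note = " (destination geolocates to the site's own area)" if alert["geo_local"] else ""
        print(f"{alert['src']} -> {alert['dst']}: "
              f"{alert['bytes'] / 2**20:.0f} MiB outbound{note}")
```

With the constructed data, the two flows from 10.0.5.12 to the Denver-located 198.51.100.23 sum to roughly 1.4 GiB and produce the only alert; the internal SMB transfer is larger still but is not egress and is ignored. The threshold and the window over which flows are summed are tuning decisions for the environment, not values from the report.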