Chinese hackers Volt Typhoon are back, and rebuilding their botnet to target
new victims
Date:
Wed, 13 Nov 2024 11:22:12 +0000
Description:
Legacy devices are again being hijacked by Volt Typhoon to target critical
infrastructure and governmental departments.
FULL STORY
US allies and authorities recently dismantled parts of a network of legacy
routers in small offices and home offices (SOHO) infected with the KV Botnet
malware, used by the notorious Volt Typhoon group to target US critical
infrastructure.
However, a huge new botnet targeting the same vulnerable legacy edge devices
within critical infrastructure is rapidly growing, and SecurityScorecard's
STRIKE Team thinks it is Volt Typhoon emerging from the ashes.
End-of-life (EOL) devices, those for which manufacturer support has ended,
are again the main targets for this growing network.
SOHO and EOL devices
This time, Volt Typhoon has adapted to obscure its traffic more effectively
using a number of tactics. By using SOHO and EOL devices, Volt Typhoon can
maintain persistence within legacy routers without fear of security updates
that could potentially boot it from that infrastructure. The group has also
been spotted using MIPS-based malware to hide its connections and
communications through port forwarding via port 8433.
Web shells are also being implanted into routers to maintain remote control
and to disguise malicious traffic inside the router's standard network
operations. Many of these devices have been detected on the Pacific island of
New Caledonia, acting as a transfer point for traffic coming from Volt
Typhoon in the Asia-Pacific region heading into the US, and vice versa.
The prime targets of Volt Typhoon's activities are Cisco RV320/325 and Netgear
ProSafe routers. Software maintenance releases and bug fixes for the Cisco
RV320/325 ended in 2021, with STRIKE Team highlighting that Volt Typhoon
compromised 30% of visible Cisco RV320/325 routers in just 37 days, with
government and critical infrastructure being prime targets.
STRIKE Team recommends that government departments address weaknesses such
as the use of legacy devices within critical infrastructure, to reduce the
number of potential vulnerabilities and access points for cyber criminal
organizations and state-sponsored groups.
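As an added example (not code from the article, TechRadar or SecurityScorecard), the following script shows how a defender could act on the two points above: cross-reference a device inventory against the EOL router models the story names, and flag flow records in which one of those devices talks on port 8433, the port the article associates with the port-forwarding relay. The inventory rows, flow records and IP addresses are constructed sample data, and the flow format (`src_ip src_port dst_ip dst_port`) is an assumption for illustration.

```python
import csv
import io

# Added example, not from the article or SecurityScorecard. Models the story
# names as prime targets (Cisco RV320/325 maintenance ended in 2021; Netgear
# ProSafe matched as a family). Extend from your vendors' own EOL notices.
EOL_MODEL_PREFIXES = ("Cisco RV320", "Cisco RV325", "Netgear ProSafe")
# Port the article associates with the MIPS-based port-forwarding relay.
SUSPECT_PORTS = {8433}

# Constructed sample inventory and flow records (RFC 5737 documentation IPs).
INVENTORY_CSV = """ip,model,firmware
192.0.2.10,Cisco RV320,1.5.1.13
192.0.2.11,Netgear ProSafe FVS318G,4.3.5
192.0.2.12,Cisco ISR 4331,17.9
"""
FLOW_LINES = [
    "198.51.100.7 51234 192.0.2.10 8433",  # inbound to EOL router on 8433
    "192.0.2.12 44001 203.0.113.5 443",    # supported device, normal HTTPS
    "192.0.2.11 8433 203.0.113.9 50211",   # EOL router relaying from 8433
    "192.0.2.10 40000 203.0.113.9 443",    # EOL router, but no suspect port
]

def is_eol_model(model: str) -> bool:
    """True when the inventory model string matches a named EOL edge device."""
    return model.strip().startswith(EOL_MODEL_PREFIXES)

def find_eol_devices(inventory_csv: str) -> list:
    """Return inventory rows (dicts) whose model is on the EOL list."""
    return [r for r in csv.DictReader(io.StringIO(inventory_csv))
            if is_eol_model(r["model"])]

def flag_flows(flow_lines: list, eol_ips: set) -> list:
    """Parse 'src_ip src_port dst_ip dst_port' records and return those where
    an EOL device is an endpoint and either side uses a suspect port."""
    hits = []
    for line in flow_lines:
        src_ip, src_port, dst_ip, dst_port = line.split()
        if {src_ip, dst_ip} & eol_ips and {int(src_port), int(dst_port)} & SUSPECT_PORTS:
            hits.append({"src": src_ip, "dst": dst_ip,
                         "eol_device": src_ip if src_ip in eol_ips else dst_ip})
    return hits

def run_hunt(inventory_csv=INVENTORY_CSV, flow_lines=FLOW_LINES) -> dict:
    """Cross-reference inventory and flows; returns both lists for review."""
    eol = find_eol_devices(inventory_csv)
    flows = flag_flows(flow_lines, {d["ip"] for d in eol})
    return {"eol_devices": eol, "suspect_flows": flows}
```

Calling `run_hunt()` on the sample data returns the two EOL routers and the two flows that touch port 8433 on them; feed it your own inventory export and flow records to prioritise which legacy devices to replace or isolate first.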
======================================================================
Link to news story:
https://www.techradar.com/pro/chinese-hackers-volt-typhoon-are-back-and-rebuilding-their-botnet-to-target-new-victims
--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)