New KV botnet targets Cisco, DrayTek and Fortinet devices for stealth attacks

A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transmission network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.

Dubbed the KV botnet by Lumen Technologies’ Black Lotus Labs team, the malicious network is described as a merger of two complementary activity clusters that have been active since at least February 2022.

“The campaign infects devices at the edge of networks, a segment that has emerged as a weak spot in many companies’ defenses, exacerbated by the shift to remote work in recent years,” the company said.

The two clusters – codenamed KV and JDY – are said to be distinct, yet work together to facilitate access to high-profile victims and establish a covert infrastructure. Telemetry data shows that the botnet is controlled from IP addresses in China.

While the JDY cluster handles broader scanning using less sophisticated techniques, the KV component, made up largely of outdated and end-of-life devices, is believed to be reserved for manual operations against high-profile targets selected by the former.

Volt Typhoon is suspected to be at least one user of the KV botnet, which is believed to include a subset of the group’s operational infrastructure. This is evidenced by a noticeable drop in activity in June and early July 2023, which coincided with the public disclosure of the adversarial collective’s targeting of critical infrastructure in the US.

Microsoft, which first exposed the threat actor’s tactics, said it is “attempting to blend in with normal network activity by routing traffic through compromised small offices and home offices (SOHO) networking equipment, including routers, firewalls, and VPN hardware.”

The exact initial infection mechanism used to breach the devices is currently unknown. Initial access is followed by a first-stage malware that takes steps to remove security programs and other strains of malware so as to ensure it is the “only presence” on these machines.

It is also designed to retrieve the main payload from a remote server. That payload not only beacons back to the same server but can also upload and download files, execute commands, and run additional modules.

Over the past month, the botnet’s infrastructure has undergone a facelift, targeting Axis IP cameras, indicating that its operators could be preparing for a new wave of attacks.

“One of the rather interesting aspects of this campaign is that all the tools appear to be completely in memory,” the researchers said. “This makes detection extremely difficult, at the expense of long-term persistence.”

“Because the malware resides entirely in memory, the end user can stop the infection by simply turning the device off and on again. While this eliminates the immediate threat, reinfection occurs frequently.”

The findings come as The Washington Post reported that two dozen critical entities in the US have been infiltrated by Volt Typhoon over the past year, including energy and water utilities, as well as communications and transportation systems.

“The hackers often attempted to mask their tracks by routing their attacks through harmless devices such as home or office routers before reaching their victims,” the report added.
