KVBotnet – INDIA NEWS (https://www.indiavpn.org), News Blog, Wed, 07 Feb 2024 17:15:34 +0000

After FBI Takedown, KV-Botnet Operators Shift Tactics in Attempt to Bounce Back
https://www.indiavpn.org/2024/02/07/after-fbi-takedown-kv-botnet-operators-shift-tactics-in-attempt-to-bounce-back/
Wed, 07 Feb 2024 17:15:34 +0000


The threat actors behind the KV-botnet made “behavioral changes” to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity.

KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for other Chinese state-sponsored actors, including Volt Typhoon (aka Bronze Silhouette, Insidious Taurus, or Vanguard Panda).

Active since at least February 2022, it was first documented by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The botnet is known to comprise two main sub-groups, viz. KV and JDY, with the latter principally used for scanning potential targets for reconnaissance.

Late last month, the U.S. government announced a court-authorized disruption effort to take down the KV cluster, which is typically reserved for manual operations against high-profile targets chosen after broader scanning via the JDY sub-group.


Now, according to new findings from the cybersecurity firm, the JDY cluster fell silent for roughly fifteen days following public disclosure and the U.S. Federal Bureau of Investigation (FBI) operation.

“In mid-December 2023, we observed this activity cluster hovering around 1500 active bots,” security researcher Ryan English said. “When we sampled the size of this cluster in mid-January 2024 its size dwindled to approximately 650 bots.”

Given that the takedown actions began with a signed warrant issued on December 6, 2023, it’s fair to assume that the FBI began transmitting commands to routers located in the U.S. sometime on or after that date to wipe the botnet payload and prevent them from being re-infected.

“We observed the KV-botnet operators begin to restructure, committing eight straight hours of activity on December 8, 2023, nearly ten hours of operations the following day on December 9, 2023, followed by one hour on December 11, 2023,” Lumen said in a technical report shared with The Hacker News.

During this four-day period, the threat actor was spotted interacting with 3,045 unique IP addresses that were associated with NETGEAR ProSAFEs (2,158), Cisco RV 320/325 (310), Axis IP cameras (29), DrayTek Vigor routers (17), and other unidentified devices (531).

Also observed in early December 2023 was a massive spike in exploitation attempts from the payload server, indicating the adversary’s likely attempts to re-exploit the devices as they detected their infrastructure going offline. Lumen said it also took steps to null-route another set of backup servers that became operational around the same time.


It’s worth noting that the operators of the KV-botnet are known to perform their own reconnaissance and targeting while also supporting multiple groups like Volt Typhoon. Interestingly, the timestamps associated with exploitation of the bots correlate with China working hours.

“Our telemetry indicates that there were administrative connections into the known payload servers from IP addresses associated with China Telecom,” Danny Adamitis, principal information security engineer at Black Lotus Labs, told The Hacker News.


What’s more, the statement from the U.S. Justice Department described the botnet as controlled by “People’s Republic of China (PRC) state-sponsored hackers.”

This raises the possibility that the botnet “was created by an organization supporting the Volt Typhoon hackers; whereas if the botnet was created by Volt Typhoon, we suspect they would have said ‘nation-state’ actors,” Adamitis added.

There are also signs that the threat actors established a third related-but-distinct botnet cluster dubbed x.sh as early as January 2023, composed of Cisco routers infected by deploying a web shell named “fys.sh,” as highlighted by SecurityScorecard last month.


But with KV-botnet being just “one form of infrastructure used by Volt Typhoon to obfuscate their activity,” the recent wave of actions is expected to prompt the state-sponsored actors to transition to another covert network in order to meet their strategic goals.

“A significant percent of all networking equipment in use around the world is functioning perfectly well, but is no longer supported,” English said. “End users have a difficult financial choice when a device reaches that point, and many aren’t even aware that a router or firewall is at the end of its supported life.

“Advanced threat actors are well aware that this represents fertile ground for exploitation. Replacing unsupported devices is always the best choice, but not always feasible.”

“Mitigation involves defenders adding their edge devices to the long list of those they already have to patch and update as often as available, rebooting devices and configuring EDR or SASE solutions where applicable, and keeping an eye on large data transfers out of the network. Geofencing is not a defense to rely on, when the threat actor can hop from a nearby point.”
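One concrete way to act on the last two recommendations above (watch for large outbound transfers, and don't lean on geofencing) is a per-host outbound-volume check over flow records. The script below is an added example written for this page; it is not Lumen's tooling or anything from the article. It reads constructed NetFlow-style records (source IP, destination IP, bytes sent), sums bytes leaving the internal address space per source host, and flags hosts whose total exceeds a median-based baseline. The sample records, the internal prefixes and the threshold parameters are all assumptions. Geolocation is deliberately not consulted: a relay hop through a nearby compromised SOHO router arrives from an "expected" country anyway, which is exactly the caveat the quote makes.

```python
"""Flag unusually large outbound transfers per internal host from flow records.

Added example for this page; not code from Lumen or from the original article.
Input is a list of constructed NetFlow-style tuples (src_ip, dst_ip, bytes_out).
The baseline is a median of per-host outbound totals; a production deployment
would use per-host history over time rather than a single snapshot.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample flows (not real telemetry): (source IP, destination IP, bytes sent).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 4_000),             # internal-to-internal, ignored
    ("10.0.1.10", "198.51.100.20", 12_000),       # routine outbound
    ("10.0.1.11", "198.51.100.21", 9_000),
    ("10.0.1.12", "198.51.100.22", 15_000),
    ("10.0.1.13", "203.0.113.7", 2_400_000_000),  # ~2.4 GB to one external host
    ("10.0.1.13", "203.0.113.7", 1_100_000_000),  # another 1.1 GB to the same host
    ("10.0.1.14", "198.51.100.25", 8_000),
]

# Assumed internal address space; adjust to the monitored network.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_per_host(flows):
    """Sum bytes from internal sources to external destinations, per source host.

    Destination country is intentionally not used as a filter: a relay through a
    compromised router in a nearby network would pass any geofence.
    """
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_large_transfers(flows, factor: float = 10.0, floor_bytes: int = 100_000_000):
    """Return (host, total_bytes) pairs whose outbound volume exceeds the baseline.

    Threshold = max(floor_bytes, factor * median of per-host totals). The median
    is robust to the outlier being hunted; floor_bytes keeps a tiny network with
    a very small median from flagging normal traffic.
    """
    totals = outbound_bytes_per_host(flows)
    if not totals:
        return []
    baseline = median(totals.values())
    threshold = max(floor_bytes, factor * baseline)
    return sorted((host, total) for host, total in totals.items() if total > threshold)


if __name__ == "__main__":
    for host, total in flag_large_transfers(SAMPLE_FLOWS):
        print(f"{host}: {total / 1e9:.2f} GB outbound, above baseline; investigate")
```

On the sample data the median per-host outbound total is 12,000 bytes, so the floor of 100 MB is the effective threshold and only 10.0.1.13 (3.5 GB to 203.0.113.7) is reported. Pair this with an inventory of edge devices so that a flagged source that is itself a router or firewall gets priority, since that is the position KV-botnet nodes occupy.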

U.S. Feds Shut Down China-Linked “KV-Botnet” Targeting SOHO Routers
https://www.indiavpn.org/2024/02/01/u-s-feds-shut-down-china-linked-kv-botnet-targeting-soho-routers/
Thu, 01 Feb 2024 13:05:11 +0000


The U.S. government on Wednesday said it took steps to neutralize a botnet comprising hundreds of U.S.-based small office and home office (SOHO) routers hijacked by a China-linked state-sponsored threat actor called Volt Typhoon and blunt the impact posed by the hacking campaign.

The existence of the botnet, dubbed KV-botnet, was first disclosed by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The law enforcement effort was reported by Reuters earlier this week.

“The vast majority of routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached ‘end of life’ status; that is, they were no longer supported through their manufacturer’s security patches or other software updates,” the Department of Justice (DoJ) said in a press statement.

Volt Typhoon (aka DEV-0391, Bronze Silhouette, or Vanguard Panda) is the moniker assigned to a China-based adversarial collective that has been attributed to cyber attacks targeting critical infrastructure sectors in the U.S. and Guam.

“Chinese cyber actors, including a group known as ‘Volt Typhoon,’ are burrowing deep into our critical infrastructure to be ready to launch destructive cyber attacks in the event of a major crisis or conflict with the United States,” CISA Director Jen Easterly noted.

The cyber espionage group, believed to be active since 2021, is known for its reliance on legitimate tools and living-off-the-land (LotL) techniques to fly under the radar and persist within victim environments for extended periods of time to gather sensitive information.


Another important aspect of its modus operandi is that it tries to blend into normal network activity by routing traffic through compromised SOHO network equipment, including routers, firewalls, and VPN hardware, in an attempt to obfuscate their origins.

This is accomplished by means of the KV-botnet, which commandeers devices from Cisco, DrayTek, Fortinet, and NETGEAR for use as a covert data transfer network for advanced persistent threat actors. It’s suspected that the botnet operators offer their services to other hacking outfits, including Volt Typhoon.

In January 2024, a report from SecurityScorecard revealed how the botnet has been responsible for compromising as much as 30% — or 325 of 1,116 — of end-of-life Cisco RV320/325 routers over a 37-day period from December 1, 2023, to January 7, 2024.

“Volt Typhoon is at least one user of the KV-botnet and […] this botnet encompasses a subset of their operational infrastructure,” Lumen Black Lotus Labs said, adding the botnet “has been active since at least February 2022.”

The botnet is also designed to download a virtual private network (VPN) module to the vulnerable routers and set up a direct encrypted communication channel to control the botnet and use it as an intermediary relay node to achieve their operational goals.

“One function of the KV-botnet is to transmit encrypted traffic between the infected SOHO routers, allowing the hackers to anonymize their activities (i.e., the hackers appear to be operating from the SOHO routers, versus their actual computers in China),” according to affidavits filed by the U.S. Federal Bureau of Investigation (FBI).

As part of its efforts to disrupt the botnet, the agency said it remotely issued commands to target routers in the U.S. using the malware’s communication protocols to delete the KV-botnet payload and prevent them from being re-infected. The FBI said it also notified every victim about the operation, either directly or via their internet service provider if contact information was not available.

“The court-authorized operation deleted the KV-botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet,” the DoJ added.

It’s important to point out here that the unspecified prevention measures employed to remove the routers from the botnet are temporary and cannot survive a reboot. In other words, simply restarting the devices would render them susceptible to re-infection.

“The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors – steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous,” FBI Director Christopher Wray said.


However, the Chinese government, in a statement shared with Reuters, denied any involvement in the attacks, dismissing it as a “disinformation campaign” and that it “has been categorical in opposing hacking attacks and the abuse of information technology.”

Coinciding with the takedown, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published new guidance urging SOHO device manufacturers to embrace a secure by design approach during development and shift the burden away from customers.

Specifically, it’s recommending that manufacturers eliminate exploitable defects in SOHO router web management interfaces and modify default device configurations to support automatic update capabilities and require a manual override to remove security settings.

The compromise of edge devices such as routers for use in advanced persistent attacks mounted by Russia and China highlights a growing problem that’s compounded by the fact that legacy devices no longer receive security patches and do not support endpoint detection and response (EDR) solutions.

“The creation of products that lack appropriate security controls is unacceptable given the current threat environment,” CISA said. “This case exemplifies how a lack of secure by design practices can lead to real-world harm both to customers and, in this case, our nation’s critical infrastructure.”

New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks
https://www.indiavpn.org/2023/12/25/new-kv-botnet-targeting-cisco-draytek-and-fortinet-devices-for-stealthy-attacks/
Mon, 25 Dec 2023 23:36:16 +0000

Dec 15, 2023, Newsroom, Botnet / Advanced Persistent Threat

A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.

Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022.

“The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years,” the company said.


The two clusters – codenamed KV and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China.

While the bots that are part of JDY engage in broader scanning using less sophisticated techniques, the KV component, featuring largely outdated and end-of-life products, is assessed to be reserved for manual operations against high-profile targets identified through JDY’s scanning.

It’s suspected that Volt Typhoon is at least one user of the KV-botnet and it encompasses a subset of their operational infrastructure, which is evidenced by the noticeable decline in operations in June and early July 2023, coinciding with the public disclosure of the adversarial collective’s targeting of critical infrastructure in the U.S.

Microsoft, which first exposed the threat actor’s tactics, said it “tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.”

The exact initial infection mechanism used to breach the devices is currently unknown. It’s followed by the first-stage malware taking steps to remove security programs and other malware strains so as to ensure that it’s the “only presence” on these machines.


It’s also designed to retrieve the main payload from a remote server, which, in addition to beaconing back to the same server, is also capable of uploading and downloading files, running commands, and executing additional modules.

Over the past month, the botnet’s infrastructure has received a facelift, targeting Axis IP cameras, indicating that the operators could be gearing up for a new wave of attacks.

“One of the rather interesting aspects of this campaign is that all the tooling appears to reside completely in-memory,” the researchers said. “This makes detection extremely difficult, at the cost of long-term persistence.”

“As the malware resides completely in-memory, by simply power-cycling the device the end user can cease the infection. While that removes the imminent threat, re-infection is occurring regularly.”

The findings arrive as The Washington Post reported that two dozen critical entities in the U.S. have been infiltrated by Volt Typhoon over the past year, including power and water utilities as well as communications and transportation systems.

“The hackers often sought to mask their tracks by threading their attacks through innocuous devices such as home or office routers before reaching their victims,” the report added.
