Technology

Chinese hackers Volt Typhoon are back, and rebuilding their botnet to target new victims

November 13, 2024

Volt Typhoon is rapidly rebuilding its botnet of legacy routers
Traffic is being obscured through webshells and MIPS-based malware
Critical infrastructure needs to upgrade away from EOL devices

US allies and authorities recently dismantled parts of a network of legacy routers in small offices and home offices (SOHO) infected with the KV Botnet malware, used by the notorious Volt Typhoon group to target US critical infrastructure.

However, a huge new botnet targeting the same vulnerable legacy edge devices within critical infrastructure is rapidly growing, and Security Scorecard’s STRIKE Team thinks it is Volt Typhoon emerging from the ashes.

‘End-of-life’ (EOL) devices, those for which manufacturer support has ended, are again the main targets for this growing network.

SOHO and EOL devices

This time, Volt Typhoon has adapted to more effectively obscure its traffic using a number of tactics. By using SOHO and EOL devices, Volt Typhoon can maintain persistence within legacy routers without fear of security updates that could potentially boot them from their infrastructure. The group has also been spotted using MIPS-based malware to hide its connections and communications through port forwarding via 8433.

Webshells are also being implanted into routers to maintain remote control, which also disguise malicious traffic inside the router’s standard network operations. Many of these devices have been detected on the Pacific island of New Caledonia, acting as a transfer point for traffic coming from Volt Typhoon in the Asia-Pacific region heading into the US, and vice versa.

The prime targets of Volt Typhoon’s activities are Cisco RV320/325 and Netgear ProSafe routers. Software maintenance releases and bug fixes for the Cisco RV320/325 ended in 2021, with STRIKE Team highlighting that Volt Typhoon compromised 30% of visible Cisco RV320/325 routers in just 37 days, with government and critical infrastructure being prime targets.

STRIKE Team recommends that government departments should address weaknesses such as the use of legacy devices within critical infrastructure to reduce the number of potential vulnerabilities and access points for cyber criminal organizations and state-sponsored groups.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar