KV-botnet: Chinese hackers change tactics after US operation

What is the risk of reorganizing KV-Botnet for American organizations?

Cybersecurity specialists from Lumen note "behavioral changes" in the activities of the Chinese malicious KV-botnet network after US law enforcement agencies began to take measures to neutralize it.

KV-botnet is a network of infected routers and firewall devices for small office and home use (SOHO) around the world, part of which is used by Chinese state hackers for covert data transmission.

This malicious network has been active since February 2022 and was first detected by the Black Lotus Labs team in December 2023. The network consists of two main subgroups — KV and JDY, with the latter mainly used for scanning potential targets.

At the end of last month, the US government announced a large-scale operation to eliminate the KV cluster. Following the FBI's actions, the JDY cluster also stopped its activity for about two weeks.

The number of active bots on this network decreased from 1,500 in mid-December last year to approximately 650 in mid-January this year. This is attributed to the forced removal of malware from routers in the United States, which began after the relevant order was issued on December 6, 2023.

At the same time, KV-botnet operators began actively rebuilding their network, devoting a total of about 20 hours to the process. During these actions, interactions with 3045 unique IP addresses belonging to devices from different manufacturers were observed.

In addition, a sharp spike was recorded in attempts to exploit the same vulnerabilities through which the attackers had previously gained control of the devices. This indicates that the attackers want to re-infect devices that have "dropped off" their malicious network.

Interestingly, all KV-botnet operations took place strictly during business hours in China, and some of the IP addresses used to manage the malware, when checked, were found to be associated with China Telecom. For American experts, however, this is nothing new: they have long linked KV-botnet to the activities of the Chinese hacking group Volt Typhoon, which is backed by the Chinese Communist Party.

Experts suggest that the Volt Typhoon hackers will now switch to a different, more covert network to pursue their strategic goals, especially considering that KV-botnet is only one of the tools in their arsenal.

Experts emphasize that a very large share of the network equipment in use across American organizations, although it still works properly, has not been supported by its manufacturers for a long time, which creates favorable conditions for its exploitation by intruders.

The most effective security measure in this case is the complete replacement of outdated devices whose support has expired, although this may be very difficult from a financial point of view. Otherwise, Internet access to vulnerable devices should be disabled, and if that is not possible, they should be restarted regularly, since router malware usually cannot register itself to run at startup and so does not survive a reboot.

In addition, the use of EDR solutions and SASE systems in an organization, coupled with monitoring of the volume of transmitted traffic, should further strengthen protection and help avoid undesirable consequences from the actions of intruders.