China takes control of US infrastructure: Cisco as a Trojan horse for the West

Massive hacking of Cisco devices sets the stage for cyberwarfare.

According to a report by the STRIKE team at SecurityScorecard, hackers from the Volt Typhoon group, which is linked to the Chinese government, gained permanent access to Cisco RV320/325 routers, which were discontinued in 2019.

Attackers exploit two vulnerabilities in the web management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers, both of which were added to the CISA Known Exploited Vulnerabilities (KEV) catalog:
  • CVE-2019-1653 (CVSS score: 7.5): Allows an unauthenticated remote attacker to obtain sensitive information. The error is related to incorrect URL access control. A cybercriminal can take advantage of the flaw by connecting to the affected device via HTTP/HTTPS and requesting specific URLs. Successful exploitation allows the attacker to download the router configuration or detailed diagnostic information.
  • CVE-2019-1652 (CVSS score: 7.2): Allows an authenticated remote attacker with administrator rights on the affected device to execute arbitrary commands. The vulnerability is related to incorrect verification of user input data. A cybercriminal can take advantage of the vulnerability by sending malicious HTTP POST requests to the web management interface of the affected device. A successful exploit allows an attacker to execute arbitrary commands in the basic Linux shell as the root user.

The vulnerabilities affect RV320 and RV325 devices with software versions 1.4.2.15–1.4.2.20. A full fix was received in firmware version 1.4.2.22, but not all administrators paid due attention to updating outdated devices.

According to STRIKE experts, hackers compromised about 30% of devices in 37 days. The team observed frequent connections between compromised devices and the Volt Typhoon infrastructure from December 1, 2023 to January 7, 2024, suggesting a very active presence.

The researchers also found web shells on hacked routers installed by hackers to further control the systems. There are signs that Volt Typhoon is preparing a new infrastructure for attacks on the assets of the US, UK and Australian governments.

Researchers also point to the active preparation of Volt Typhoon for new attacks, including on targets in the United States and its allies. They found links between 325 of 1,116 potential targets and IP addresses previously identified as proxies used by Volt Typhoon.

Experts believe that the success of this campaign is due to the fact that attackers targeted outdated equipment, which is often not given due attention. Such attacks can become a popular trend in the cybercrime community.
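The post's core defensive point is that the affected range (1.4.2.15 to 1.4.2.20, fixed in 1.4.2.22) sits on hardware that was discontinued in 2019, so an administrator needs to know both whether a router is in the vulnerable range and whether it is end-of-life even when patched. The following Python inventory check is an added example written for this thread; it is not code from the post, from SecurityScorecard or from Cisco. The inventory format, the hostnames and the firmware strings are constructed sample data; the version boundaries and model names come from the post.

```python
"""Triage a router inventory against the RV320/RV325 firmware range from the post.

Constructed example: the inventory layout (host/model/firmware dicts) and the
sample devices are assumptions, not data from the report.
"""
from typing import Dict, List, Tuple

# Facts taken from the post: affected models, affected range, fixed version.
AFFECTED_MODELS = {"RV320", "RV325"}
FIRST_AFFECTED = (1, 4, 2, 15)
LAST_AFFECTED = (1, 4, 2, 20)
FIXED_VERSION = (1, 4, 2, 22)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted firmware string such as '1.4.2.20' into a comparable tuple.

    Raises ValueError on anything that is not purely numeric dotted components,
    so a malformed or missing version is surfaced instead of silently passing.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(model: str, firmware: str) -> str:
    """Classify one device relative to the range described in the post.

    Returns one of:
      not-in-scope     - model is not RV320/RV325
      unknown-version  - firmware string could not be parsed (treat as suspect)
      vulnerable       - firmware inside 1.4.2.15 .. 1.4.2.20
      patched-but-eol  - firmware >= 1.4.2.22, but hardware discontinued in 2019
      unverified       - version outside the range the post describes
    """
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-in-scope"
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unknown-version"
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "vulnerable"
    if version >= FIXED_VERSION:
        return "patched-but-eol"
    return "unverified"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by classification so vulnerable units can be acted on first."""
    buckets: Dict[str, List[str]] = {}
    for device in inventory:
        status = classify(device["model"], device["firmware"])
        buckets.setdefault(status, []).append(device["host"])
    return buckets


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "branch-a-gw", "model": "RV320", "firmware": "1.4.2.20"},
    {"host": "branch-b-gw", "model": "RV325", "firmware": "1.4.2.15"},
    {"host": "branch-c-gw", "model": "RV320", "firmware": "1.4.2.22"},
    {"host": "branch-d-gw", "model": "RV325", "firmware": "1.4.2.21"},
    {"host": "branch-e-gw", "model": "RV320", "firmware": "n/a"},
    {"host": "core-fw-1",   "model": "RV340", "firmware": "1.0.03.29"},
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:16s} {', '.join(hosts)}")
```

The check deliberately keeps "patched-but-eol" as its own bucket rather than folding it into "ok": on the post's own reasoning, a discontinued router with the fix applied still belongs on a replacement list, and a device whose firmware cannot be read should be verified by hand rather than assumed safe.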