Another round of confrontation between the United States and the Volt Typhoon group has begun.
The Chinese hacker group Volt Typhoon has become active again and has begun to rebuild its KV-Botnet, which was taken down in January by US law enforcement. According to SecurityScorecard, the group has been engaged in cyberespionage for 5 years and attacks high-value targets in the United States and other countries.
The Volt Typhoon hackers rely on vulnerable edge devices such as routers and network cameras, including Netgear ProSAFE and Cisco RV320 routers and Axis IP cameras. The attackers install malware that gives them covert access to the targeted networks and lets them keep that access.
In January 2024, the US authorities were able to temporarily halt the group's activity by removing the malware from infected devices. By August, however, there were signs that the hackers had returned, exploiting a new vulnerability.
According to the latest reports, Volt Typhoon has resumed operations and started rebuilding the botnet from outdated Cisco and Netgear routers. In just over a month, the hackers managed to infect a significant number of devices. They use MIPS-based malware and web shells that listen on non-standard ports, which makes detection more difficult.
Since September, the hackers have been actively compromising devices in Asia and assembling a new network of infected devices. SecurityScorecard gave the botnet another name, "JDYFJ Botnet", after a self-signed SSL certificate found on the infected devices. The main targets are Cisco RV320/325 and Netgear ProSafe devices.
In 37 days, Volt Typhoon was able to infect almost 30% of all Cisco RV320/325 devices reachable on the Internet. Experts cannot yet say for sure which vulnerabilities are being exploited, but suspect the root cause is that these end-of-life devices no longer receive updates.
Volt Typhoon Infestations
The botnet's C2 servers are hosted on Digital Ocean, Quadranet, and Vultr, which helps the group build a more resilient network. The hackers also use a compromised VPN device on the island of New Caledonia to covertly relay traffic between Asia and the Americas.
Experts believe that this device was chosen for its convenient geographical location, which makes the hackers harder to track. Although the Volt Typhoon botnet is now smaller than before, the hackers continue to develop their attacks.
To protect against such threats, experts recommend replacing old routers with current models, placing them behind firewalls, disabling remote access to the management interface, and changing default administrator passwords. Where current devices are in use, it is important to update the firmware regularly to close known vulnerabilities.
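As an added defender-side example (not code from the article or from SecurityScorecard), the script below runs the indicators described above over a constructed scan inventory: end-of-life Cisco RV320/325 and Netgear ProSAFE devices reachable from the Internet, management interfaces exposed, web services on non-standard ports, and a self-signed certificate carrying the "JDYFJ" string. The port baseline, the internal address ranges, and the assumption that "JDYFJ" appears in the certificate subject are assumptions of this example.

```python
"""Triage a constructed edge-device inventory for the indicators the report
describes. Sample records, ports and ranges are assumptions, not real IoCs."""
import ipaddress

# Models the report names as the botnet's main targets; treated as end-of-life.
EOL_MODELS = ("Cisco RV320", "Cisco RV325", "Netgear ProSAFE")
# Assumption: ports where a web UI is expected at this site.
STANDARD_WEB_PORTS = {80, 443, 8080, 8443}
# Assumption: RFC 1918 ranges are internal; anything else is Internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample scan records (documentation addresses, made-up certs).
INVENTORY = [
    {"ip": "203.0.113.10", "port": 443, "service": "https", "model": "Cisco RV320",
     "mgmt_ui": True, "tls_cert": {"subject": "CN=JDYFJ", "issuer": "CN=JDYFJ"}},
    {"ip": "203.0.113.11", "port": 8443, "service": "https", "model": "Cisco RV325",
     "mgmt_ui": True, "tls_cert": {"subject": "CN=router", "issuer": "CN=router"}},
    {"ip": "203.0.113.12", "port": 49152, "service": "http",
     "model": "Netgear ProSAFE GS724T", "mgmt_ui": False, "tls_cert": None},
    {"ip": "192.168.1.1", "port": 443, "service": "https", "model": "Cisco RV320",
     "mgmt_ui": True, "tls_cert": {"subject": "CN=lan", "issuer": "CN=lan"}},
    {"ip": "203.0.113.20", "port": 443, "service": "https", "model": "Vendor X 2024",
     "mgmt_ui": False, "tls_cert": {"subject": "CN=vpn", "issuer": "CN=Some CA"}},
]

def is_internet_facing(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def is_self_signed(cert):
    # A self-signed certificate names the same entity as subject and issuer.
    return cert["subject"] == cert["issuer"]

def triage(rec):
    """Return the list of findings for one listening-service record."""
    findings, exposed = [], is_internet_facing(rec["ip"])
    if exposed and rec["model"].startswith(EOL_MODELS):
        findings.append("eol-device-internet-facing")
    if exposed and rec["mgmt_ui"]:
        findings.append("management-ui-internet-facing")
    if rec["service"] in ("http", "https") and rec["port"] not in STANDARD_WEB_PORTS:
        findings.append("web-service-on-nonstandard-port")  # web-shell hint
    cert = rec.get("tls_cert")
    if cert and is_self_signed(cert) and "JDYFJ" in cert["subject"]:  # assumption
        findings.append("jdyfj-self-signed-certificate")
    return findings

def triage_inventory(records):
    """Map 'ip:port' to its findings, keeping only records that have any."""
    return {f"{r['ip']}:{r['port']}": triage(r) for r in records if triage(r)}
```

Records with no findings (the LAN-only router and the current, CA-signed VPN) are dropped from the result, so the output is only what needs follow-up.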
Source