US federal government authorities have taken measures to dismantle a botnet consisting of thousands of compromised small office/home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.
According to an FBI affidavit, the KV-botnet was used by the China-linked threat actor Volt Typhoon to obscure its origin by transmitting encrypted traffic between the infected SOHO routers, anonymizing their activities by blending their malicious traffic with benign internet traffic.
The FBI neutralized the botnet by remotely issuing commands to target affected devices in the US. They used the malware's communication protocols to delete the KV-botnet payload and prevent it from being re-infected.
The botnet consisted of Netgear, DrayTek, Fortinet, and end-of-life Cisco devices for which updated security patches are no longer developed, making them a perfect target for a botnet.
The FBI believes denying Volt Typhoon the use of its botnet will significantly impact the group’s ability to hide pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors.
This takedown operation reflects how seriously the US takes Chinese efforts to identify and prepare to destroy or degrade the civilian critical infrastructure in the event of heightened tensions or open warfare between the two nations.
Not only does the takedown deny Volt Typhoon a valuable tool to obfuscate its activities, but it also serves as a warning to China that the US is aware of its activities and won’t hesitate to take necessary actions to mitigate the threat they pose.
Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software, appliances and operating systems. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities.
Covalence users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.
Field Effect strongly encourages users to enable automatic updates for SOHO devices to ensure they have the latest security patches to the fullest extent possible. Additionally, users are reminded to make sure these devices are configured properly (e.g., restricting external access to management interfaces, and disabling unnecessary services) and maintain strong password hygiene.