- Volt Typhoon is quickly rebuilding its botnet from older routers
- Traffic is obfuscated by web shells and MIPS-based malware
- Critical infrastructure needs to be upgraded away from EOL devices
US allies and authorities recently dismantled parts of a network of older small office and home office (SOHO) routers infected with the KV Botnet malware, used by the infamous Volt Typhoon group to attack US critical infrastructure.
However, a large new botnet is rapidly growing that targets the same vulnerable legacy edge devices within critical infrastructure, and the SecurityScorecard STRIKE team believes it is Volt Typhoon rising from the ashes.
End-of-life (EOL) devices, those for which the manufacturer no longer provides support or security updates, are once again the main target of this growing network.
SOHO and EOL devices
This time, Volt Typhoon has adapted to hide its traffic more effectively, using a number of tactics. Because SOHO and EOL devices no longer receive firmware or security updates, the group can maintain persistence in older routers without the risk that a patch will evict it from its own infrastructure. The group has also been observed using MIPS-based malware (MIPS being the processor architecture common in these routers) to conceal its connections and communications, with traffic port-forwarded via port 8433.
Web shells are also implanted on the routers to maintain remote control, which blends the malicious traffic into the router's normal network operations. Many of these devices have been detected on the Pacific island of New Caledonia, acting as a relay point for traffic between Volt Typhoon's infrastructure in the Asia-Pacific region and targets in the US, and vice versa.
The main targets of Volt Typhoon's activity are Cisco RV320/325 and Netgear ProSafe routers. Software maintenance releases and bug fixes for the Cisco RV320/325 ended in 2021, and the STRIKE team highlights that Volt Typhoon compromised 30% of visible Cisco RV320/325 routers in just 37 days, with government and critical infrastructure organizations the main targets.
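To turn the two observations above (traffic port-forwarded via port 8433 from the routers, and the Cisco RV320/325 and Netgear ProSafe models being the main targets) into something a network defender can actually check, here is an added example that is not code from the article or from SecurityScorecard's STRIKE team. It assumes the port-8433 traffic is TCP (the article does not say), invents a simple flow-record line format for the sake of the example, and runs over constructed sample flows and a constructed asset inventory; the only indicators it encodes are the port number and model names the article gives.

```python
"""Hunt for the router-botnet indicators named in the text: perimeter flows
on the port the article associates with the MIPS malware's port forwarding,
and edge devices whose model the article lists as an end-of-life target."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Models the article names as Volt Typhoon's main targets. The Cisco pattern is
# deliberately narrow so still-supported RV340/RV345 units are not flagged.
EOL_MODEL_PATTERNS = (
    re.compile(r"^cisco\s+rv32[05]\b", re.I),      # Cisco RV320 / RV325
    re.compile(r"^netgear\s+prosafe\b", re.I),     # Netgear ProSafe family
)

# Port the article says the implant uses for port forwarding.
# Assumption: TCP; the article does not state the transport.
SUSPECT_PORT = 8433

# Flow-record format is an assumption made for this example, not a vendor format:
#   <ISO timestamp> <src>:<sport> -> <dst>:<dport> <proto> <bytes>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow line; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        ts=m["ts"],
        src=ipaddress.IPv4Address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]),
        dport=int(m["dport"]),
        proto=m["proto"].lower(),
        nbytes=int(m["bytes"]),
    )


def is_eol_model(model: str) -> bool:
    """True if the model string matches one of the EOL targets named above."""
    return any(p.match(model.strip()) for p in EOL_MODEL_PATTERNS)


def suspicious_flows(lines, internal_nets) -> List[Flow]:
    """Return TCP flows on SUSPECT_PORT that cross the perimeter: exactly one
    endpoint inside internal_nets (the router side), the other outside.
    Internal-only traffic on the same port is ignored to keep the signal tight."""
    nets = [ipaddress.IPv4Network(n) for n in internal_nets]

    def inside(addr: ipaddress.IPv4Address) -> bool:
        return any(addr in n for n in nets)

    hits = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f.proto != "tcp":
            continue
        if SUSPECT_PORT not in (f.sport, f.dport):
            continue
        if inside(f.src) != inside(f.dst):   # one side internal, one external
            hits.append(f)
    return hits


def eol_assets(inventory) -> list:
    """Return inventory rows whose model is one of the EOL targets."""
    return [row for row in inventory if is_eol_model(row["model"])]


# Constructed sample data (RFC 5737 documentation addresses, invented hostnames).
SAMPLE_FLOWS = [
    "2024-11-12T03:14:07Z 192.168.1.1:51234 -> 203.0.113.9:8433 tcp 4096",  # router -> external
    "2024-11-12T03:14:09Z 192.168.1.1:443 -> 192.168.1.50:52211 tcp 900",   # ordinary admin HTTPS
    "2024-11-12T03:15:30Z 198.51.100.7:8433 -> 192.168.1.1:40001 tcp 128",  # external -> router
    "2024-11-12T03:16:02Z 192.168.1.20:8433 -> 192.168.1.30:33000 tcp 64",  # internal only, ignored
    "2024-11-12T03:16:40Z 192.168.1.1:8433 -> 203.0.113.9:8433 udp 64",     # UDP, ignored by assumption
    "this line is not a flow record",
]
SAMPLE_INVENTORY = [
    {"host": "branch-rtr-01", "model": "Cisco RV325"},
    {"host": "branch-rtr-02", "model": "Cisco RV340"},
    {"host": "lab-fw-01", "model": "Netgear ProSafe FVS336G"},
]

if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_FLOWS, ["192.168.0.0/16"]):
        print(f"port-{SUSPECT_PORT} perimeter flow: {f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport} ({f.nbytes} bytes)")
    for row in eol_assets(SAMPLE_INVENTORY):
        print(f"EOL edge device: {row['host']} ({row['model']})")
```

A port number on its own is a weak indicator, so the perimeter filter matters: only flows where one endpoint is a managed router address and the other is outside the organization are reported, which is the relay pattern the article describes. The inventory check is the cheaper and more durable control, since a router that no longer receives updates stays exposed regardless of which port the next implant chooses.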
The STRIKE team recommends that government agencies address weaknesses such as the continued use of legacy devices within critical infrastructure, to reduce the number of potential vulnerabilities and entry points available to cybercriminal and state-sponsored groups.