{"id":836,"date":"2024-11-13T10:58:35","date_gmt":"2024-11-13T10:58:35","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=836"},"modified":"2024-11-13T10:58:35","modified_gmt":"2024-11-13T10:58:35","slug":"volt-typhoon-returns-with-fresh-botnet-attacks-on-critical-us-infrastructure","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=836","title":{"rendered":"Volt Typhoon returns with fresh botnet attacks on critical US infrastructure"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Volt Typhoon, a China-linked cyber-espionage group, has renewed its assault on US infrastructure through an advanced botnet operation, compromising end-of-life Cisco and Netgear routers to gain a foothold in critical networks.<\/p>\n<p>The campaign marks an escalation: the group is targeting end-of-life routers that no longer receive security updates and therefore cannot be patched, according to SecurityScorecard\u2019s <a href=\"https:\/\/securityscorecard.com\/blog\/botnet-is-back-ssc-strike-team-uncovers-a-renewed-cyber-threat\/\">recent report<\/a>.<\/p>\n<p>This renewed activity comes nearly ten months after <a href=\"https:\/\/www.csoonline.com\/article\/1303097\/us-security-agencies-terminate-china-backed-hacking-attempt.html\">US authorities dismantled<\/a> parts of the group\u2019s botnet, which had initially targeted US energy, water, and telecommunications networks.<\/p>\n<p>At the time, the DOJ said that the authorities had \u201cremoved the malware from US-based victim routers and taken steps to prevent reinfection.\u201d<\/p>\n<p>\u201cThe Justice Department has disrupted a PRC-backed hacking group that attempted to target America\u2019s critical infrastructure utilizing a botnet,\u201d Attorney General Merrick B. 
 Garland had said, referring to Volt Typhoon.<\/p>\n<p>However, Volt Typhoon has returned with new vigor, according to researchers at SecurityScorecard.<\/p>\n<p>\u201cOnce thought dismantled, Volt Typhoon has returned, more sophisticated and determined than ever,\u201d Ryan Sherstobitoff, SVP of threat research at SecurityScorecard, said in the report.<\/p>\n<p>Sherstobitoff\u2019s team has identified Volt Typhoon exploiting Cisco RV320\/325 routers and Netgear ProSafe devices, which are often overlooked because of their legacy status.<\/p>\n<p>\u201cThese end-of-life devices become perfect entry points,\u201d he noted, explaining that within 37 days the attackers compromised around 30% of the internet-visible Cisco RV320\/325 routers.<\/p>\n<h2 class=\"wp-block-heading\">The modus operandi<\/h2>\n<p>Volt Typhoon\u2019s strategy is defined by resilience and adaptability. Instead of retreating when detected, the group digs in further, exploiting long-overlooked vulnerabilities in legacy Cisco RV320\/325 and Netgear ProSafe routers. Because these models no longer receive firmware fixes, the only durable remediation is to replace them rather than wait for a patch.<\/p>\n<p>The PRC-backed group\u2019s botnet infrastructure is built to avoid detection. It uses servers across Europe and Asia-Pacific to mask its command-and-control (C2) operations. 
 The group routes traffic through network providers in countries such as the Netherlands, Latvia, and Germany, the report said.<\/p>\n<p>\u201cEvery layer of Volt Typhoon\u2019s infrastructure is designed to blend malicious activities into everyday operations, making them difficult to detect and even harder to remove \u2014 especially in sectors like governments and critical infrastructure that still depend on outdated technology,\u201d the report added.<\/p>\n<p>The research firm\u2019s STRIKE team found that Volt Typhoon\u2019s botnet spans global networks and relies on a cluster of SSL certificates the team labels JDYFJ to encrypt its communications and frustrate attribution.<\/p>\n<p>By routing traffic through C2 servers in Europe and encrypting it, the botnet blends in with ordinary network activity. For defenders, that means hunting on connection metadata such as certificate fingerprints, issuer strings, and destination infrastructure rather than on payload contents. The group\u2019s malicious infrastructure also incorporates a VPN device in New Caledonia, forming a \u201cbridge\u201d between Asia-Pacific and the Americas that lets the network operate quietly, the report added.<\/p>\n<h2 class=\"wp-block-heading\">The unrelenting Volt Typhoon<\/h2>\n<p>SecurityScorecard\u2019s findings follow a string of recent revelations highlighting a broader uptick in Chinese cyber-espionage activity.<\/p>\n<p>Last week, Volt Typhoon was <a href=\"https:\/\/www.reuters.com\/technology\/cybersecurity\/china-state-linked-group-accused-hacking-singtel-bloomberg-news-reports-2024-11-05\/\">reported<\/a> to have breached Singapore Telecommunications as a prelude to further intrusions targeting US telecoms. 
 In August, Lumen Technologies reported that Volt Typhoon had exploited a <a href=\"https:\/\/www.csoonline.com\/article\/3497078\/chinas-volt-typhoon-exploits-versa-zero-day-to-hack-us-isps-and-it-firms.html\">vulnerability in Versa Director<\/a>, Versa\u2019s SD-WAN management platform (CVE-2024-39717), to plant credential-stealing web shells in compromised networks.<\/p>\n<p>In February, US cybersecurity officials, along with their allies in Australia, Canada, the UK, and New Zealand, <a href=\"https:\/\/www.csoonline.com\/article\/1306501\/china-backed-volt-typhoon-preparing-wave-of-attacks.html\">issued a joint warning<\/a> regarding Volt Typhoon. They assessed that the group was pre-positioning itself on critical-infrastructure networks so that it could launch disruptive attacks in the event of heightened tensions between Beijing and Washington. The warning emphasizes the group\u2019s capability and readiness to disrupt vital systems, with potential implications for national security.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Volt Typhoon, a China-linked cyber-espionage group, has renewed its assault on US infrastructure through an advanced botnet operation, exploiting outdated Cisco and Netgear routers to breach critical networks. Volt Typhoon\u2019s tactics mark a sophisticated escalation, as its hackers leverage end-of-life routers that no longer receive security updates, according to SecurityScorecard\u2019s recent report. 
This renewed activity [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":837,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-836","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/836"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=836"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/836\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/837"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}