Chinese Hackers Rebuild KV-Botnet: Cisco and Netgear Routers Under Attack
The Chinese hacker group Volt Typhoon has resurfaced, rebuilding its KV-Botnet, which was dismantled by U.S. law enforcement in January. According to SecurityScorecard, this group has been engaged in cyber-espionage for over five years, targeting critical infrastructure in the United States and other countries.
Volt Typhoon exploits vulnerable devices, such as Netgear ProSAFE routers, Cisco RV320, and Axis IP cameras. The cybercriminals install malware that enables stealthy access to targeted networks, allowing them to maintain persistent entry.
In January 2024, U.S. authorities managed to temporarily halt the group’s activities by clearing the malware from compromised devices. However, by August, signs emerged that the hackers had returned, leveraging a newly discovered vulnerability.
Recent data indicates that Volt Typhoon has resumed its operations, reconstituting the botnet by infecting outdated Cisco and Netgear routers. In just over a month, the hackers succeeded in compromising a substantial number of devices. They deploy MIPS-based malware and web shells operating on non-standard ports, complicating detection efforts.
Since September, the hackers have been actively compromising devices in Asia, establishing a new network of infected devices. SecurityScorecard has labeled this botnet the “JDYFJ Botnet,” based on a self-signed SSL certificate found on infected systems. The primary targets are Cisco RV320/325 routers and Netgear ProSafe devices.
Within 37 days, Volt Typhoon had infected nearly 30% of all internet-accessible Cisco RV320/325 devices. Experts are uncertain which specific vulnerabilities are being exploited but suspect the lack of updates for these legacy devices as a contributing factor.
The botnet’s C2 servers are registered on platforms like Digital Ocean, Quadranet, and Vultr, enabling the group to construct a more resilient network. Additionally, the hackers are utilizing a compromised VPN device in New Caledonia to discreetly route traffic between Asia and America.
Specialists suggest that the strategic choice of this device is due to its convenient geographic position, complicating efforts to trace the attackers. Although the Volt Typhoon botnet is currently less extensive than before, the hackers persist in advancing their attacks.
To mitigate such threats, experts recommend replacing outdated routers with newer models, placing them behind firewalls, disabling remote access settings, and changing default administrative passwords. For modern devices, it is crucial to regularly update firmware to address vulnerabilities.
