After the FBI takedown, KV-Botnet operators change tactics in an attempt to recover

Chinese KV botnet

The threat actors behind the KV botnet made “behavioral modifications” to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity.

KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices around the world, with a specific cluster serving as a covert data transfer system for other Chinese state-sponsored actors, including Volt Typhoon (aka Bronze Silhouette, Insidious Taurus or Vanguard Panda).

Active since at least February 2022, it was first documented by Lumen Technologies’ Black Lotus Labs team in mid-December 2023. The botnet is known to comprise two major subgroups, viz. KV and JDY, the latter used primarily for scanning potential targets for reconnaissance.

Late last month, the US government announced a court-authorized disruption operation to dismantle the KV cluster, which is typically reserved for manual operations against high-profile targets chosen after a broader scan via the JDY subgroup.


Now, according to the cybersecurity firm’s new findings, the JDY cluster went quiet for about a fortnight after public disclosure and as a byproduct of the US Federal Bureau of Investigation’s (FBI) operation.

“In mid-December 2023, we observed this cluster of activity hovering around 1,500 active bots,” said security researcher Ryan English. “When we sampled the size of this cluster in mid-January 2024, its size shrank to approximately 650 bots.”

Given that the takedown actions began with a signed warrant issued on December 6, 2023, it is fair to assume that the FBI began broadcasting commands to routers located in the United States on or after that date to wipe the botnet payload and prevent the devices from being re-infected.

“We have observed operators of the KV botnet begin to restructure, engaging in eight consecutive hours of activity on December 8, 2023, nearly ten hours of operations the next day, December 9, 2023, followed by one hour on December 11, 2023,” Lumen said in a technical report shared with The Hacker News.

During this four-day period, the threat actor was spotted interacting with 3,045 unique IP addresses associated with NETGEAR ProSAFE (2,158), Cisco RV 320/325 (310), Axis IP cameras (29), DrayTek Vigor routers (17) and other unidentified devices (531).

A massive spike in exploitation attempts against payload servers was also observed in early December 2023, indicating likely adversary attempts to re-exploit devices once they detected their infrastructure was offline. Lumen said it also took steps to null-route another set of backup servers that became operational around the same time.


It is worth noting that operators of the KV botnet are known to perform their own reconnaissance and targeting, while also supporting multiple groups such as Volt Typhoon. Interestingly, the timestamps associated with bot exploitation correlate with working hours in China.

“Our telemetry indicates that there were administrative connections into known payload servers from IP addresses associated with China Telecom,” Danny Adamitis, principal cybersecurity engineer at Black Lotus Labs, told The Hacker News.


Additionally, the US Department of Justice statement describes the botnet as controlled by “state-sponsored hackers from the People’s Republic of China (PRC).”

This raises the possibility that the botnet “was created by an organization that supports the Volt Typhoon hackers; whereas if the botnet was created by the Volt Typhoon, we suspect they would have said ‘nation-state’ actors,” Adamitis added.

There are also signs that the threat actors created a third, related but distinct botnet cluster called x.sh as early as January 2023, composed of infected Cisco routers deploying a web shell called “fys.sh,” as highlighted by SecurityScorecard last month.


But since the KV botnet is just “a form of infrastructure used by Volt Typhoon to obfuscate its activity,” the recent spate of actions is expected to push the state-sponsored actors to move to another covert network to satisfy their strategic goals.

“A significant percentage of all networking equipment in use around the world is working fine, but is no longer supported,” English said. “End users are faced with a difficult financial choice when a device reaches that point, and many aren’t even aware that a router or firewall is at the end of its supported life.

“Advanced threat actors are well aware that this represents fertile ground for exploitation. Replacing unsupported devices is always the best choice, but not always feasible.”

“Mitigation involves defenders adding their edge devices to the long list of those that already need to apply patches and updates as frequently as available, rebooting devices and configuring EDR or SASE solutions where applicable, and keeping an eye on large data transfers off the network. Geofencing is not a defense you can rely on when the threat actor can jump from somewhere nearby.”
