A sophisticated botnet identified as the KV-botnet is exploiting vulnerabilities in devices from well-known manufacturers—specifically Cisco, DrayTek, Fortinet, and NETGEAR—to create a covert data transfer network. This network is being utilized by advanced persistent threat (APT) actors, including the China-linked group known as Volt Typhoon.

According to Black Lotus Labs from Lumen Technologies, this botnet is a combination of two clusters of activity, referred to as KV and JDY, which have been operational since at least February 2022. The campaign targets devices at the network perimeter, an area that has become increasingly vulnerable due to the rise of remote work, allowing attackers to exploit weaknesses in enterprise defenses.

The two clusters complement each other, and telemetry data indicates the botnet is operated from IP addresses within China. The JDY cluster is characterized by broad scanning using less advanced techniques, while the KV component is built largely from end-of-life hardware and software and is reserved for hands-on operations against high-profile organizations.

There are indications that Volt Typhoon is among the users of the KV-botnet, which serves as part of its operational framework. Recent monitoring revealed a notable reduction in Volt Typhoon’s activities in June and early July 2023, aligning with public disclosures regarding its attempts to compromise critical U.S. infrastructure.

Microsoft initially shed light on the tactics employed by these threat actors, revealing that they attempt to blend into standard network traffic by routing through compromised small office and home office (SOHO) devices, including routers, firewalls, and VPN hardware. The precise mechanism of initial infection remains unclear, but subsequent malware stages work to eliminate security software to maintain their presence on the infected machines.

The malware is designed to retrieve its primary payload from a remote server; that payload establishes communications with the server and supports actions such as file upload and remote command execution. Recent updates to the botnet infrastructure add targeting of Axis IP cameras, signaling a potential expansion of the campaign's scope.

Because the malware runs entirely in memory, it leaves little on-disk evidence, which complicates detection; the same property means that power cycling the device is enough to completely eradicate the infection. While this provides immediate relief, re-infection remains a frequent occurrence due to the botnet's persistent nature.

This alarming development comes alongside reports from The Washington Post highlighting that Volt Typhoon has infiltrated multiple critical sectors across the U.S., including energy, water utilities, and communication systems. The hackers tend to obscure their tracks by routing attacks through seemingly innocuous devices, complicating detection and response efforts.
