The threat actors that created the KV botnet made "behavioral changes" to the harmful network. This is due to the fact that US law enforcement began issuing directives to neutralize the activity.
KV-botnet refers to a global network of hacked small office and home office (SOHO) routers and firewalls. In the meantime, one cluster serves as a clandestine data transmission infrastructure for other Chinese state-sponsored entities. These actors involve—
- Volt Typhoon
- Bronze Silhouette
- Insidious Taurus
- Vanguard Panda
KV-botnet has been active since February 2022. In mid-December 2023, the Black Lotus Labs team at Lumen Technologies documented it for the first time. The botnet is made up of two major subgroups. They are as follows:
- viz. KV
- JDY
Last month, the US government unveiled a court-approved disruption campaign. It was focused on bringing down the KV cluster. Typically, the cluster was used for manual operations against high-profile targets. Following the larger scanning, the JDY sub-group picked all of them.
According to the cybersecurity firm's latest findings, the JDY cluster became silent for around fifteen days following public revelation and the FBI investigation.
Ryan English, a security researcher, stated, "In mid-December 2023, we discovered this activity cluster of roughly 1,500 active bots. When we tested the size of this cluster in mid-January 2024, it had shrunk to around 650 bots.
The takedown actions began with a signed warrant. The warrant was issued on December 6, 2023. So it's reasonable to infer that the FBI began broadcasting directives to routers in the United States. After that date, the botnet payload is removed, preventing infection from occurring again.
Lumen stated in a technical study provided with The Hacker News that "we observed the KV-botnet operators begin to restructure, committing eight straight hours of activity on December 8, 2023, nearly ten hours of operations the following day on December 9, 2023, followed by one hour on December 11, 2023."
Over four days, the threat actor was seen engaging with over 3000 distinct IP addresses. These IP addresses were related to—
- NETGEAR ProSAFEs (2,158)
- Cisco RV320/325 (310)
- Axis IP cameras (29)
- DrayTek Vigor routers (17)
- Other unidentified devices (531)
In early December 2023, the payload server saw an increase in overall exploitation attempts. It suggests that the adversary will most likely seek to re-exploit the devices. They pledged to take their infrastructure offline. According to Lumen, "it also took steps to null-route another set of backup servers that became operational around the same time."
The operators of the KV-botnet are well-known because-
- Performing their reconnaissance
- Targeting
- Supporting multiple groups like Volt Typhoon.
Interestingly, the timestamps connected with bot exploitation correspond to Chinese business hours.
Danny Adamitis, chief information security engineer at Black Lotus Labs, told The Hacker News: "Our telemetry indicates that there were administrative connections into the known payload servers from IP addresses associated with China Telecom."
Furthermore, according to a news release from the US Justice Department, "the botnet is managed by "People's Republic of China (PRC) state-sponsored hackers."
Adamitis went on to say, "This raises the possibility that the botnet was created by an organization supporting the Volt Typhoon hackers; whereas if the botnet was created by Volt Typhoon, we suspect they would have said 'nation-state' actors."
Aside from that, you may locate certain signals relating to threat actors. In January 2023, they built a third botnet cluster, x.sh, which is linked yet unique. It was made up of compromised Cisco routers and used a web shell called "fys.sh." Last month, SecurityScorecard highlighted each of these crucial points.
Volt Typhoon employed just one type of infrastructure to conceal its operation. It is also predicted that the new wave of activities will alert advanced persistent threat (APT) actors. The primary goal is probably to migrate to another clandestine network while also achieving their strategic objectives.
English stated, "A considerable portion of all networking equipment in use throughout the world is completely functional but no longer maintained. When a device hits that threshold, end customers face a tough financial decision, and many are unaware that their router or firewall is no longer supported."
Advanced threat actors understand that this is ripe terrain for exploitation. According to them, "Replacing unsupported devices is always the best choice, but it is not always feasible."
Mitigation is all about defenders adding their edge devices to the lengthy list of vulnerability fixes. Additionally, it is concerned with-
- Updating devices when they are available
- Rebooting devices
- Configuration of EDR or SASE solutions where applicable
- Keeping an eye on large data transfers out of the network
So, geofencing is not a viable protection when a dangerous actor can jump from a neighboring site.