
China-linked attack targets 260,000 devices, FBI confirms

A new joint cybersecurity advisory issued by the Federal Bureau of Investigation, the Cyber National Mission Force, and the National Security Agency details new activity by the China-linked threat actor tracked as Flax Typhoon.

The group took control of more than 260,000 small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) devices, and Internet of Things (IoT) devices, building a botnet capable of conducting Distributed Denial of Service (DDoS) attacks or targeted intrusions against U.S. networks.

Who is Flax Typhoon?

Flax Typhoon, also known as RedJuliett and Ethereal Panda, is a China-based threat actor that has been active since at least mid-2021, according to Microsoft. The tech giant said Flax Typhoon targeted Taiwan-based organizations as well as other victims in Southeast Asia, North America, and Africa for cyberespionage purposes.

According to the joint advisory, the activity is run through the Chinese company Integrity Technology Group (Integrity Tech), which has ties to the Chinese government.

Flax Typhoon used several IP addresses from the Chinese provider China Unicom Beijing Province to control and manage the botnet. The group also used these addresses to access other operational infrastructure involved in computer intrusion operations targeting U.S. entities.

Other reports show that, in recent years, threat actors operating from China have attacked businesses and governments around the world.


“Raptor Train” botnet

Black Lotus Labs, a threat intelligence team at cybersecurity firm Lumen, published a report on the Flax Typhoon breach of SOHO routers and other devices. They named the resulting botnet “Raptor Train” and tracked it for four years.

The affected devices were infected with a variant of the Mirai malware family. Mirai's source code is publicly available and easy to modify, which makes it a weapon of choice for attackers targeting IoT devices.

In the variant observed by the FBI, the malware automates the compromise of many device types by exploiting known vulnerabilities. The oldest exploited vulnerabilities date back to 2015; the most recent was disclosed in July 2024. Once a device is compromised, it sends system and network information to a command-and-control (C2) server operated by the attacker.

As of September 2024, more than 80 subdomains of the w8510.com domain were associated with the botnet.
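A practical first check for defenders is to search DNS query logs for any name under the C2 domain named in the advisory. The following is an added example (not code from the advisory or from TechRepublic) that does this over a few constructed resolver log lines; the three-field log layout (timestamp, client IP, query name) is an assumption. It matches on label boundaries, so lookalikes such as `notw8510.com` or `w8510.com.evil.example` are not flagged, while `W8510.COM.` and deeper subdomains are:

```python
"""Flag DNS queries for subdomains of a known C2 domain.

Added example, not from the FBI advisory or the article. The log lines
are constructed to resemble a simple resolver query log; the field layout
(timestamp, client IP, query name) is an assumption.
"""
from collections import defaultdict

# w8510.com is the domain named in the advisory; extend with your own IOC list.
C2_DOMAINS = {"w8510.com"}

# Constructed sample log: "<timestamp> <client_ip> <qname>"
SAMPLE_LOG = """\
2024-09-18T10:01:02Z 10.0.5.23 www.example.com
2024-09-18T10:01:05Z 10.0.5.41 abc.w8510.com
2024-09-18T10:01:07Z 10.0.5.23 notw8510.com
2024-09-18T10:01:09Z 10.0.5.41 W8510.COM.
2024-09-18T10:01:11Z 10.0.5.77 deep.sub.w8510.com
2024-09-18T10:01:12Z 10.0.5.23 w8510.com.evil.example
"""


def normalize(qname):
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return qname.rstrip(".").lower()


def matches_c2(qname, c2_domains=C2_DOMAINS):
    """True if qname is a C2 domain or one of its subdomains.

    The '.' + domain suffix check enforces a label boundary, so
    'notw8510.com' does not match 'w8510.com'.
    """
    name = normalize(qname)
    for dom in c2_domains:
        dom = normalize(dom)
        if name == dom or name.endswith("." + dom):
            return True
    return False


def parse_line(line):
    """Split one log line into (timestamp, client_ip, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return tuple(parts)


def find_c2_clients(log_text, c2_domains=C2_DOMAINS):
    """Return {client_ip: sorted list of matched names} for hosts resolving C2 names."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname = rec
        if matches_c2(qname, c2_domains):
            hits[client].add(normalize(qname))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_c2_clients(SAMPLE_LOG).items()):
        print(f"{client}: {', '.join(names)}")
```

On the constructed log, 10.0.5.41 and 10.0.5.77 are reported and 10.0.5.23 is not. Any internal host that shows up here should be treated as a candidate compromised device and taken through the reboot-and-patch steps the advisory recommends.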

Nearly half of the affected devices are located in the US

As of June 2024, the management servers running the front-end software called "Sparrow," which the attackers use to control infected devices, contained more than 1.2 million records of compromised devices, including more than 385,000 unique devices in the U.S.

A count of infected devices conducted in June 2024 showed that almost half (47.9%) were located in the United States, followed by Vietnam (8%) and Germany (7.2%).

[Chart] Number of infected devices by country in June 2024. Image: IC3.gov

More than 50 Linux operating system versions were affected, from unsupported, end-of-life releases to currently supported ones, running Linux kernel versions 2.6 through 5.4.

The Sparrow interface allowed the attackers not only to enumerate infected devices, but also to manage vulnerability exploitation, upload and download files, execute remote commands, and customize IoT-based DDoS attacks at scale.

The devices infected by the botnet span multiple brands, including ASUS, TP-LINK, and Zyxel routers. IP cameras from D-LINK (DCS series), Hikvision, Mobotix, NUUO, AXIS, and Panasonic were also attacked, as were NAS devices from QNAP, Synology, Fujitsu, and Zyxel.

FBI Director Christopher Wray announced in his opening remarks at the 2024 Aspen Cyber Summit that a court had authorized the FBI to issue commands to the malware to remove it from infected devices.

How businesses can protect themselves from Flax Typhoon

The FBI recommends that you take the following actions immediately:

  • Disable unused services and ports on routers and IoT devices. Services such as Universal Plug and Play (UPnP) or file sharing can be abused by attackers, so any service that is not needed should be disabled.
  • Implement network segmentation so that a compromised IoT device cannot reach the rest of the network. Apply the principle of least privilege so that devices can only perform their intended functions.
  • Monitor for unusually high network traffic volumes. Organizations should be prepared for abnormal traffic that could indicate a DDoS attack, whether inbound or originating from their own devices.
  • Deploy patches and updates for all operating systems, software, and firmware. Regular patching reduces the risk of known vulnerabilities being exploited.
  • Replace default device passwords with strong ones so that an attacker cannot simply log in using default credentials.

The federal agency also suggested that companies plan periodic device reboots, which remove fileless malware running only in memory, and replace end-of-life hardware with devices that still receive vendor support.
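The traffic-monitoring recommendation above is easiest to act on when each device is compared against its own history rather than a single global threshold, because a NAS that legitimately pushes tens of megabytes a minute would otherwise drown out a camera that suddenly starts flooding. The following is an added example (not from the advisory or the article) that computes a robust per-host baseline (median plus a multiple of the median absolute deviation) from aggregated per-minute egress totals and flags the latest window when it exceeds both that baseline and an absolute floor. The flow records are constructed, and the floor and multiplier values are assumptions to tune per network:

```python
"""Flag hosts whose outbound traffic jumps far above their own baseline.

Added example, not from the FBI advisory or the article. Records are
constructed to look like aggregated flow exports: (window, src_ip, bytes_out).
MIN_ABS_BYTES and MAD_MULTIPLIER are assumed values to tune per network.
"""
from collections import defaultdict
from statistics import median

# Constructed per-minute egress totals. 10.0.5.41 (a low-volume camera)
# suddenly pushes DDoS-like volume in the last window; 10.0.5.90 (a busy
# file server) is above the absolute floor but within its own normal range.
SAMPLE_FLOWS = [
    ("10:00", "10.0.5.23", 1_200_000), ("10:00", "10.0.5.41", 30_000),
    ("10:00", "10.0.5.77", 800_000),   ("10:00", "10.0.5.90", 60_000_000),
    ("10:01", "10.0.5.23", 1_150_000), ("10:01", "10.0.5.41", 28_000),
    ("10:01", "10.0.5.77", 820_000),   ("10:01", "10.0.5.90", 58_000_000),
    ("10:02", "10.0.5.23", 1_300_000), ("10:02", "10.0.5.41", 31_000),
    ("10:02", "10.0.5.77", 790_000),   ("10:02", "10.0.5.90", 62_000_000),
    ("10:03", "10.0.5.23", 1_250_000), ("10:03", "10.0.5.41", 29_000),
    ("10:03", "10.0.5.77", 810_000),   ("10:03", "10.0.5.90", 61_000_000),
    ("10:04", "10.0.5.23", 1_400_000), ("10:04", "10.0.5.41", 95_000_000),
    ("10:04", "10.0.5.77", 805_000),   ("10:04", "10.0.5.90", 68_000_000),
]

# Assumed floor: ignore spikes below 10 MB/min (about 1.3 Mbit/s sustained),
# so chatty-but-harmless devices with tiny baselines do not page anyone.
MIN_ABS_BYTES = 10_000_000
# Assumed sensitivity: how many MADs above the median counts as abnormal.
MAD_MULTIPLIER = 10


def baseline(values):
    """Robust baseline: median and median absolute deviation (MAD)."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def flag_spikes(flows, min_abs_bytes=MIN_ABS_BYTES, k=MAD_MULTIPLIER):
    """Return {src_ip: (window, bytes, threshold)} for hosts whose latest
    window exceeds both the absolute floor and median + k*MAD of their
    earlier windows. Hosts with fewer than three windows are skipped."""
    per_host = defaultdict(list)
    for window, src, nbytes in flows:
        per_host[src].append((window, nbytes))

    alerts = {}
    for src, series in per_host.items():
        series.sort()  # window labels are zero-padded, so string order is time order
        if len(series) < 3:
            continue  # not enough history to build a baseline
        history = [b for _, b in series[:-1]]
        latest_window, latest = series[-1]
        med, mad = baseline(history)
        threshold = max(min_abs_bytes, med + k * mad)
        if latest > threshold:
            alerts[src] = (latest_window, latest, threshold)
    return alerts


if __name__ == "__main__":
    for src, (window, nbytes, threshold) in sorted(flag_spikes(SAMPLE_FLOWS).items()):
        print(f"ALERT {src} window={window} bytes={nbytes:,} threshold={threshold:,.0f}")
```

On the constructed data only 10.0.5.41 is reported: its 95 MB minute is far above both the floor and its sub-40 KB baseline, while 10.0.5.90's 68 MB minute clears the floor but stays under its own median-plus-10-MAD threshold of about 70.5 MB. In production the per-host history would come from a flow collector and the latest window would be evaluated as each export arrives.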

Disclosure: I work at Trend Micro but the views expressed in this article are my own.