A New KV-Botnet Is Using Stealthy Attacks to Target Cisco, DrayTek, and Fortinet Devices
Since at least 2022, a highly capable botnet known as the “KV-botnet” has been associated with Volt Typhoon (also tracked as Bronze Silhouette), a Chinese state-sponsored APT group. The botnet is built from compromised SOHO routers and is used as a covert relay network in operations against high-value targets.
Background:
Volt Typhoon frequently uses routers, firewalls, and VPN equipment as proxies for malicious traffic, blending it in with acceptable traffic to avoid detection.
The KV-botnet is made up of end-of-life SOHO devices. In early July and August of 2022, the researchers found Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFE devices in the botnet. By November 2022, ProSAFE devices made up the majority of the bots, with a smaller proportion being DrayTek routers. In November 2023, the analysts observed the botnet begin targeting Axis IP cameras, including the M1045-LW, M1065-LW, and P1367-E.
KV Botnet:
The KV-botnet works by infecting a large number of devices, producing a distributed network that can be managed remotely. Such a network of compromised devices lets the operator route its own traffic through the victims (the proxy use described above); botnets of this kind are also used for distributed denial-of-service (DDoS) attacks, malware distribution, and phishing operations.
The ability of the KV-botnet to adapt and evolve is one of its distinguishing characteristics. It uses evasion techniques that sidestep typical security controls, making it a difficult adversary for defenders. It exploits flaws in obsolete software on unpatched devices, and may also employ social engineering tactics to lure users into downloading harmful files.
The botnet, which is administered from IP addresses in China, may be divided into two groups: the “KY” cluster, which involves manual attacks against high-value targets, and the “JDY” cluster, which involves broader targeting and less advanced approaches.
So far, the majority of KV-botnet infections fall under the latter category. That said, the botnet has brushed up against a number of previously unreported high-profile targets, including a judicial institution, a satellite network provider, and military agencies in the United States, as well as a European renewable energy company.
Fig: Two separate clusters of activity linked to KV-botnet (Source: Lumen)
The exact initial infection mechanism used to compromise the devices is unknown at this time. The first-stage malware immediately removes security programs and competing malware strains so that it is the only presence on the device.
It is also designed to retrieve the main payload from a remote server; that payload can upload and download data, run commands, and execute additional modules, in addition to beaconing back to the same server.
Risks and Impact:
Individuals and organizations alike are at risk from the KV-botnet. A botnet of this size can perform large-scale DDoS attacks that bring websites and online services to a halt, causing downtime and financial losses. Its involvement in malware distribution can also lead to data breaches, identity theft, and other crimes.
Use of the KV-botnet for phishing activity is another concern. By tricking users into disclosing sensitive information such as login credentials or financial details, the botnet can support a variety of fraudulent operations, compromising the security of individuals and enterprises.
Mitigation:
Individuals and organizations must take proactive cybersecurity measures to guard against the KV-botnet and similar threats. Below are important considerations for protecting networks against compromise by Volt Typhoon and other actors that rely on sophisticated obfuscation networks such as the KV-botnet.
- Monitor for substantial data transfers leaving the network, even when the destination IP address is in the same geographic region: the botnet's relays are compromised SOHO devices, so a malicious hop can look like ordinary local traffic.
- Evaluate the adoption of a comprehensive Secure Access Service Edge (SASE) or similar solution to improve the security posture and support robust detection of network-based communications.
- Follow best practices, including regular router reboots (the implant runs in memory, so a reboot removes it until the device is reinfected) and prompt installation of security updates and patches. Run properly configured and updated Endpoint Detection and Response (EDR) on hosts, and keep software current with vendor patches where applicable.
- Educate users about the dangers of phishing and encourage them to report suspicious emails promptly.
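The first monitoring recommendation above, and the IOC list at the end of this page, can be turned into a simple egress check. The following is an added example written for this page, not code from Lumen or from the original article: it refangs a subset of the page's defanged IOCs, then runs two rules over constructed flow records (source, destination, bytes out): a hit on any known KV-botnet address, and an aggregate outbound volume above a threshold regardless of where the destination sits. The flow records, the private-range list, and the 500 MB threshold are assumptions for illustration; tune them for a real environment.

```python
"""Egress check: flag known KV-botnet IOCs and large outbound transfers.

Added example (not from the Lumen report or the original page). The IOC
values are copied from this page's defanged IOC list; the flow records and
the byte threshold are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Defanged IOCs copied from the page's IOC list (subset); refang() converts them.
DEFANGED_IOCS = [
    "207.246.100[.]151",
    "66.42.124[.]155",
    "104.156.246[.]150",
    "140.82.20[.]246",
    "45.156.21[.]172",
    "193.36.119[.]48",
]

# Constructed sample egress flow records: (src, dst, bytes_out).
# Assumed fields: only what the heuristic needs; real NetFlow/IPFIX has more.
SAMPLE_FLOWS = [
    ("10.0.5.23", "140.82.20.246", 4_096),        # beacon-sized, but to a known IOC
    ("10.0.5.23", "203.0.113.7", 850_000_000),    # large transfer to a (assumed) same-region address
    ("10.0.5.40", "198.51.100.9", 12_000),        # benign
    ("10.0.5.40", "198.51.100.9", 9_000),
    ("10.0.7.2", "10.0.9.9", 2_000_000_000),      # internal-to-internal, ignored by the egress rule
]

EGRESS_BYTES_THRESHOLD = 500_000_000  # assumed: tune per environment

# Assumed internal ranges (RFC 1918); extend with your own address plan.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(ioc: str) -> str:
    """Turn a defanged '1.2.3[.]4' / 'hxxp' indicator back into a real value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def load_iocs(defanged):
    """Build a set of refanged IOC addresses for exact-match lookups."""
    return {refang(i) for i in defanged}


def detect(flows, iocs, threshold=EGRESS_BYTES_THRESHOLD):
    """Return a list of (rule, src, dst, bytes) findings over egress flows."""
    findings = []
    egress_totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(dst):
            continue  # only traffic leaving the network matters here
        if dst in iocs:
            findings.append(("ioc_match", src, dst, nbytes))
        egress_totals[(src, dst)] += nbytes
    for (src, dst), total in egress_totals.items():
        # Destination geography is deliberately not consulted: KV-botnet relays
        # are compromised SOHO devices that can sit in the victim's own region.
        if total >= threshold:
            findings.append(("large_egress", src, dst, total))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS, load_iocs(DEFANGED_IOCS)):
        print(finding)
```

The IOC rule fires on the small beacon-sized flow, which a pure volume threshold would never catch, while the volume rule fires on the large transfer to an ordinary-looking external address; the two rules are complementary, which is why both are kept. Replace `SAMPLE_FLOWS` with records parsed from your flow collector and the subset of IOCs with the full list from the GitHub file referenced at the end of this page.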
Lastly, collaboration among cybersecurity professionals and the sharing of threat knowledge can be critical in identifying and disarming the KV-Botnet. Our combined efforts to stay ahead of cybercriminals must grow in tandem with the threat landscape.
IOCs:
207.246.100[.]151
66.42.124[.]155
104.156.246[.]150
192.169.6[.]241
149.28.119[.]73
45.32.88[.]250
144.202.43[.]124
108.61.203[.]19
140.82.20[.]246
159.203.72[.]166
108.61.132[.]157
144.202.49[.]189
174.138.56[.]21
159.203.113[.]25
216.128.179[.]235
216.128.180[.]232
155.138.146[.]162
45.156.21[.]172
45.11.92[.]176
193.36.119[.]48
References:
https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/
https://github.com/blacklotuslabs/IOCs/blob/main/KVbotnet_IOCs.txt