‘Volt Typhoon’ Could Be Preparing for Renewed Burst of Activity
A Chinese state hacking group is attacking superseded Cisco routers to target government entities in the United States, the United Kingdom and Australia.
Beijing cyberespionage hackers dubbed “Volt Typhoon” are using vulnerabilities that were first disclosed in early 2019 to construct a botnet composed of Cisco RV320 and RV325 small office and home office routers, says a report from SecurityScorecard. The cybersecurity firm said that over a 37-day period, it observed Volt Typhoon, also known as Bronze Silhouette, compromise nearly one-third of the vulnerable Cisco routers.
The hacking group’s development of new infrastructure suggests “preparation for a period of renewed activity,” the firm warned. SecurityScorecard said it had observed infected routers contacting IP addresses not previously associated with Volt Typhoon.
In 2019, Cisco released two sets of patches – in a period of roughly 10 weeks – for a vulnerability tracked as CVE-2019-1653, which Volt Typhoon likely exploited after finding that the original patch had not resolved the vulnerability. Cisco discontinued the two routers, cutting off new sales in January 2020, and one year later it also stopped issuing firmware updates for new vulnerabilities. SOHO routers are typically easy targets for hackers, given that the vast majority of their owners tend not to install updates. In a 2018 survey of British adults, 86% of respondents said that they never updated their firmware, and 82% said they had continued to use the preconfigured admin password.
Microsoft identified Volt Typhoon in March 2023 and warned that its targets included critical infrastructure in Guam and the United States. Guam is the site of two major American military bases. Microsoft said that the threat actor proxies internet traffic through compromised small office or home office routers in a bid to make itself harder to detect (see: Chinese State Hacker ‘Volt Typhoon’ Targets Guam and US).
New revelations about Chinese hacking activity are a near constant in cybersecurity as makers of security appliances and routers – and Microsoft – find themselves on the losing end of a zero-day contest with Beijing. FBI Director Christopher Wray in September reportedly told a Washington, D.C., cybersecurity conference that “China already has a bigger hacking program than every other major nation combined.”
One indicator of a Volt Typhoon compromise on a router is a previously unspecified web shell, fy.sh. Infected routers retrieve and execute the web shell from a payload server that has been offline since Monday.
SecurityScorecard said it hasn’t found publicly available examples of the fy.sh web shell, although two files with the same name appear on VirusTotal. Those files seem to be unrelated to the Volt Typhoon campaign, it said.
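The fy.sh web shell named above is the kind of indicator a defender can hunt for in egress proxy or firewall logs: an outbound request that fetches a file called fy.sh from an external host, especially when the requesting device is one of the end-of-life RV320/RV325 routers. The script below is an added example written for this article, not code from SecurityScorecard or Cisco. The log format, the sample log lines, the asset inventory and the IP addresses are all constructed for illustration; the payload server and the real victim addresses are not published on this page.

```python
"""Hunt for outbound fetches of the fy.sh web shell in constructed logs.

Assumptions (not from the article): the log line format
"<timestamp> <src_ip> <method> <url> <status>", the sample lines, and the
asset inventory below are all constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Hit:
    line_no: int
    src_ip: str
    url: str
    reason: str


# Constructed sample egress log. 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
2024-01-30T10:00:01Z 192.0.2.10 GET http://example.net/index.html 200
2024-01-30T10:00:07Z 192.0.2.44 GET http://203.0.113.9/fy.sh 200
2024-01-30T10:01:12Z 192.0.2.44 POST http://203.0.113.9/cgi-bin/upload 200
2024-01-30T10:02:30Z 192.0.2.10 GET http://example.net/fy.sh.txt 404
2024-01-30T10:03:00Z 192.0.2.51 GET http://198.51.100.5/FY.SH 200
"""

# Constructed asset inventory mapping internal IP to device model.
INVENTORY = {
    "192.0.2.44": "Cisco RV325",
    "192.0.2.51": "Cisco RV042",
    "192.0.2.10": "workstation",
}

# Models the article says Cisco stopped patching: no firmware fixes since 2021.
EOL_MODELS = {"RV320", "RV325"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Match a path component that is exactly "fy.sh" (optionally followed by a
# query string or fragment); "fy.sh.txt" deliberately does not match.
FY_SH_RE = re.compile(r"/fy\.sh(?:[?#]|$)", re.IGNORECASE)


def find_fy_sh_fetches(log_text: str) -> list[Hit]:
    """Return one Hit per log line whose requested URL fetches fy.sh."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        _ts, src_ip, _method, url, _status = m.groups()
        if FY_SH_RE.search(url):
            hits.append(Hit(n, src_ip, url, "outbound request for fy.sh web shell"))
    return hits


def triage(hits: list[Hit], inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Raise priority when the requesting host is an end-of-life RV320/RV325.

    Returns (src_ip, model, priority) tuples; unknown hosts stay at medium
    priority because the indicator alone is still worth a look.
    """
    results = []
    for h in hits:
        model = inventory.get(h.src_ip, "unknown")
        is_eol = any(eol in model for eol in EOL_MODELS)
        priority = "high" if is_eol else "medium"
        results.append((h.src_ip, model, priority))
    return results


if __name__ == "__main__":
    for src_ip, model, priority in triage(find_fy_sh_fetches(SAMPLE_LOG), INVENTORY):
        print(f"{priority.upper():6} {src_ip:12} {model}")
```

Run it against real exports by replacing SAMPLE_LOG with the contents of your proxy or firewall log and INVENTORY with your asset database; the two functions are separated so that the detection can be reused against a different log format by swapping LINE_RE alone.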
In December, Lumen’s Black Lotus Labs spotted Volt Typhoon activity. It said hackers had used Netgear ProSafe firewalls from July 2022 through February 2023 to act as relay nodes for networks compromised by the Chinese state hackers.