Category: IT|Sep 19, 2024 | Author: Admin

Chinese botnet infects 260,000 SOHO routers, IP cameras with malware


The FBI and cybersecurity researchers have disrupted a massive Chinese botnet called “Raptor Train” that infected over 260,000 networking devices to target critical infrastructure in the US and in other countries.

 

The botnet has been used to target entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, mainly in the US and Taiwan.

 

Over four years, Raptor Train has grown into a complex, multi-tiered network with an enterprise-grade control system for handling tens of servers and a large number of infected SOHO and consumer devices: routers and modems, NVRs and DVRs, IP cameras, and network-attached storage (NAS) servers.

 

Multi-tiered botnet


Raptor Train started in May 2020 and appears to have remained under the radar until last year when it was discovered by researchers at Black Lotus Labs, the threat research and operations arm at Lumen Technologies, while investigating compromised routers.

 

While the primary payload is a variant of the Mirai malware for distributed denial-of-service (DDoS) attacks, which the researchers call Nosedive, the botnet has not been seen deploying such attacks.

 

In a report today, the researchers describe three tiers of activity within Raptor Train, each for specific operations, e.g. sending out tasks, managing exploitation or payload servers, and command and control (C2) systems.

 

The number of active compromised devices in the botnet fluctuates, but researchers believe that more than 200,000 systems have been infected by Raptor Train since it started in May 2020, and that it controlled over 60,000 devices at its peak in June last year.

 

At the moment, Black Lotus Labs is tracking around the same number of active infected devices, fluctuating by a few thousand since August.

 

In an alert today about the same botnet, the FBI notes that Raptor Train infected more than 260,000 devices.

 

Speaking at the Aspen Cyber Summit earlier this month, FBI Director Christopher Wray said that Flax Typhoon worked at the direction of the Chinese government.

 

To remove the threat, the FBI executed court-authorized operations that led to taking control of the botnet infrastructure. In response, Flax Typhoon tried to migrate infected devices to new servers "and even conducted a DDoS attack against us," Wray said.

 

"Ultimately as part of this operation we were able to identify thousands of infected devices, and then with court authorization, issued commands to remove malware from them, prying them from China's grip" - Christopher Wray

In a MySQL database retrieved from an upstream management server (Tier 3), the FBI found that in June this year, there were more than 1.2 million records of compromised devices (active and previously compromised), with 385,000 unique systems in the U.S.

 

The FBI also connected the botnet to the Flax Typhoon state-sponsored hackers, saying that the control of Raptor Train was done through the Chinese company Integrity Technology Group (Integrity Tech) using China Unicom Beijing Province Network IP addresses.

 

With an architecture that can handle more than 60 C2s and the bots they manage, Raptor Train typically has tens of thousands of active Tier 1 devices when engaged in campaigns:

Modems/Routers: ActionTec PK5000, ASUS RT-*/GT-*/ZenWifi, TP-LINK, DrayTek Vigor, Tenda Wireless, Ruijie, Zyxel USG*, Ruckus Wireless, VNPT iGate, Mikrotik, TOTOLINK

IP Cameras: D-LINK DCS-*, Hikvision, Mobotix, NUUO, AXIS, Panasonic

NVR/DVR: Shenzhen TVT NVRs/DVRs

NAS devices: QNAP (TS Series), Fujitsu, Synology, Zyxel


The researchers say that Raptor Train operators likely add devices to Tier 1 by “exploiting more than 20 different device types with both 0-day and n-day (known) vulnerabilities.”

 

Because Nosedive payloads do not have a persistence mechanism, these devices stay in the botnet for about 17 days and the operators recruit new ones as needed.

 

The Tier 2 network is for command and control, exploitation, and payload servers for Tier 1 devices.

 

Black Lotus Labs distinguishes between first-stage and second-stage payload servers, with the former delivering a more generic payload and the latter engaging in more targeted attacks on specific device types.

 

The researchers believe that this may be part of an effort to better hide the zero-day vulnerabilities used in the attacks.

 

Over time, Raptor Train has increased the number of C2 servers, from up to five between 2020 and 2022, to 11 last year, and more than 60 this year between June and August.

 

The management of the entire botnet is done manually over SSH or TLS from Tier 3 systems (called Sparrow nodes by the attacker), which send commands and collect data such as bot information and logs.

 

For easier operation, Raptor Train’s Sparrow nodes provide a web interface (JavaScript front-end), a backend, and auxiliary functions to generate payloads and exploits.

 

Raptor Train campaigns

Black Lotus Labs has tracked four Raptor Train campaigns since 2020 and discovered dozens of Tier 2 and Tier 3 domains and IP addresses used in the attacks.

 

Starting May 2023, in a campaign that researchers call Canary, the botnet operators showed a more targeted approach and added to Raptor Train mostly ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS RT- and GT- routers.

 

For the nearly two months during the Canary campaign, one Tier 2 second-stage server infected at least 16,000 devices.

 

The fourth recruitment effort (Oriole campaign) that the researchers observed began in June 2023 and lasted until this September. Last month, the botnet had at least 30,000 devices in Tier 1.

 

The researchers say that the C2 domain w8510[.]com used in the Oriole campaign “became so prominent amongst compromised IoT devices, that by June 3, 2024, it was included in the Cisco Umbrella domain rankings” and that by August it was also in Cloudflare’s Radar top one million domains.

 

“This is a concerning feat because domains that are in these popularity lists often circumvent security tools via domain whitelisting, enabling them to grow and maintain access and further avoid detection” - Black Lotus Labs

According to the researchers, the botnet was used last December in scanning activities that targeted the U.S. military, U.S. government, IT providers, and defense industrial bases.

 

However, it appears that the targeting efforts are global, as the Raptor Train was also used to target a government agency in Kazakhstan.

 

Additionally, Black Lotus Labs notes that the botnet was also involved in exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances (likely via CVE-2024-21887) at organizations in the same activity sectors.

 

Currently, the Raptor Train botnet is at least partially disrupted as Black Lotus Labs is null-routing traffic to the known infrastructure points, "including their distributed botnet management, C2, payload and exploitation infrastructure."

 

Linked to Chinese state hackers

According to the indicators found during the investigation, Black Lotus Labs assesses with medium to high confidence that the operators of Raptor Train are likely state-sponsored Chinese hackers, specifically the Flax Typhoon group.

 

Supporting this assessment is not only the choice of targets, which aligns with Chinese interests, but also the language used in the codebase and infrastructure, as well as overlaps in tactics, techniques, and procedures.

 

The researchers noticed that Tier 3 management node connections to Tier 2 systems over SSH occurred “almost exclusively” during China’s normal workweek hours.

 

Additionally, the description of the functions and interface menus, comments, and references in the codebase were in Chinese.

 

Although Raptor Train is a sophisticated botnet, there are steps that users and network defenders can take to protect against it. For instance, network administrators should check for large outbound data transfers, even if the destination IP is from the same area.

 

Consumers are recommended to reboot their routers regularly and install the latest updates from the vendor. Also, they should replace devices that are no longer supported and don't receive updates (end-of-life systems).
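As an added example (not code from Black Lotus Labs, the FBI, or the original article), the following Python implements two of the defender checks discussed above: it totals outbound bytes per internal device and flags those above a threshold without exempting same-region destinations, and it matches DNS queries against the report's w8510[.]com indicator even when that domain also appears in a popularity list. The flow records, DNS lines, threshold, and popularity-list contents are all constructed for illustration.

```python
"""Outbound-volume and popularity-list checks for SOHO/IoT devices.

Added example, not from Black Lotus Labs or the FBI. All records below
are constructed; only the w8510[.]com indicator comes from the report.
"""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_region, bytes_out)
FLOWS = [
    ("192.168.1.20", "203.0.113.7", "same-region", 900_000_000),
    ("192.168.1.20", "198.51.100.9", "foreign", 150_000_000),
    ("192.168.1.31", "203.0.113.8", "same-region", 2_000_000),
    ("192.168.1.45", "198.51.100.3", "foreign", 600_000_000),
]

# Constructed DNS log: (src_ip, queried_domain); indicator kept defanged
DNS_QUERIES = [
    ("192.168.1.20", "w8510[.]com"),
    ("192.168.1.31", "example.com"),
]

# Known C2 domain from the report, normalised (defanging removed)
KNOWN_C2 = {"w8510.com"}
# Constructed stand-in for a popularity list that includes the C2 domain
POPULARITY_LIST = {"example.com", "w8510.com"}


def normalise_domain(domain):
    """Undo common defanging and lowercase so indicators compare equal."""
    return domain.lower().replace("[.]", ".").strip(".")


def outbound_bytes_per_host(flows):
    """Sum outbound bytes per source host across all destinations."""
    totals = defaultdict(int)
    for src, _dst, _region, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def flag_large_uploads(flows, threshold_bytes):
    """Hosts whose outbound total exceeds the threshold. The destination
    region is intentionally not used as an exemption, per the advice above."""
    totals = outbound_bytes_per_host(flows)
    return sorted(h for h, b in totals.items() if b > threshold_bytes)


def flag_c2_queries(queries, known_c2, popularity_list):
    """(host, domain, on_popularity_list) for queries hitting known C2.
    The third field shows where an allowlist would have let it through."""
    return [(src, d, d in popularity_list)
            for src, raw in queries
            for d in [normalise_domain(raw)] if d in known_c2]
```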
