
topicnews · September 19, 2024

FBI confirms: China-related attack hits 260,000 devices

A new joint cybersecurity advisory from the Federal Bureau of Investigation, Cyber National Mission Force, and National Security Agency details new activity by the threat actor Flax Typhoon.

The cyber attackers compromised over 260,000 routers, firewalls, network attached storage and Internet of Things devices in small offices/home offices (SOHO), creating a botnet capable of launching distributed denial-of-service attacks or targeted attacks on US networks.

Who is Flax Typhoon?

Flax Typhoon, also known as RedJuliett and Ethereal Panda, is a China-based threat actor that has been active since at least mid-2021, according to Microsoft. The tech giant reported that Flax Typhoon has targeted both Taiwan-based organizations and other victims in Southeast Asia, North America, and Africa for cyberespionage purposes.

According to the FBI’s joint statement, the group is behind a China-based company called Integrity Tech, which has ties to the Chinese government.

Flax Typhoon used several different IP addresses belonging to Chinese provider China Unicom Beijing Province to control and manage the botnet. The group also used these addresses to access other operational infrastructure used in computer attacks against US companies.

Further reports show that China-based threat actors have targeted companies and governments around the world in recent years.


Botnet “Raptor Train”

Black Lotus Labs, the threat intelligence team of cybersecurity firm Lumen, has published a report on Flax Typhoon compromising SOHO routers and other devices. The resulting botnet was dubbed “Raptor Train” and has been tracked for four years.

The affected devices were infected by a variant of the notorious Mirai malware family, the weapon of choice for cybercriminals targeting IoT devices because its source code is freely available and easy to adapt for their own purposes.

In the variant observed by the FBI, the malware automates the compromise of a wide range of devices by exploiting known vulnerabilities. The oldest exploited vulnerabilities date back to 2015, while the most recent dates from July 2024. Once a device is compromised, it sends system and network information to a C2 server controlled by the attacker.

In September 2024, more than 80 subdomains of a w8510.com domain were connected to the botnet.
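One way a defender can act on that indicator is to watch resolver logs for lookups of the domain and any of its subdomains. The following is an added example, not code from the original article or from the FBI advisory; it assumes dnsmasq-style query logging, and the log lines and client addresses are constructed for illustration. The suffix check is exact, so a look-alike name such as "notw8510.com" is not flagged.

```python
import re
from collections import defaultdict

# Domain named in the advisory coverage above; add further suffixes as needed
WATCHLIST = {"w8510.com"}

# Constructed sample lines in a dnsmasq-style "query[TYPE] name from client" format
SAMPLE_LOG = """\
Sep 19 10:01:02 dnsmasq[123]: query[A] update.asus.com from 192.168.1.20
Sep 19 10:01:07 dnsmasq[123]: query[A] abc123.w8510.com from 192.168.1.35
Sep 19 10:01:09 dnsmasq[123]: query[A] notw8510.com from 192.168.1.40
Sep 19 10:02:11 dnsmasq[123]: query[AAAA] Node7.W8510.COM. from 192.168.1.35
Sep 19 10:02:30 dnsmasq[123]: query[A] cdn.example.net from 192.168.1.20
"""

LINE_RE = re.compile(r"query\[(?P<rtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot so suffix matching is exact."""
    return name.rstrip(".").lower()


def matches_watchlist(qname: str) -> bool:
    """True only for a watchlisted domain itself or a proper subdomain of it."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in WATCHLIST)


def find_c2_lookups(log_text: str) -> dict[str, list[str]]:
    """Map each client IP to the watchlisted names it tried to resolve."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and matches_watchlist(m["qname"]):
            hits[m["client"]].append(normalize(m["qname"]))
    return dict(hits)


if __name__ == "__main__":
    # A hit means the client (likely a router, camera or NAS) needs isolation and a firmware check
    for client, names in find_c2_lookups(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(names)}")
```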

Almost half of the affected devices are in the USA

As of June 2024, the management servers running a front-end software called “Sparrow” that allowed attackers to control compromised devices contained over 1.2 million records. This includes over 385,000 individual devices in the U.S.

A count of infected devices conducted in June 2024 found that almost half (47.9%) of the infected devices were located in the United States, followed by Vietnam (8%) and Germany (7.2%).

Number of infected devices by country in June 2024. Image: IC3.gov

More than 50 Linux systems were compromised, ranging from unsupported, outdated versions to currently supported versions running Linux kernel versions from 2.6 to 5.4.

The Sparrow interface allowed the threat actor to not only list compromised devices, but also manage vulnerabilities and exploits, upload or download files, execute remote commands, and tailor IoT-based DDoS attacks at scale.

The devices infected by the botnet span many brands, including routers from ASUS, TP-LINK and Zyxel. IP cameras such as D-LINK DCS, Hikvision, Mobotix, NUUO, AXIS and Panasonic were also affected, as were NAS devices from QNAP, Synology, Fujitsu and Zyxel.

FBI Director Christopher Wray announced in a keynote speech at the Aspen Cyber Summit 2024 that a court authorization allowed the FBI to issue commands that remove the malware from infected devices.

How companies can protect themselves from Flax Typhoon

The FBI recommends taking the following immediate actions:

  • Disable unused services and ports on routers and IoT devices. Services such as Universal Plug and Play or file sharing can be abused by attackers, so any service that is not needed should be turned off.
  • Implement network segmentation and apply the principle of least privilege so that IoT devices can only perform their intended function and do not expose the rest of the network to a higher risk of compromise.
  • Monitor for unusually high levels of network traffic. Companies should be prepared for abnormal traffic volumes that could indicate a DDoS attack.
  • Apply patches and updates to all operating systems, software and firmware. Regular patching removes the known vulnerabilities this botnet exploits.
  • Replace device default passwords with strong ones so that an attacker cannot simply log in with the default credentials.

The federal agency also suggested that companies schedule device reboots to remove any fileless malware that may be running in memory and replace outdated devices with supported ones.

Disclosure: I work for Trend Micro, but the views expressed in this article are my own.