U.S. intelligence agencies have issued a warning about a Chinese botnet that has breached 260,000 devices globally, including routers, firewalls, network-attached storage (NAS), and Internet of Things (IoT) devices from major IT and networking companies. The FBI, National Security Agency (NSA), and the Cyber National Mission Force (CNMF) stated in an advisory that cyber actors linked to the People’s Republic of China (PRC) have utilized the botnet to conduct distributed denial of service (DDoS) attacks and infiltrate targeted U.S. networks. Additionally, the U.S. Justice Department confirmed that a court-authorized law enforcement operation has successfully disrupted the botnet.
This campaign has targeted a total of 66 Common Vulnerabilities and Exposures (CVEs) across products and services from organizations such as ServiceNow, Fortinet, Zyxel, Apache, QNAP, F5, Ivanti, Juniper, Citrix, WordPress, Ubiquiti, Confluence, Atlassian, Cisco, Netgear, IBM, D-Link, and Microsoft, as well as the CVE-2024-4577 PHP vulnerability. The “Five Eyes” alliance partners, including cybersecurity agencies from Australia, New Zealand, Canada, and the UK, have joined U.S. agencies in addressing this threat.
Integrity Technology Group, a company based in the PRC with ties to the Chinese government, has been identified as the entity controlling and managing the botnet, dubbed “Raptor Train” by Black Lotus Labs. The botnet, active since mid-2021, has maintained tens to hundreds of thousands of compromised devices and currently comprises over 260,000 devices, with nearly half located in the U.S. Devices affected by the botnet have been detected in regions across North America, South America, Europe, Africa, Southeast Asia, and Australia.
Despite the common belief that devices beyond their end-of-life dates are more vulnerable to attacks, many compromised devices in this botnet are likely still supported by their respective manufacturers. Integrity Technology Group has utilized China Unicom Beijing Province Network IP addresses to control the botnet, which were also used to access other infrastructure involved in cyber intrusion activities against U.S. victims. The FBI has interacted with numerous U.S. victims of these intrusions and identified similarities with known cyber threat groups such as Flax Typhoon, RedJuliett, and Ethereal Panda.
The botnet leverages the Mirai family of malware to compromise IoT devices like webcams, DVRs, IP cameras, and Linux-based routers. The malware establishes connections with a command-and-control (C2) server using Transport Layer Security (TLS) on port 443. In addition, it communicates with specific domains like “c.speedtest.net” and over 80 subdomains of “w8510.com” linked to the botnet’s C2 servers. Upstream management servers using TCP port 34125 oversee the botnet’s C2 servers and host a MySQL database containing records of compromised devices.
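The network indicators named above (subdomains of w8510.com, the c.speedtest.net lookup, and TCP port 34125 for upstream management) can be triaged from DNS and flow logs. The following is an added example, not code from the advisory or from Black Lotus Labs; the log line format and the sample entries are constructed for illustration. It treats c.speedtest.net as a weak signal on its own, since that host also serves ordinary speed-test traffic, and only escalates hosts with a stronger indicator.

```python
"""Triage constructed DNS/flow log lines for the Raptor Train C2 indicators."""
from dataclasses import dataclass

C2_APEX = "w8510.com"                 # advisory: 80+ subdomains tied to C2 servers
CONNECTIVITY_CHECK = "c.speedtest.net"  # also legitimate traffic: weak signal alone
MGMT_PORT = 34125                     # advisory: upstream management servers, TCP

@dataclass
class Finding:
    src: str
    indicator: str
    confidence: str  # "high", "medium" or "low"

def is_c2_domain(name: str) -> bool:
    """True for w8510.com or any subdomain; a bare suffix match would also hit notw8510.com."""
    name = name.lower().rstrip(".")
    return name == C2_APEX or name.endswith("." + C2_APEX)

def triage(lines):
    """Constructed line formats: 'dns <src> <qname>' or 'flow <src> <dst> <proto>/<dport>'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "dns":
            src, qname = parts[1], parts[2].lower().rstrip(".")
            if is_c2_domain(qname):
                findings.append(Finding(src, qname, "high"))
            elif qname == CONNECTIVITY_CHECK:
                findings.append(Finding(src, qname, "low"))
        elif len(parts) == 4 and parts[0] == "flow":
            src, dst, proto_port = parts[1], parts[2], parts[3]
            proto, _, port = proto_port.partition("/")
            if proto == "tcp" and port.isdigit() and int(port) == MGMT_PORT:
                findings.append(Finding(src, f"{dst}:{port}", "medium"))
    return findings

def hosts_to_escalate(findings):
    """Hosts with at least one medium/high hit; a lone speedtest lookup is not enough."""
    return sorted({f.src for f in findings if f.confidence != "low"})

SAMPLE_LOGS = [  # constructed sample data, RFC 5737 documentation addresses
    "dns 10.0.0.5 c.speedtest.net",            # weak signal ...
    "dns 10.0.0.5 abc123.w8510.com.",          # ... corroborated by a C2 subdomain
    "dns 10.0.0.9 c.speedtest.net",            # weak signal only: not escalated
    "dns 10.0.0.9 notw8510.com",               # suffix look-alike, must not match
    "flow 10.0.0.7 198.51.100.20 tcp/34125",   # management port
    "flow 10.0.0.7 198.51.100.20 udp/34125",   # wrong protocol
    "flow 10.0.0.8 203.0.113.4 tcp/443",       # TLS on 443 alone is not an indicator
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.confidence:6} {f.src:10} {f.indicator}")
    print("escalate:", hosts_to_escalate(triage(SAMPLE_LOGS)))
```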
The NSA has released recommendations in response to this threat, aimed at helping National Security Systems, the Department of Defense, and the Defense Industrial Base networks mitigate these cyber threats. Suggestions include applying patches and updates regularly, disabling unused services and ports, replacing default passwords with strong alternatives, implementing network segmentation, monitoring for abnormal network traffic volumes, planning for device reboots to eliminate non-persistent malware, and replacing end-of-life equipment with supported devices.
In conclusion, the actions taken by U.S. intelligence agencies and law enforcement entities to disrupt the Chinese botnet highlight the ongoing challenges posed by cyber threats. It serves as a reminder of the importance of cybersecurity measures and vigilance in protecting critical infrastructure and sensitive data from malicious actors.