- A joint advisory from 10 nations warns that Chinese state-sponsored groups are using large botnets of compromised IoT and SOHO devices.
- These secret networks allow attackers to hide their location, launch DDoS attacks, spread malware and steal sensitive data at scale.
- Agencies are urging organizations to patch devices, enforce strong credentials and monitor for indicators of compromise to reduce exposure.
Most Chinese state-sponsored threat actors are using botnets of compromised IoT and SOHO devices as their attack infrastructure, according to a new 10-nation joint security advisory.
Earlier this week, security agencies from 10 countries, including the NSA, DOJ, NCSC and others, published a new paper called “Defending against China-nexus’ secret network of compromised devices,” which claims these groups use botnets to steal people’s data or disrupt activities.
“Anyone who is a target of China-nexus cyber actors may be affected by the use of secret networks,” the report said. “The use of covert networks of compromised devices – also known as botnets – to facilitate malicious cyber activity is not new, but cyber actors linked to China are now using them strategically and on a large scale.”
Raptor Train
These actors look for vulnerable or poorly protected internet-connected devices, such as small office/home office (SOHO) routers and Internet of Things (IoT) devices (smart TVs, smart cameras, DVRs and the like), and infect them with malware. That malware gives them full control of the devices, which they can later use to hide their location, launch DDoS (Distributed Denial of Service) attacks, deploy further malware, or steal sensitive information.
One of the botnets named in the report is Raptor Train, which comprised more than 200,000 devices worldwide. According to The Register, the FBI had previously linked this botnet to a Chinese state-sponsored group called Flax Typhoon.
There are a number of “Typhoon” groups, such as Salt Typhoon, Brass Typhoon, Volt Typhoon and others, and all of them appear to have used such botnets in their operations. Volt Typhoon, for example, built the KV Botnet out of outdated Cisco and Netgear routers.
To keep devices from being recruited into these botnets, the agencies advise applying the latest patches, using strong login credentials, and regularly scanning for indicators of compromise.
Via The Register