Chinese Botware

apdxyk · Sep 21, 2024

And their list of impacted devices:

• Modems/Routers

ActionTec PK5000

ASUS RT-*/GT-*/ZenWifi

TP-LINK

DrayTek Vigor

Tenda Wireless

Ruijie

Zyxel USG*

Ruckus Wireless

VNPT iGate

Mikrotik

TOTOLINK

IP Cameras

D-LINK DCS-*

Hikvision

Mobotix

NUUO

AXIS

Panasonic

NVR/DVR

Shenzhen TVT NVRs/DVRs

NAS

QNAP (TS Series)

Fujitsu

Synology

Zyxel

If you own one of the above branded pieces of equipment, check the manufacturer's website for updated firmware. If you suspect it has been compromised, a full factory reset and firmware recovery is probably the only option to ensure code remnants don't persist.

maxinger · Sep 21, 2024

apdxyk said:
And their list of impacted devices:

• Modems/Routers

ActionTec PK5000

ASUS RT-*/GT-*/ZenWifi

TP-LINK

DrayTek Vigor

Tenda Wireless

Ruijie

Zyxel USG*

Ruckus Wireless

VNPT iGate

Mikrotik

TOTOLINK

IP Cameras

D-LINK DCS-*

Hikvision

Mobotix

NUUO

AXIS

Panasonic

NVR/DVR

Shenzhen TVT NVRs/DVRs

NAS

QNAP (TS Series)

Fujitsu

Synology

Zyxel

If you own one of the above branded pieces of equipment, check the manufacturer's website for updated firmware. If you suspect it has been compromised, a full factory reset and firmware recovery is probably the only option to ensure code remnants don't persist.
More...

The message sounds odd as OP did not present any evidence of China Botware.

Who knows, after you have done the full factory reset and firmware recovery,
you might end up like what happpened in Lebanon.

NoahA · Sep 21, 2024

apdxyk said:
If you own one of the above branded pieces of equipment, check the manufacturer's website for updated firmware. If you suspect it has been compromised, a full factory reset and firmware recovery is probably the only option to ensure code remnants don't persist.
More...

I don't know enough about the interplay between firmware and hardware, but I suspect that if products are truly compromised, even loading new firmware won't solve anything. There could easily be corruption at the hardware level that super-cedes any firmware instructions. Maybe an extra chip that bypasses any software instructions and does what it wants to do anyway??

mervyn · Sep 21, 2024

what makes you think that you are so important and someone must hack your equipment to get you?

schizo · Sep 21, 2024

mervyn said:
what makes you think that you are so important and someone must hack your equipment to get you?
More...

Your online banking activities and your sexual fantasies.

ph1l · Sep 21, 2024

maxinger said:
The message sounds odd as OP did not present any evidence of China Botware.
More...

https://www.bleepingcomputer.com/ne...0-000-routers-ip-cameras-with-botnet-malware/

Chinese botnet infects 260,000 SOHO routers, IP cameras with malware
By
Ionut Ilascu

September 18, 2024

12:00 PM

The FBI and cybersecurity researchers have disrupted a massive Chinese botnet called “Raptor Train” that infected over 260,000 networking devices to target critical infrastructure in the US and in other countries.

The botnet has been used to target entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, mainly in the US and Taiwan.

Over four years, Raptor Train has grown into a complex, multi-tiered network with an enterprise-grade control system for handling tens of servers and a large number of infected SOHO and consumer devices: routers and modems, NVRs and DVRs, IP cameras, and network-attached storage (NAS) servers.

The video player is currently playing an ad.

Multi-tiered botnet
Raptor Train started in May 2020 and appears to have remained under the radar until last year when it was discovered by researchers at Black Lotus Labs, the threat research and operations arm at Lumen Technologies, while investigating compromised routers.

While the primary payload is a variant of the Mirai malware for distributed denial-of-service (DDoS) attacks, which the researchers call Nosedive, the botnet has not been seen deploying such attacks.

In a report today, the researchers describe three tiers of activity within Raptor Train, each for specific operations, e.g. sending out tasks, managing exploitation or payload servers, and command and control (C2) systems.

Raptor Train botnet architecture
source: Black Lotus Labs
The number of active compromised devices in the botnet fluctuates but researchers believe that more than 200,000 systems have been infected by Raptor Train since it started in May 2020, and it controlled over 60,000 devices at its peak in June last year.

At the moment, Black Lotus Labs is tracking around the same number of active infected devices, fluctuating by a few thousand since August.

In an alert today about the same botnet, the FBI notes that Raptor Train infected more than 260,000 devices.

FBI's statistics on Raptor Train global infections
source: FBI
Speaking at the Aspen Cyber Summit earlier this month, FBI Director Christopher Wray said that Flax Typhoon worked at the direction of the Chinese government.

To remove the threat, the FBI executed Court authorized operations that led to taking control of the botnet infrastructure. In response, Flax Typhoon tried to migrate infected devices to new servers "and even conducted a DDOS attack against us," Wray said.

"Ultimately as part of this operation we were able to identify thousands of infected devices, and then with court authorization, issued commands to remove malware from them, prying them from China's grip" - Christopher Wray

In a MySQL database retrieved from an upstream management server (Tier 3), the FBI found that in June this year, there were more than 1.2 million records of compromised devices (active and previously compromised), with 385,000 unique systems in the U.S.

The FBI also connected the botnet to the Flax Typhoon state-sponsored hackers, saying that the control of Raptor Train was done through the Chinese company Integrity Technology Group (Integrity Tech) using China Unicom Beijing Province Network IP addresses.

With an architecture that can handle more than 60 C2s and the bots they manage, Raptor Train typically has tens of thousands of active Tier 1 devices when engaged in campaigns:

Modems/Routers
ActionTec PK5000 ASUS RT-*/GT-*/ZenWifi
TP-LINK DrayTek Vigor
Tenda Wireless Ruijie
Zyxel USG* Ruckus Wireless
VNPT iGate Mikrotik
TOTOLINK

IP Cameras
D-LINK DCS-* Hikvision
Mobotix NUUO
AXIS Panasonic
NVR/DVR Shenzhen TVT NVRs/DVRs

NAS devices
QNAP (TS Series) Fujitsu
Synology Zyxel
The researchers say that Raptor Train operators add devices in Tier 1 likely by exploiting “exploiting more than 20 different device types with both 0-day and n-day (known) vulnerabilities.”

Because Nosedive payloads do not have a persistence mechanism, these devices stay in the botnet for about 17 days and the operators recruit new ones as needed.

The Tier 2 network is for command and control, exploitation, and payload servers for Tier 1 devices.

Black Lotus Labs distinguishes between first-stage and second-stage payload servers, with the former delivering a more generic payload and the latter engaging in more targeted attacks on specific device types.

The researchers believe that this may be part of an effort to better hide the zero-day vulnerabilities used in the attacks.

Over time, Raptor Train has increased the number of C2 servers, from up to five between 2020 and 2022, to 11 last year, and more than 60 this year between June and August.

The management of the entire botnet is done manually over SSH or TLS from Tier 3 systems (called Sparrow nodes by the attacker), which send commands and collect data such as bot information and logs.

For easier operation, Raptor Train’s Sparrow nodes provide a web interface (Javascript front-end), backend, and auxiliary functions to generate payloads and exploits.

Raptor Train campaigns
Black Lotus Labs has tracked four Raptor Train campaigns since 2020 and discovered dozens of Tier 2 and Tier 3 domains and IP addresses used in the attacks.

Starting May 2023, in a campaign that researchers call Canaray, the botnet operators showed a more targeted approach and added to Raptor Train mostly ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs and ASUS RT- and GT- routers.

For the nearly two months during the Canary campaign, one Tier 2 second-stage server infected at least 16,000 devices.

The fourth recruitment effort (Oriole campaign) that the researchers observed began in June 2023 and lasted until this September. Last month, the botnet had at least 30,000 devices in Tier 1.

The researchers say that the C2 domain w8510[.]com used in the Oriole campaign “became so prominent amongst compromised IoT devices, that by June 3, 2024, it was included in the Cisco Umbrella domain rankings” and that by August it was also in Cloudflare’s Radar top one million domains.

“This is a concerning feat because domains that are in these popularity lists often circumvent security tools via domain whitelisting, enabling them to grow and maintain access and further avoid detection” - Black Lotus Labs

According to the researchers, the botnet was used last December in scanning activities that targeted the U.S. military, U.S. government, IT providers, and defense industrial bases.

However, it appears that the targeting efforts are global, as the Raptor Train was also used to target a government agency in Kazakhstan.

Additionally, Black Lotus Labs notes that the botnet was also involved in exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances (likely via CVE-2024-21887) at organizations in the same activity sectors.

Currently, the Raptor Train botnet is at least partially disrupted as Black Lotus Labs is null-routing traffic to the known infrastructure points, "including their distributed botnet management, C2, payload and exploitation infrastructure."

Linked to Chinese state hackers
According to the indicators found during the investigation, Black Lotus Labs assesses with medium to high confidence that the operators of Raptor Train are likely state-sponsored Chinese hackers, specifically the Flax Typhoon group.

In support of the theory is not only the choice of targets, which aligns with Chinese interests but also the language used in the codebase and infrastructure, as well as the overlapping of various tactics, techniques, and procedures.

The researchers noticed that Tier 3 management node connections to Tier 2 systems over SSH occurred “almost exclusively” during China’s normal workweek hours.

Additionally, the description of the functions and interface menus, comments, and references in the codebase were in Chinese.

Despite being a sophisticated botnet, there are steps that users and network defenders can take to protect against Raptor Train. For instance, network administrators should check for large outbound data transfers, even if the destination IP is from the same area.

Consumers are recommended to reboot their routers regularly and install the latest updates from the vendor. Also, they should replace devices that are no longer supported and don't receive updates (end-of-life systems).
More...

d08 · Sep 22, 2024

mervyn said:
what makes you think that you are so important and someone must hack your equipment to get you?
More...

My cloud VPS where my systems run was compromised unknown to me. I checked the logs and the same IP from Russia spent a lot of time inside and even returned many months later.
You don't have to be important, you could just have some money or resources that are valuable.
Why do you assume only the Chinese government knows about these holes and not some other money-driven groups?

mervyn · Sep 22, 2024

d08 said:
My cloud VPS where my systems run was compromised unknown to me. I checked the logs and the same IP from Russia spent a lot of time inside and even returned many months later.
You don't have to be important, you could just have some money or resources that are valuable.
Why do you assume only the Chinese government knows about these holes and not some other money-driven groups?
More...

why would you have private server? local nas is good enough.

d08 · Sep 22, 2024

mervyn said:
why would you have private server? local nas is good enough.
More...

Silly question. I live in an area with tropical storms where power is lost frequently. On top of that why would I go for poor latency when I can have a server less than 100 miles from my broker?
Ignoring all that, a home computer (especially MS Windows) is ever more prone to infiltration. My case was due to my own stupidity, Linux otherwise is secure.

nursebee · Sep 23, 2024

Will this advice keep these from exploding?