The Volt Typhoon group behind the KV botnet (also written KV-botnet) is trying to rebuild it after the FBI announced that it had dismantled the botnet and removed its malware from the infected routers.
Last week, the FBI said it had taken down the KV botnet, which the Chinese state-sponsored group Volt Typhoon (also tracked as Bronze Silhouette, DEV-0391, Insidious Taurus, and Vanguard Panda) used to hide the origin of its attacks on US critical infrastructure.
Devices known to have been compromised and added to the botnet include Netgear ProSAFE, Cisco RV320, and DrayTek Vigor routers, as well as Axis IP cameras. Researchers at
The operation began on December 6, 2023, when law enforcement obtained a court order authorizing the dismantling of the botnet after its control servers had been taken over. The FBI sent commands to the compromised devices that disconnected them from the botnet and prevented the Chinese operators from re-compromising them. The same action also forced the malware to delete its VPN component from the devices and blocked the attackers from using the routers to launch further attacks.
As Black Lotus Labs now reports, shortly after the FBI action Volt Typhoon began scanning the internet for new vulnerable devices in an attempt to rebuild the dismantled botnet. According to the researchers, the attackers targeted 3,045 devices, including roughly a third of all Netgear ProSAFE routers exposed on the internet, and succeeded in infecting about 630 of them.
“In early December 2023, we observed a brief but very active period of exploitation, when the attackers tried to restore their control infrastructure and return the botnet to a working state,” the experts write. “Over the three days from December 8 to December 11, 2023, the KV botnet operators targeted about 33% of all NetGear ProSAFE devices on the internet for re-exploitation.”
Black Lotus Labs says it thwarted the attempts to revive the botnet by null-routing all of the attackers' control and payload servers from December 12, 2023 to January 12, 2024. The last KV botnet beacon was reportedly seen on January 3, and no new command-and-control servers have come online since.
“The lack of active C2 infrastructure, coupled with court-sanctioned FBI actions against the KV bot and active null-routing of the current and new KV cluster infrastructure, is a sure sign that the KV cluster is now inactive,” said Black Lotus Labs.
However, there are already signs that the attackers set up a separate botnet cluster, called x.sh, back in January 2023. It consists of infected Cisco routers and uses the fy.sh web shell, which SecurityScorecard warned about last month.
The KV botnet is believed to be just “one form of infrastructure used by Volt Typhoon to disguise its activities,” so the actions of the FBI and security researchers are expected to push the group toward another covert network.
“A significant percentage of network equipment used around the world is functioning perfectly but is no longer supported,” the researchers say. “End users are faced with difficult financial choices when a device reaches this point, and many are unaware that the router or firewall is reaching the end of its life. Modern attackers are well aware that this is fertile ground for exploitation.”