Volt Typhoon APT group targeting legacy SOHO routers

Volt Typhoon APT group targeted legacy SOHO routers; CVE-2021-40539, CVE-2021-27860 

On January 31, 2024, the US Department of Justice announced that the FBI had disrupted the “KV-Botnet”, a hidden botnet of compromised SOHO routers that the Volt Typhoon APT group was using to target US critical infrastructure.

Researchers have uncovered a hidden botnet dubbed “KV-Botnet” used to attack crucial US organizations such as government agencies and communication providers. The botnet infects routers and other devices commonly used in small offices and homes and relays attack traffic through them, which hides the true origin of the attacks and gives the operators a foothold for further infiltration.

The report, published by Lumen’s Black Lotus Labs, reveals that KV-Botnet can infect devices from multiple vendors and stealthily spread within networks. Notably, the Chinese state-sponsored hacking group, Volt Typhoon, has been linked to using KV-Botnet in past attacks against telecoms, an ISP, and even a US government office in Guam. While Volt Typhoon is a major player, experts believe other attackers are likely using this hidden threat as well. 

The FBI, as part of this effort, has called on manufacturers to “eliminate defects in SOHO routers” of the kind that were targeted.

“Older technologies end up with an ‘end of life’ status at some point on the product timeline. These make for very handy targets by threat actors because many remain in use serving their purpose, particularly in the environment of a small office or home office (SOHO) environment,” says Victor Gamra, CEO at FortifyData. “In this instance, overlooked routers that are still in use were able to be compromised as part of a command-and-control (C2) network from which anonymized traffic could be used to conduct attacks on our critical infrastructure.”

FortifyData, which monitors cyber threat intelligence and APT group targeting to enrich its cyber threat assessment findings, is offering complimentary assessments to determine whether the routers and services affected by these CVEs are present in your IT environment or at your third parties.

Notable CVEs exploited by Volt Typhoon:

CVE-2019-1653 – A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Router could allow an unauthenticated, remote attacker to retrieve sensitive information. 

CVE-2019-1652 – A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. 

CVE-2021-40539 – Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. 

CVE-2021-27860 – A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. 
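As an added example (not FortifyData's assessment tooling and not code from the original post), the following Python script turns the affected-version criteria from the list above into a check that can be run over an asset inventory. The inventory records and host names are constructed for the example; the FatPipe version format `major.minor.patch` followed by optional `rNN` and `pNN` suffixes is an assumption based on the version strings quoted in the advisory text, and the rule that FatPipe branches newer than 10.2 are not flagged is likewise an assumption, since the list says nothing about them. The Cisco RV320/RV325 entries are flagged on model alone because the list gives no fixed firmware version for them.

```python
import re

# Constructed sample inventory (not real hosts): one record per device or service.
INVENTORY = [
    {"host": "rtr-branch-1", "product": "Cisco RV320", "version": "1.4.2.15"},
    {"host": "rtr-branch-2", "product": "Cisco RV042", "version": "4.2.3.14"},
    {"host": "adss-01", "product": "ManageEngine ADSelfService Plus", "version": "6113"},
    {"host": "adss-02", "product": "ManageEngine ADSelfService Plus", "version": "6114"},
    {"host": "wan-edge-1", "product": "FatPipe WARP", "version": "10.1.2r60p91"},
    {"host": "wan-edge-2", "product": "FatPipe MPVPN", "version": "10.2.2r44p1"},
    {"host": "wan-edge-3", "product": "FatPipe IPVPN", "version": "10.2.1r10p3"},
]

# Assumed FatPipe version layout: major.minor.patch with optional "r<release>" and "p<patch>".
_FATPIPE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?(?:p(\d+))?$")


def parse_fatpipe_version(text):
    """Turn '10.1.2r60p92' into the comparable tuple (10, 1, 2, 60, 92).

    Missing r/p components compare as 0, so '10.1.2' sorts before '10.1.2r60p92'.
    """
    match = _FATPIPE_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised FatPipe version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


# First fixed release per branch, as given in the CVE-2021-27860 description.
FATPIPE_FIXED = {
    (10, 1): parse_fatpipe_version("10.1.2r60p92"),
    (10, 2): parse_fatpipe_version("10.2.2r44p1"),
}


def fatpipe_findings(version):
    """CVE-2021-27860 applies to anything older than the first fixed build of its branch."""
    parsed = parse_fatpipe_version(version)
    branch = parsed[:2]
    if branch in FATPIPE_FIXED:
        vulnerable = parsed < FATPIPE_FIXED[branch]
    else:
        # Branches older than 10.1 predate both fixed releases. Branches newer than 10.2
        # are not described by the advisory text, so they are not flagged (assumption).
        vulnerable = branch < (10, 1)
    return ["CVE-2021-27860"] if vulnerable else []


def adselfservice_findings(version):
    """CVE-2021-40539: ADSelfService Plus build 6113 and prior."""
    build = int(version.strip())
    return ["CVE-2021-40539"] if build <= 6113 else []


def findings_for(record):
    """Map one inventory record to the CVE identifiers from the list that apply to it."""
    product = record["product"].lower()
    version = record["version"]
    if "rv320" in product or "rv325" in product:
        # No fixed firmware version is given above, so the model itself is flagged for review.
        return ["CVE-2019-1652", "CVE-2019-1653"]
    if "adselfservice" in product:
        return adselfservice_findings(version)
    if "fatpipe" in product:
        return fatpipe_findings(version)
    return []


def assess(inventory):
    """Return {host: [CVE, ...]} for every record with at least one finding."""
    report = {}
    for record in inventory:
        cves = findings_for(record)
        if cves:
            report[record["host"]] = cves
    return report


if __name__ == "__main__":
    for host, cves in assess(INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```

Hosts that match only on model (the RV320/RV325 entries) still need a firmware check against the vendor's advisory before they are treated as confirmed findings; the script only tells you where to look.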
