Stealthy KV-botnet hijacks SOHO routers and VPN devices
Security News, December 2023
The Chinese state-sponsored APT hacking group known as Volt Typhoon has been linked to a sophisticated botnet, tracked as 'KV-botnet', which it has used since at least 2022 to compromise SOHO routers at high-value targets.
Volt Typhoon commonly compromises routers, firewalls, and VPN devices and uses them to proxy its malicious traffic, so that it blends in with legitimate traffic from those networks and escapes detection.
The botnet targets end-of-life devices, which no longer receive security updates, operated by small office/home office (SOHO) entities that do not maintain a sound security posture.
The attacks initially focused on Cisco RV320 routers, DrayTek Vigor routers, and NETGEAR ProSAFE firewalls, but the malware was later expanded to also target Axis IP cameras, including the M1045-LW, M1065-LW, and P1367-E models.
Volt Typhoon uses a complex infection chain involving multiple files, including bash scripts, that halt specific processes and remove security tools running on the infected device.
Black Lotus Labs attributes this botnet to Volt Typhoon after finding overlapping IP addresses, similar tactics, and operating hours that align with the working day in China Standard Time.
The advanced obfuscation techniques and covert data transfer channels seen in KV-botnet attacks, like employing tunneling layers, overlap with previously documented Volt Typhoon tactics, as do the target selection and interest in specific regions and organization types.
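The working-hours observation above is a standard attribution heuristic: convert each operator-side event (an interactive login, a manual tasking command) to a candidate time zone and see how much of the activity lands inside an ordinary Monday to Friday working day. The script below is an added illustration of that analysis and is not code from the Black Lotus Labs report; the event timestamps are constructed, the candidate time zones are fixed UTC offsets chosen for the example (no daylight-saving handling), and the 09:00 to 17:59 working-day window is an assumption.

```python
"""Hour-of-day / day-of-week analysis of attacker activity timestamps.

Added example, not code from the Black Lotus Labs report. It scores how well a
set of UTC event times fits a Monday-Friday working day in several candidate
operator time zones, the reasoning behind "activity aligns with China Standard
Time".
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Candidate operator time zones as fixed UTC offsets (assumption: no DST
# handling; use zoneinfo for a real investigation that spans DST changes).
CANDIDATE_ZONES = {
    "China Standard Time (UTC+8)": timezone(timedelta(hours=8)),
    "Moscow (UTC+3)": timezone(timedelta(hours=3)),
    "US Eastern, standard (UTC-5)": timezone(timedelta(hours=-5)),
}

WORK_HOURS = range(9, 18)  # 09:00 .. 17:59 local (assumed working day)
WORK_DAYS = range(0, 5)    # Monday=0 .. Friday=4

# Constructed sample of operator-side events in UTC (for example, interactive
# logins or manual C2 tasking recovered from device logs). Not real data.
SAMPLE_EVENTS_UTC = [
    "2023-11-06T01:12:00Z", "2023-11-06T03:40:00Z",
    "2023-11-07T02:05:00Z", "2023-11-07T06:30:00Z",
    "2023-11-08T01:55:00Z", "2023-11-08T08:20:00Z",
    "2023-11-09T04:10:00Z", "2023-11-09T09:45:00Z",
    "2023-11-10T02:30:00Z", "2023-11-10T07:15:00Z",
    "2023-11-11T03:00:00Z",  # Saturday 11:00 in UTC+8
    "2023-11-09T18:30:00Z",  # Friday 02:30 in UTC+8
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_working_hours(local: datetime) -> bool:
    """True if a local-time event falls on a weekday within WORK_HOURS."""
    return local.weekday() in WORK_DAYS and local.hour in WORK_HOURS


def working_hours_score(events_utc, tz) -> float:
    """Fraction of events inside weekday working hours when viewed in tz."""
    events = [parse_utc(e) for e in events_utc]
    if not events:
        return 0.0
    hits = sum(1 for e in events if in_working_hours(e.astimezone(tz)))
    return hits / len(events)


def hour_histogram(events_utc, tz) -> dict:
    """Events per local hour (0..23) in tz, for eyeballing a work pattern."""
    counts = Counter(parse_utc(e).astimezone(tz).hour for e in events_utc)
    return {h: counts.get(h, 0) for h in range(24)}


def rank_timezones(events_utc, candidates=CANDIDATE_ZONES):
    """Return (label, score) pairs sorted best-fit first."""
    scored = [(label, working_hours_score(events_utc, tz))
              for label, tz in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for label, score in rank_timezones(SAMPLE_EVENTS_UTC):
        print(f"{label:32s} {score:.2f}")
    cst = CANDIDATE_ZONES["China Standard Time (UTC+8)"]
    busy = {h: c for h, c in hour_histogram(SAMPLE_EVENTS_UTC, cst).items() if c}
    print("UTC+8 hour histogram:", busy)
```

On the constructed sample, ten of twelve events fall in the UTC+8 working day, four in Moscow's and one in US Eastern's, so UTC+8 ranks first. In practice this signal is only one strand of evidence, since operators can shift hours or schedule automated tasking, which is why the report pairs it with infrastructure and tooling overlaps.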