The Cybersecurity and Infrastructure Security Agency has advised SOHO router manufacturers to strengthen their security against the ongoing Volt Typhoon attacks.
CISA’s Guidelines Against Volt Typhoon Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory to manufacturers of small office/home office (SOHO) routers, urging them to strengthen the security of their devices against ongoing attacks, particularly those orchestrated by the Chinese state-sponsored hacking group known as Volt Typhoon (also tracked as Bronze Silhouette).
In collaboration with the Federal Bureau of Investigation (FBI), CISA has developed new guidelines for vendors. These guidelines specifically emphasize the need to address vulnerabilities in the web management interfaces (WMIs) of SOHO routers during the design and development stages.
Vendors were also urged to change the routers’ default configuration so that security updates are applied automatically, disabling a security setting requires a deliberate manual override, and the WMI is reachable only from devices on the local area network rather than from the WAN side.
CISA Urges Manufacturers to Build Security into Design, Development, and Maintenance
“CISA and FBI are urging SOHO router manufacturers to build security into the design, development, and maintenance of SOHO routers to eliminate the path these threat actors are taking to (1) compromise these devices and (2) use these devices as launching pads to further compromise U.S. critical infrastructure entities.
“CISA and FBI also urge manufacturers to protect against Volt Typhoon activity and other cyber threats by disclosing vulnerabilities via the Common Vulnerabilities and Exposures (CVE) program as well as by supplying accurate Common Weakness Enumeration (CWE) classification for these vulnerabilities.
“The Alert also urges manufacturers to implement incentive structures that prioritize security during product design and development,” CISA said in its advisory.
Volt Typhoon Attacks Are Linked to SOHO Router Botnet
According to CISA’s recent alert, the attacks on SOHO routers by Volt Typhoon are likely linked to the KV-botnet malware. This malware, which has been associated with Chinese cyberspies, has been targeting these devices since at least August 2022.
In a U.S. government advisory from June 2023, it was assessed that the threat group is actively working on establishing infrastructure that could potentially disrupt communication networks throughout the United States.
In a previous report by Microsoft, it was revealed that Chinese state-sponsored hackers have been actively targeting and infiltrating critical infrastructure organizations in the United States since at least mid-2021. Notably, Guam, an island hosting multiple U.S. military bases, was among the targeted locations.
Volt Typhoon, the hacking group associated with China, has a known modus operandi of focusing on routers, firewalls, and VPN devices. They employ tactics such as proxying malicious traffic through these devices, blending it with legitimate traffic to evade detection during their attacks.
According to the Lumen Technologies Black Lotus Labs team, the hackers specifically target Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras.
“The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years,” Lumen Technologies said.
The KV-botnet has been utilized to establish a covert data transfer network, enabling a series of attacks on various organizations. These targeted entities include U.S. military entities, telecommunication and internet service providers, a government entity in Guam, and a European renewable energy firm. The wide range of targets highlights the extensive reach and impact of these attacks.
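The proxying behaviour described above (an edge device relaying attacker traffic so that it blends with legitimate flows) leaves a usable signal on the defender's side: a router, firewall or VPN appliance should rarely originate its own sessions to the internet beyond a small set of known services, whereas a relay node fans out to many unrelated external hosts. The following is an added detection example written for this article; it is not code from CISA, the FBI, Lumen or any vendor. The flow-record format, the edge-device inventory, the allow-listed update host and the fan-out threshold are all constructed assumptions, as are the sample flows.

```python
"""Flag managed edge devices that originate sessions to many unrelated external hosts.

Added example for illustration only (not from CISA's advisory or any vendor).
Heuristic: a SOHO router's own address normally contacts only a handful of known
destinations (vendor update server, NTP). A device acting as a traffic relay instead
fans out to many distinct external hosts, often on interactive service ports.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


# Assumption: addresses of the edge devices we manage, taken from an asset inventory.
EDGE_DEVICES: Set[str] = {"203.0.113.1", "198.51.100.1"}

# Assumption: destinations a device may legitimately contact on its own
# (constructed vendor update server address).
ALLOWED_DSTS: Set[str] = {"192.0.2.10"}

# RFC 1918, loopback and link-local ranges are treated as internal. The example
# deliberately does not use ipaddress.is_private, which also classifies the
# documentation ranges used in the sample data (192.0.2.0/24 etc.) as private.
INTERNAL_NETS = [
    ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Tunable: distinct unexpected external hosts before a device is flagged.
MAX_UNEXPECTED_DSTS = 5

# Constructed sample flow records in a simple key=value format.
SAMPLE_FLOW_LINES: List[str] = [
    "src=203.0.113.1 dst=192.0.2.10 dport=443 bytes=5200",   # update check: allowed
    "src=203.0.113.1 dst=10.0.0.7 dport=80 bytes=800",       # internal: ignored
    "src=203.0.113.1 dst=192.0.2.50 dport=22 bytes=1400",
    "src=203.0.113.1 dst=192.0.2.51 dport=445 bytes=2600",
    "src=203.0.113.1 dst=192.0.2.52 dport=3389 bytes=9100",
    "src=203.0.113.1 dst=192.0.2.53 dport=443 bytes=3300",
    "src=203.0.113.1 dst=192.0.2.54 dport=8443 bytes=700",
    "src=198.51.100.1 dst=192.0.2.10 dport=443 bytes=5100",  # update check: allowed
    "src=198.51.100.1 dst=192.0.2.60 dport=53 bytes=120",    # one unexpected host only
    "src=10.0.0.5 dst=192.0.2.70 dport=443 bytes=4000",      # workstation: not an edge device
]


def is_external(ip: str) -> bool:
    """True when the address is outside the internal ranges defined above."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one 'src=... dst=... dport=... bytes=...' record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), int(fields["bytes"]))


def unexpected_destinations(flows: Iterable[Flow]) -> Dict[str, Set[str]]:
    """Per edge device, the distinct external hosts it contacted outside the allow-list."""
    seen: Dict[str, Set[str]] = {dev: set() for dev in EDGE_DEVICES}
    for f in flows:
        if f.src not in EDGE_DEVICES:
            continue  # only device-originated traffic is of interest here
        if not is_external(f.dst) or f.dst in ALLOWED_DSTS:
            continue
        seen[f.src].add(f.dst)
    return seen


def find_proxying_devices(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Devices whose fan-out to unexpected external hosts meets the threshold."""
    stats = unexpected_destinations(list(flows))
    return {dev: sorted(dsts) for dev, dsts in stats.items()
            if len(dsts) >= MAX_UNEXPECTED_DSTS}


if __name__ == "__main__":
    flows = [parse_flow(line) for line in SAMPLE_FLOW_LINES]
    for dev, dsts in find_proxying_devices(flows).items():
        print(f"ALERT edge device {dev} originated sessions to "
              f"{len(dsts)} unexpected external hosts: {', '.join(dsts)}")
```

In practice the flow records would come from NetFlow/IPFIX or firewall logs, the device list from inventory, and the allow-list from the vendor's documented update and time-sync endpoints; the threshold needs tuning per environment, since a device that also serves DNS forwarding or cloud-managed telemetry will legitimately talk to more hosts than a bare router.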
FBI Takes Down Volt Typhoon
Reuters reported that the U.S. government has taken action in recent months to dismantle a portion of Volt Typhoon’s infrastructure. These efforts reflect the government’s proactive stance in addressing the threat posed by this hacking group.
FBI Director Christopher Wray said the FBI disrupted the Volt Typhoon operation that was targeting US water, transportation, energy, and communications infrastructure.
The FBI seized control of hundreds of routers that were compromised in the Volt Typhoon attacks and were used as bases to infiltrate sensitive systems. This action removed malware and blocked reinfections on the routers.
US officials warned that China far outnumbers the US in cyber capabilities and urged more investment in US cyber defenses.
US officials said the disrupted operation was just “the tip of the iceberg” and China’s hacking poses serious threats to critical US infrastructure services and national security.