After the FBI Takedown of the KV-Botnet, the Threat Actors Adjust Their Tactics

admin, 2024-02-08 14:50:09


The threat actors behind the KV-botnet made "behavioral changes" to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity.


KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for actors, including Volt Typhoon (aka Bronze Silhouette, Insidious Taurus, or Vanguard Panda).


Active since at least February 2022, it was first documented by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The botnet is known to comprise two main sub-groups, viz. KV and JDY, with the latter principally used for scanning potential targets for reconnaissance.


Late last month, the U.S. government announced a court-authorized disruption effort to take down the KV cluster, which is typically reserved for manual operations against high-profile targets chosen after broader scanning via the JDY sub-group.


Now, according to new findings from Lumen, the JDY cluster fell silent for roughly fifteen days following the public disclosure, a byproduct of the U.S. Federal Bureau of Investigation (FBI) operation.


"In mid-December 2023, we observed this activity cluster hovering around 1500 active bots," security researcher Ryan English said. "When we sampled the size of this cluster in mid-January 2024 its size dwindled to approximately 650 bots."


Given that the takedown actions began with a signed warrant issued on December 6, 2023, it's fair to assume that the FBI began transmitting commands to routers located in the U.S. sometime on or after that date to wipe the botnet payload and prevent them from being re-infected.


"We observed the KV-botnet operators begin to restructure, committing eight straight hours of activity on December 8, 2023, nearly ten hours of operations the following day on December 9, 2023, followed by one hour on December 11, 2023," Lumen said in a technical report shared with The Hacker News.



During this four-day period, the threat actor was spotted interacting with 3,045 unique IP addresses that were associated with NETGEAR ProSAFEs (2,158), Cisco RV 320/325 (310), Axis IP cameras (29), DrayTek Vigor routers (17), and other unidentified devices (531).


Also observed in early December 2023 was a massive spike in exploitation attempts from the payload server, indicating the adversary's likely attempts to re-exploit the devices as they detected their infrastructure going offline. Lumen said it also took steps to null-route another set of backup servers that became operational around the same time.



It's worth noting that the operators of the KV-botnet are known to perform their own reconnaissance and targeting while also supporting multiple groups such as Volt Typhoon. Interestingly, the timestamps associated with exploitation of the bots correlate with a certain country's working hours.
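The working-hours correlation mentioned above is a routine attribution heuristic: shift every event timestamp by each candidate UTC offset and count how many events land on a weekday inside a local business-hours window; the offset that maximizes the count is the operator's likely time zone. The Python below is an added example written for this page, not code from Lumen, Black Lotus Labs or the article. The event timestamps are constructed, and the 09:00-18:00 weekday window and the whole-hour offset candidates (-12 to +14) are assumptions.

```python
"""Infer an operator's likely UTC offset from exploitation-event timestamps.

Added example (not from the article or from Lumen). The sample events below are
constructed, not real telemetry.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def _build_sample():
    # Constructed sample: one "exploitation attempt" per hour from 01:00 to 09:00 UTC on
    # Mon 2023-12-11 through Fri 2023-12-15 (a UTC+8 working day), plus three off-hours
    # events (two evening/night events and one Saturday event) to act as noise.
    events = []
    for day in range(11, 16):
        for hour in range(1, 10):
            events.append(datetime(2023, 12, day, hour, 0, tzinfo=timezone.utc))
    events += [
        datetime(2023, 12, 12, 14, 0, tzinfo=timezone.utc),
        datetime(2023, 12, 13, 20, 0, tzinfo=timezone.utc),
        datetime(2023, 12, 16, 3, 0, tzinfo=timezone.utc),  # Saturday
    ]
    return events


SAMPLE_EVENTS_UTC = _build_sample()


def working_hours_score(events, offset_hours, start_hour=9, end_hour=18):
    """Count events that fall on a weekday between start_hour and end_hour (local time)
    once each UTC timestamp is shifted by offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    score = 0
    for ts in events:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            score += 1
    return score


def best_offsets(events, candidates=range(-12, 15)):
    """Return (list of offsets with the highest working-hours score, that score).
    A list is returned because neighbouring offsets often tie; a tie means the data
    only narrows the time zone down to a band, not a single country."""
    scores = {off: working_hours_score(events, off) for off in candidates}
    top = max(scores.values())
    return [off for off, s in scores.items() if s == top], top


def local_hour_histogram(events, offset_hours):
    """Events per local hour-of-day for a chosen offset; useful as a sanity check that the
    'working day' really is a single contiguous block and not two shifts."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ts.astimezone(tz).hour for ts in events)


if __name__ == "__main__":
    offsets, score = best_offsets(SAMPLE_EVENTS_UTC)
    print(f"best offset(s): {offsets}, {score} of {len(SAMPLE_EVENTS_UTC)} events in hours")
    for hour, n in sorted(local_hour_histogram(SAMPLE_EVENTS_UTC, offsets[0]).items()):
        print(f"{hour:02d}:00 local  {'#' * n}")
```

A single week of timestamps is weak evidence on its own (automation, proxies and shift work all distort it), so this kind of result is only useful alongside independent indicators such as the administrative-connection source addresses Lumen cites below.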


"Our telemetry indicates that there were administrative connections into the known payload servers from IP addresses associated with CT," Danny Adamitis, principal information security engineer at Black Lotus Labs, told The Hacker News.



What's more, the statement from the U.S. Justice Department described the botnet as controlled by "a certain country state-sponsored hackers."


This raises the possibility that the botnet "was created by an organization supporting the Volt Typhoon hackers; whereas if the botnet was created by Volt Typhoon, we suspect they would have said 'nation-state' actors," Adamitis added.


There are also signs that the threat actors established a third related-but-distinct botnet cluster, dubbed x.sh, as early as January 2023. It is composed of Cisco routers infected through the deployment of a web shell named "fys.sh," as highlighted by SecurityScorecard last month.


But with the KV-botnet being just "one form of infrastructure used by Volt Typhoon to obfuscate their activity," the recent wave of actions is expected to prompt the state-sponsored actors to transition to another covert network in order to meet their strategic goals.


"A significant percent of all networking equipment in use around the world is functioning perfectly well, but is no longer supported," English said. "End users have a difficult financial choice when a device reaches that point, and many aren't even aware that a router or firewall is at the end of its supported life.


"Advanced threat actors are well aware that this represents fertile ground for exploitation. Replacing unsupported devices is always the best choice, but not always feasible."


"Mitigation involves defenders adding their edge devices to the long list of those they already have to patch and update as often as available, rebooting devices and configuring EDR or SASE solutions where applicable, and keeping an eye on large data transfers out of the network. Geofencing is not a defense to rely on, when the threat actor can hop from a nearby point."
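One of the mitigations English lists, "keeping an eye on large data transfers out of the network," is worth making concrete, because a compromised edge router relaying traffic for a covert transfer system looks exactly like a device whose outbound volume suddenly departs from its own history. The Python below is an added example written for this page, not code from Lumen or the article: it aggregates flow records per source per day, builds a median daily baseline for each device, and flags any device whose outbound volume on the day under review exceeds both an absolute floor and a multiple of its baseline. The flow records are constructed, and the record layout, the 10x factor and the 50 MB floor are assumptions to tune to your own network.

```python
"""Flag devices whose outbound volume departs sharply from their own daily baseline.

Added example (not from the article or from Lumen). Flow records are constructed;
a real deployment would read NetFlow/IPFIX or firewall session logs instead.
"""
from collections import defaultdict
from statistics import median

BASELINE_DAYS = ["2024-01-08", "2024-01-09", "2024-01-10", "2024-01-11", "2024-01-12"]
CHECK_DAY = "2024-01-15"


def _build_sample():
    # Constructed flows: (date, source, destination, bytes sent outbound).
    # 10.0.0.1 is the edge router, 10.0.0.2 a backup host with large routine transfers,
    # 10.0.0.3 a low-volume host, 10.0.0.4 a device with no history at all.
    flows = []
    for day in BASELINE_DAYS:
        flows.append((day, "10.0.0.1", "203.0.113.10", 1_000_000))
        flows.append((day, "10.0.0.2", "198.51.100.20", 50_000_000))
        flows.append((day, "10.0.0.3", "203.0.113.30", 100_000))
    flows += [
        (CHECK_DAY, "10.0.0.1", "192.0.2.50", 500_000_000),  # router suddenly pushing 800 MB
        (CHECK_DAY, "10.0.0.1", "192.0.2.51", 300_000_000),  # ... across two destinations
        (CHECK_DAY, "10.0.0.2", "198.51.100.20", 60_000_000),  # routine, within 10x of baseline
        (CHECK_DAY, "10.0.0.3", "203.0.113.30", 2_000_000),  # 20x jump but below the floor
        (CHECK_DAY, "10.0.0.4", "192.0.2.52", 90_000_000),  # never seen before
    ]
    return flows


SAMPLE_FLOWS = _build_sample()


def daily_egress(flows):
    """{source: {date: total outbound bytes}} across all destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, src, _dst, nbytes in flows:
        totals[src][date] += nbytes
    return totals


def flag_egress_spikes(flows, baseline_days, check_day, factor=10, min_bytes=50_000_000):
    """Return {source: (bytes on check_day, median daily bytes over baseline_days)} for
    every source whose check_day volume is at least min_bytes AND more than factor times
    its baseline. Days with no flows count as 0, so a device with no history has a
    baseline of 0 and is flagged as soon as it crosses the absolute floor."""
    totals = daily_egress(flows)
    flagged = {}
    for src, per_day in totals.items():
        today = per_day.get(check_day, 0)
        base = median(per_day.get(d, 0) for d in baseline_days)
        if today >= min_bytes and today > factor * base:
            flagged[src] = (today, base)
    return flagged


if __name__ == "__main__":
    for src, (today, base) in flag_egress_spikes(SAMPLE_FLOWS, BASELINE_DAYS, CHECK_DAY).items():
        print(f"{src}: {today / 1e6:.0f} MB out on {CHECK_DAY}, baseline {base / 1e6:.1f} MB/day")
```

The absolute floor keeps low-volume hosts from paging you over a 20x jump on a few megabytes, and the per-device median (rather than a network-wide threshold) is what makes an edge router's first large transfer stand out even when a backup server routinely moves far more. The same logic applies unchanged to flows attributed to a SASE or EDR agent, which is where English suggests collecting them.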


Originally published on the WeChat public account 知机安全: "After the FBI Takedown of the KV-Botnet, the Threat Actors Adjust Their Tactics"

Reposted via CN-SEC中文网 (please keep the link to this article when reposting): https://cn-sec.com/archives/2481394.html