admin 2024年2月8日14:50:09评论16 views字数 5984阅读19分56秒阅读模式


The threat actors behind the KV-botnet made "behavioral changes" to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity.


KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for actors, including Volt Typhoon (aka Bronze Silhouette, Insidious Taurus, or Vanguard Panda).

KV僵尸网络是全球范围内一组受损的小型办公室和家庭办公室(SOHO)路由器和防火墙设备的名称,其中一个特定的群集充当了行为者(包括Volt Typhoon(又称Bronze Silhouette,Insidious Taurus或Vanguard Panda))的秘密数据传输系统。

Active since at least February 2022, it was first documented by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The botnet is known to comprise two main sub-groups, viz. KV and JDY, with the latter principally used for scanning potential targets for reconnaissance.

自2022年2月以来,它至少已经活跃,于2023年12月中旬由Lumen Technologies的Black Lotus Labs团队首次记录。该僵尸网络已知由两个主要子组成,即KV和JDY,后者主要用于对潜在目标进行侦察扫描。

Late last month, the U.S. government announced a court-authorized disruption effort to take down the KV cluster, which is typically reserved for manual operations against high-profile targets chosen after broader scanning via the JDY sub-group.


Now, according to new findings from the cybersecurity firm, the JDY cluster fell silent for roughly fifteen days following public disclosure and as a byproduct of the U.S. Federal Bureau of Investigation (FBI) undertaking.


"In mid-December 2023, we observed this activity cluster hovering around 1500 active bots," security researcher Ryan English said. "When we sampled the size of this cluster in mid-January 2024 its size dwindled to approximately 650 bots."

"在2023年12月中旬,我们注意到该活动群集的活跃僵尸约为1500台,"安全研究员Ryan English表示。"当我们在2024年1月中旬对这个群集的规模进行抽样时,其规模减少到约650台僵尸左右。"

Given that the takedown actions began with a signed warrant issued on December 6, 2023, it's fair to assume that the FBI began transmitting commands to routers located in the U.S. sometime on or after that date to wipe the botnet payload and prevent them from being re-infected.


"We observed the KV-botnet operators begin to restructure, committing eight straight hours of activity on December 8, 2023, nearly ten hours of operations the following day on December 9, 2023, followed by one hour on December 11, 2023," Lumen said in a technical report shared with The Hacker News.

"我们注意到KV僵尸网络的运营商开始进行重组,于2023年12月8日连续进行了八个小时的活动,随后在2023年12月9日进行了近十个小时的操作,之后在2023年12月11日进行了一小时的操作,"Lumen在与The Hacker News分享的技术报告中说。


During this four-day period, the threat actor was spotted interacting with 3,045 unique IP addresses that were associated with NETGEAR ProSAFEs (2,158), Cisco RV 320/325 (310), Axis IP cameras (29), DrayTek Vigor routers (17), and other unidentified devices (531).

在这四天的时间里,威胁行为者被发现与与NETGEAR ProSAFEs(2158)、Cisco RV 320/325(310)、Axis IP摄像机(29)、DrayTek Vigor路由器(17)和其他未经识别的设备(531)相关的3045个唯一IP地址进行交互。

Also observed in early December 2023 was a massive spike in exploitation attempts from the payload server, indicating the adversary's likely attempts to re-exploit the devices as they detected their infrastructure going offline. Lumen said it also took steps to null-route another set of backup servers that became operational around the same time.



It's worth noting that the operators of the KV-botnet are known to perform their own reconnaissance and targeting while also supporting multiple groups like Volt Typhoon. Interestingly, the timestamps associated with exploitation of the bots correlates to a certain country working hours.

值得注意的是,KV僵尸网络的运营商以其自己的侦察和定位而闻名,同时还支持像Volt Typhoon这样的多个组。有趣的是,与僵尸网络的利用时间戳相关的是某一区域的工作时间。

"Our telemetry indicates that there were administrative connections into the known payload servers from IP addresses associated with CT," Danny Adamitis, principal information security engineer at Black Lotus Labs, told The Hacker News.

"我们的遥测表明,存在与CT相关的IP地址从已知的载荷服务器中进行了管理连接,"Black Lotus Labs的首席信息安全工程师Danny Adamitis告诉The Hacker News。


What's more, the statement from the U.S. Justice Department described the botnet as controlled by "a certain country state-sponsored hackers."


This raises the possibility that the botnet "was created by an organization supporting the Volt Typhoon hackers; whereas if the botnet was created by Volt Typhoon, we suspect they would have said 'nation-state' actors," Adamitis added.

这引发了一个可能性,即该僵尸网络"是由支持Volt Typhoon黑客的组织创建的;而如果僵尸网络是由Volt Typhoon创建的,我们怀疑他们会说是'国家'行为者。"Adamitis补充道。

There are also signs that the threat actors established a third related-but-distinct botnet cluster dubbed x.sh as early as January 2023 that's composed of infected Cisco routers by deploying a web shell named "fys.sh," as highlighted by SecurityScorecard last month.

还有迹象表明,威胁行为者在2023年1月早些时候建立了一个第三个相关但独立的僵尸网络群集,该群集被称为x.sh,由感染的Cisco路由器组成,部署了一个名为"fys.sh"的Web shell,正如SecurityScorecard上个月所强调的。

But with KV-botnet being just "one form of infrastructure used by Volt Typhoon to obfuscate their activity," it's expected that the recent wave of actions will prompt the state-sponsored actors to presumably transition to another covert network in order to meet their strategic goals.

但考虑到KV僵尸网络只是Volt Typhoon用于混淆其活动的"基础设施的一种形式",预计最近的行动将促使这些国家赞助的行为者转向另一个秘密网络,以实现他们的战略目标。

"A significant percent of all networking equipment in use around the world is functioning perfectly well, but is no longer supported," English said. "End users have a difficult financial choice when a device reaches that point, and many aren't even aware that a router or firewall is at the end of its supported life.

"全球范围内使用的所有网络设备中,有相当大的一部分工作正常,但不再受支持,"Ryan English表示。"当设备达到这一点时,最好的选择是更换,但这并非总是可行的选择。"

"Advanced threat actors are well aware that this represents fertile ground for exploitation. Replacing unsupported devices is always the best choice, but not always feasible."


"Mitigation involves defenders adding their edge devices to the long list of those they already have to patch and update as often as available, rebooting devices and configuring EDR or SASE solutions where applicable, and keeping an eye on large data transfers out of the network. Geofencing is not a defense to rely on, when the threat actor can hop from a nearby point."



  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
  • 本文由 发表于 2024年2月8日14:50:09
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):


匿名网友 填写信息