A new joint cybersecurity advisory from the Federal Bureau of Investigation, the National Cyber Mission Force, and the National Security Agency exposes new activity by the Flax Typhoon threat actor.
Cyberattackers have compromised more than 260,000 small office and home office (SOHO) routers, firewalls, network-attached storage and Internet of Things devices to create a botnet capable of launching distributed denial of service attacks or targeted attacks on U.S. networks.
Who is Flax Typhoon?
According to Microsoft, Flax Typhoon, also known as RedJuliett and Ethereal Panda, is a China-based threat actor that has been active since at least mid-2021. The tech giant reported that Flax Typhoon has targeted organizations based in Taiwan, as well as other victims in Southeast Asia, North America, and Africa, for cyber espionage purposes.
According to the FBI's joint report, the group supports a China-based company called Integrity Tech, which has ties to the Chinese government.
Flax Typhoon has used several different IP addresses from the Chinese vendor China Unicom Beijing Province to control and manage the botnet. The group has also leveraged these addresses to access other operational infrastructure used in cyber intrusion operations targeting US entities.
Other reports show that China-based threat actors have targeted businesses and governments around the world in recent years.
SEE: Why your company needs cybersecurity awareness training (TechRepublic Premium)
'Raptor Train' botnet
Black Lotus Labs, the threat intelligence team at cybersecurity firm Lumen, published a report on how Flax Typhoon compromised SOHO routers and other devices. They named the botnet resulting from that activity “Raptor Train” and have been tracking it for four years.
The affected devices have been compromised by a variant of the infamous Mirai malware family, making it a weapon of choice for any cybercriminal looking to compromise IoT devices as they could easily modify the code to suit their purpose.
In the variant observed by the FBI, the malware automates the breach of multiple devices by exploiting known vulnerabilities. The oldest exploited vulnerabilities date back to 2015, while the most recent occurred in July 2024. Once breached, the device sends system and network information to a C2 server controlled by the attacker.
As of September 2024, more than 80 subdomains of the w8510.com domain were associated with the botnet.
Nearly half of the affected devices are located in the US.
As of June 2024, management servers running front-end software called “Sparrow,” which allowed attackers to control compromised devices, contained more than 1.2 million records. This includes more than 385,000 unique devices in the US.
A count of infected devices conducted in June 2024 revealed that almost half (47.9%) of infected devices were located in the US, followed by Vietnam (8%) and Germany (7.2%).
More than 50 Linux systems were compromised, ranging from outdated and unsupported versions to currently supported versions, running Linux kernel versions from 2.6 to 5.4.
The Sparrow interface allowed the threat actor to not only enumerate compromised devices, but also manage vulnerabilities and exploits, upload or download files, execute remote commands, and scale IoT-based DDoS attacks.
The devices affected by the botnet are from many brands, including routers from ASUS, TP-LINK, and Zyxel. IP cameras were also affected, such as those from D-LINK DCS, Hikvision, Mobotix, NUUO, AXIS, and Panasonic. NAS from QNAP, Synology, Fujitsu, and Zyxel were also affected.
FBI Director Christopher Wray announced in a keynote address at the 2024 Aspen Cyber Summit that a court order allowed the FBI to issue warrants to remove malware from infected devices.
How can companies protect themselves from the flax typhoon?
The FBI recommends that the following actions be taken quickly:
- Disable unused services and ports on routers and IoT devices. Attackers can abuse services such as Universal Plug And Play or file sharing services, so all services should be disabled if they are not needed.
- Network segmentation should be implemented to ensure that IoT devices do not present an increased risk of vulnerability. The principle of least privilege should be applied so that devices can only perform their intended function.
- Monitor high volumes of network traffic. Organizations must prepare for abnormal traffic volumes that could be subject to DDoS attacks.
- Implement patches and updates for all operating systems, software, and firmware. Regular patching mitigates vulnerability exploitation.
- Replace default device passwords with stronger ones so that an attacker cannot simply log in with the default credentials.
The federal agency also suggested that companies schedule device resets (to remove fileless malware that can run in memory) and replace end-of-life devices with compatible ones.
Divulgation: I work for Trend Micro, but the opinions expressed in this article are my own.