by Howard Solomon

Reveal of Chinese-controlled botnet is another warning to CISOs to keep up with asset and patch management

News | Sep 19, 2024 | 6 min read
Topics: Botnets, Threat and Vulnerability Management, Vulnerabilities

Botnet has up to 260,000 compromised routers, firewalls, IP cameras, and more, says report from Five Eyes countries.

A Chinese-controlled botnet of tens of thousands of unpatched internet-connected firewalls, network attached storage devices, internet-connected surveillance cameras, and small office/home office routers has been revealed by the cyber agencies of the Five Eyes alliance: the US, the UK, Canada, Australia, and New Zealand.

In addition, the US said it got a court order to take down the botnet.

The report, released Wednesday, says the Chinese government-linked Integrity Technology Group (Integrity Tech) has compromised devices in North and South America, Europe, Africa, Southeast Asia, and Australia.

It comes with a warning to CISOs, as well as to vendors, to implement more thorough patch management, to protect their devices from being taken over.

Included in the Integrity Tech botnet are unpatched devices from enterprise hardware manufacturers such as Cisco Systems (its Small Business series routers and Adaptive Security Appliances), Fortinet, and QNAP, as well as applications from software makers like Microsoft (Windows), IBM (Tivoli and WebSphere Application Server), Atlassian (Confluence Data Center and Server), and Apache (applications with the Log4j2 logging code).

The devices are largely being compromised through unpatched vulnerabilities. A number of experts have previously reported that network devices are being compromised because they no longer receive security patches from their manufacturers. In fact, this report notes that some devices and applications in the botnet stopped getting manufacturer support as far back as 2016, and that some affected devices were running Linux kernels as old as version 2.6, whose support ended in 2011.

But the report also notes that many of the compromised devices in the Integrity Tech-controlled botnet are likely still supported by their vendors.

David Shipley, head of Canadian security awareness training provider Beauceron Security, said in an interview that the report shows the need for more jurisdictions to follow the lead of the European Union’s Cyber Resilience Act. It puts cybersecurity requirements on manufacturers of products that connect to the internet.

Ideally, any internet-connected device should be automatically patched, he said. And, he added, firmware of hardware devices like routers and switches should include code defining when they come to end-of-life and automatically issue a warning to administrators when that date approaches – and when it passes, the device turns off.

“Some might argue that introduces a vulnerability,” he admitted, “but if we’re talking about the growing societal risk of unpatched devices, I think the trade-off is worth it.”

The Integrity Tech botnet has varied in size since 2021, the report says. As of June, it linked to over 260,000 devices – and almost half of them were located in the US.

The exposure of this botnet is the latest effort to disrupt or dismantle networks of compromised devices. In May, the US and other cyber agencies took apart the 911 S5 botnet that had infected computers in nearly 200 countries. Their hijacked IP addresses were used to create a proxy service cyber crooks could use to hide their online criminal activity.

The Integrity Tech botnet uses the Mirai family of malware to hijack IoT devices running Linux-based operating systems, such as webcams, DVRs, IP cameras, and routers.

A brief history of botnets

The Mirai source code was posted publicly on the internet in 2016, resulting in other hackers creating their own botnets based on the malware. Since then, several Mirai botnets have been used to conduct distributed denial of service attacks (DDoS) and other malicious activities, says the report.

It says Integrity Tech has used China Unicom Beijing Province Network IP addresses to control and manage the botnet.

In addition to managing the botnet, these same China Unicom Beijing Province Network IP addresses were used to access other operational infrastructure employed in computer intrusion activities against US victims, the report says. According to the FBI, this activity is consistent with the tactics, techniques, and infrastructure associated with the cyber threat group known by other researchers as Flax Typhoon, RedJuliett, and Ethereal Panda.

Raptor Train botnet

Also on Wednesday, researchers at Lumen Technologies released their report on Flax Typhoon. They dubbed the botnet Raptor Train; it has similar characteristics to the Integrity Tech botnet and is a network of tens of thousands of compromised devices.

This report says the botnet has targeted organizations in the US and Taiwan, including military, government, higher education, telecommunications, defense industrial base, and information technology (IT) sectors. In addition, the Lumen researchers have seen possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances that have sprung from nodes associated with this botnet.

The Lumen report contains details about the botnet’s tiers and campaigns.

Goldoon botnet

In another example of a threat actor taking advantage of unpatched devices, earlier this year Fortinet reported on a new botnet of compromised D-Link routers that hadn’t been patched for a 2015 vulnerability.

Mitigation recommendations

The FBI recommends network defenders:

  • Replace end-of-life equipment with devices that are supported by manufacturers;
  • Apply patches and updates, including software and firmware updates;
  • Disable unused services and ports, such as automatic configuration, remote access, or file sharing protocols. Routers and IoT devices may provide features such as Universal Plug and Play (UPnP), remote management options, and file sharing services, which threat actors may abuse to gain initial access or to spread malware to other networked devices. Disable these features if not needed;
  • Implement network segmentation to ensure IoT devices within a larger network pose known, limited, and tolerable risks. Use the principle of least privilege to provide devices with just enough connectivity to perform their intended function;
  • Monitor for abnormally high network traffic volume;
  • Replace default passwords with strong passwords. Many IoT products implement a device administration password in addition to other account passwords. Ensure all passwords are changed from their defaults, using a strong password policy. If possible, disable password hints;
  • Plan for device reboots. Rebooting a device terminates all running processes, which may remove specific types of malware, such as “fileless” malware that runs in the host’s memory.
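Of the recommendations above, "monitor for abnormally high network traffic volume" is the one that calls for detection logic rather than a configuration change. The following is an added example (not from the FBI advisory, the Lumen report, or this article) that builds a robust per-device baseline from hourly outbound byte totals and flags a device whose latest hour surges the way a Mirai-style DDoS node does; the simplified flow format, device names, sample values and thresholds are all constructed assumptions:

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow summary, one line per device-hour, oldest first:
# "<hour> <device> <bytes_out>". cam-01 surges in its final hour; nas-01 is near idle.
SAMPLE_FLOWS = """\
2024-09-18T00 cam-01 1200000
2024-09-18T01 cam-01 1100000
2024-09-18T02 cam-01 1300000
2024-09-18T03 cam-01 1150000
2024-09-18T04 cam-01 48000000
2024-09-18T00 router-01 9500000
2024-09-18T01 router-01 10200000
2024-09-18T02 router-01 9800000
2024-09-18T03 router-01 10000000
2024-09-18T04 router-01 10500000
2024-09-18T00 nas-01 0
2024-09-18T01 nas-01 0
2024-09-18T02 nas-01 0
2024-09-18T03 nas-01 0
2024-09-18T04 nas-01 200000
"""

def parse_flows(text):
    """Return {device: [bytes_out, ...]} preserving line order (oldest first)."""
    per_device = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            _hour, device, bytes_out = line.split()
            per_device[device].append(int(bytes_out))
    return per_device

def robust_baseline(history):
    """Median and median absolute deviation (MAD) of a device's past hours;
    unlike mean/stddev, a single earlier burst barely moves this baseline."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    return med, mad

def find_anomalies(per_device, k=6.0, min_abs_delta=5_000_000, min_history=4):
    """Flag devices whose latest hour exceeds median + k*MAD and also exceeds the
    median by min_abs_delta bytes; the floor keeps a near-idle device (MAD 0) quiet."""
    findings = {}
    for device, series in per_device.items():
        if len(series) <= min_history:
            continue  # not enough history to build a baseline
        *history, latest = series
        med, mad = robust_baseline(history)
        threshold = med + k * mad
        if latest > threshold and latest - med >= min_abs_delta:
            findings[device] = {"latest": latest, "median": med, "threshold": threshold}
    return findings
```

Running `find_anomalies(parse_flows(SAMPLE_FLOWS))` flags only cam-01; router-01 stays within its baseline and nas-01 is held back by the absolute floor.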