A recent report from SecurityScorecard reveals that a Chinese state hacking group known as “Volt Typhoon” is actively targeting government entities in the United States, the United Kingdom, and Australia. The cyberespionage hackers are exploiting vulnerabilities disclosed in early 2019 to compromise Cisco RV320 and RV325 small office and home office routers.
Key Findings:
- Over 37 days, Volt Typhoon compromised nearly one-third of vulnerable Cisco routers.
- The hacking group, also referred to as Bronze Silhouette, is developing new infrastructure, indicating preparation for renewed activity.
- Infected routers have been observed contacting IP addresses not previously associated with Volt Typhoon.
Cisco’s Response and Discontinuation:
In 2019, Cisco released patches for the vulnerability (CVE-2019-1653) exploited by Volt Typhoon. However, the hacking group likely found that the original patch did not resolve the issue. Cisco discontinued the affected routers in January 2020, ceasing new sales, and stopped issuing firmware updates for new vulnerabilities a year later.
Small office and home office (SOHO) routers are attractive targets for hackers due to owners’ reluctance to install updates. A 2018 survey in the UK revealed that 86% of respondents never updated their firmware, with 82% continuing to use the preconfigured admin password.
Microsoft’s Warning and Identification:
Microsoft identified Volt Typhoon in March 2023, warning that the hacking group targets critical infrastructure in Guam and the United States. The threat actor employs compromised routers to proxy internet traffic, enhancing its ability to evade detection.
Indicators of Compromise:
- Presence of the web shell “fy.sh” on compromised routers.
- The web shell is retrieved and executed from a payload server that went offline recently.
SecurityScorecard notes that while there are no publicly available examples of the “fy.sh” web shell, two unrelated files with the same name appear on VirusTotal. In December, Lumen’s Black Lotus Labs identified Volt Typhoon activity, revealing the use of Netgear ProSafe firewalls as relay nodes during the cyberespionage campaign from July 2022 to February 2023.
Continued Threat Landscape:
As the cybersecurity community grapples with the ongoing revelations of Chinese hacking activities, it is evident that security appliance and router manufacturers, along with Microsoft, find themselves in a persistent struggle against Beijing in the zero-day contest.
FBI Director Christopher Wray emphasized the scale of China’s hacking program, stating in September that “China already has a bigger hacking program than every other major nation combined.”
Web Shell Indicator – “fy.sh”:
A distinctive indicator of a Volt Typhoon compromise on a router is the presence of a previously unspecified web shell known as “fy.sh.” Infected routers retrieve and execute this web shell from a payload server that has been offline since Monday.
SecurityScorecard acknowledges that publicly available examples of the “fy.sh” web shell have not been found. However, two files with the same name on VirusTotal appear unrelated to the Volt Typhoon campaign.
Recent Activities and Tactics:
Recent activities of Volt Typhoon involve the use of Netgear ProSafe firewalls as relay nodes. Lumen’s Black Lotus Labs discovered that these firewalls were utilized between July 2022 and February 2023 to act as relays for networks compromised by the Chinese state hackers, showcasing the adaptability and evolving tactics of Volt Typhoon.
The threat actor’s ability to proxy internet traffic through compromised routers further underscores its commitment to remaining covert and increasing the difficulty of detection, particularly as it targets critical infrastructure in Guam, home to major American military bases.