Volt Typhoon Targets Legacy Cisco Routers in New Campaign

Garden State Cyber Threat Highlight

Original Release Date: 1/25/2024

Summary

A Chinese state-backed hacking group is targeting legacy devices, primarily Cisco routers, to expand its attack infrastructure in a new campaign that marks a notable strategic shift in its threat activity. Volt Typhoon, an emerging advanced persistent threat (APT) group identified last year, is exploiting two known vulnerabilities, CVE-2019-1653 and CVE-2019-1652, to compromise Cisco RV320/325 routers that were discontinued in 2019. Neither vulnerability has a patch available. In its latest campaign, the threat group is leveraging a botnet of compromised small office/home office (SOHO) devices linked to previous attacks attributed to Volt Typhoon. Notably, Volt Typhoon’s botnet infrastructure communicated with 27 IP addresses that host 69 sites belonging to government entities in the United States, the United Kingdom, and Australia.

New Indicators of Compromise (IOCs) and Shifting Tactics

SecurityScorecard’s STRIKE team released a report detailing its research into the group’s latest campaign after discovering that the group compromised approximately 30 percent of the Cisco RV320/325 routers observed by the team over a 37-day period. Of the 1,116 target devices analyzed, the team identified 325 devices communicating with two IP addresses of known proxies used by Volt Typhoon actors. The threat group is also deploying a custom web shell to maintain access to the compromised devices, which can be identified by the filename “fy.sh.”

Additionally, the STRIKE team uncovered multiple new IP addresses potentially linked to the group’s activity, providing further evidence of the threat group’s intent to develop new attack infrastructure.


While Volt Typhoon continues to target SOHO devices, which are better for concealing malicious traffic, the group has shifted towards targeting legacy systems. The targeted Cisco routers are currently impacted by 35 vulnerabilities that may be left unaddressed. This tactic represents a significant shift, as focusing on end-of-life devices requires knowledge of older systems and associated vulnerabilities, which may not be widely known.

Recommendations

The NJCCIC advises organizations to upgrade Cisco RV320/325 routers and other end-of-life devices where possible, patch vulnerable devices against known vulnerabilities, employ a defense-in-depth cybersecurity strategy, and continuously monitor networks to identify suspicious activity. Follow cybersecurity best practices and run intrusion detection systems, as well as endpoint detection and response tools. Additional information can be found in SecurityScorecard’s full report, including newly identified IOCs and artifacts associated with Volt Typhoon’s threat activity.
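The IOCs above are published in defanged form (“a.b.c[.]d”), and the monitoring recommendation amounts to checking outbound traffic against them. The following is an added example, not code from the advisory or from SecurityScorecard, that refangs such a list and matches it against constructed firewall log lines; the indicator values and log lines are constructed placeholders (RFC 5737 documentation addresses), not the real IOCs.

```python
import re
from collections import defaultdict

# Constructed placeholder indicators in the advisory's defanged "a.b.c[.]d"
# notation. These are documentation addresses, not the published IOCs.
DEFANGED_IOCS = [
    "203.0.113[.]45",
    "198.51.100[.]7",
    "192.0.2[.]250",
]

# Constructed firewall log lines: src is an internal host, dst the remote peer.
SAMPLE_LOGS = """\
2024-01-20T03:14:07Z fw01 action=allow src=10.0.5.21 dst=203.0.113.45 dport=443
2024-01-20T03:14:09Z fw01 action=allow src=10.0.5.21 dst=93.184.216.34 dport=443
2024-01-20T03:15:11Z fw01 action=allow src=10.0.7.8 dst=198.51.100.7 dport=8443
2024-01-20T03:16:02Z fw01 action=deny src=10.0.5.21 dst=203.0.113.45 dport=22
2024-01-20T03:17:30Z fw01 action=allow src=10.0.9.3 dst=8.8.8.8 dport=53
"""

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_FIELD = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4' or '1.2.3(.)4') back into its
    routable form, rejecting anything that is not a valid IPv4 address."""
    ip = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    if not _IPV4.match(ip) or any(int(o) > 255 for o in ip.split(".")):
        raise ValueError(f"not an IPv4 indicator: {indicator!r}")
    return ip


def match_logs(log_text: str, defanged_iocs) -> dict:
    """Return {src_host: [(timestamp, dst, dport, action), ...]} for every log
    line whose destination is in the refanged indicator set, so each internal
    host that contacted listed infrastructure can be triaged."""
    iocs = {refang(i) for i in defanged_iocs}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp = line.split(" ", 1)[0]
        fields = dict(_FIELD.findall(line))
        if fields.get("dst") in iocs:
            hits[fields["src"]].append(
                (timestamp, fields["dst"], fields.get("dport"), fields.get("action")))
    return dict(hits)


if __name__ == "__main__":
    for src, events in match_logs(SAMPLE_LOGS, DEFANGED_IOCS).items():
        print(f"{src}: {len(events)} connection(s) to listed indicators")
        for timestamp, dst, dport, action in events:
            print(f"  {timestamp} -> {dst}:{dport} ({action})")
```

Denied connections are reported alongside allowed ones on purpose: a blocked attempt to reach listed infrastructure is still a sign the source host should be examined.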

New Jersey Cybersecurity & Communications Integration Cell
