
The National Cyber Security Centre (NCSC) and the Digital Trust Center (DTC) have recently issued a warning about a large Chinese botnet that has infected over 200,000 devices worldwide, including several thousand in the Netherlands. This botnet consists of a wide range of Small Office/Home Office (SOHO) devices, such as internet modems, routers, and various Internet of Things (IoT) devices. The FBI, the Cyber National Mission Force (CNMF), and the National Security Agency (NSA) have discovered this botnet and issued advice to prevent further damage.
TL;DR
- Botnet Size: Over 200,000 devices globally, including several thousand in the Netherlands.
- Devices: Internet modems, routers, and IoT devices.
- Advice: Check and update SOHO equipment, and practice good basic hygiene.
- Relevance: Especially important for system administrators and security professionals.
Technical Details of the Botnet
The botnet infects devices by exploiting known vulnerabilities in SOHO equipment. The FBI has determined that the botnet is managed from IP addresses registered to China Unicom, a Chinese telecommunications company. These IP addresses have previously been used in other cyberattacks on American networks, carried out by threat groups tracked as Flax Typhoon, RedJuliett, and Ethereal Panda.
Vulnerabilities and Exploitation
The cybercriminals use the Mirai malware family, which is specifically designed to infect IoT devices such as webcams, routers, and IP cameras. Mirai's source code was publicly released online in 2016, after which various actors developed their own variants and built their own botnets from it. This specific botnet uses a customized version of Mirai to control the infected devices.
Botnet Management via ‘Sparrow’
The botnet is managed via a system called ‘Sparrow’, an application that allows cybercriminals to control infected devices and issue commands. Through this application, the criminals can launch DDoS attacks or add new devices to the botnet. In June 2024, Sparrow’s databases contained more than 1.2 million records of infected devices, of which 385,000 were from the United States.
Relevance for the Target Audience
For Red Teamers and Blue Teamers, this botnet is an important case to study: it provides insight into the methods cybercriminals use to exploit IoT devices. For SOC Analysts and Threat Intel Researchers, it is crucial to know the indicators of compromise (IoCs) of this botnet and to monitor for them. System administrators should ensure that all devices are up to date and that unused services and ports are disabled.
Remediation Steps
- Updates: Install updates for all SOHO equipment promptly.
- Network Segmentation: Place IoT devices on a separate network segment so they cannot reach the rest of the network directly.
- Monitoring: Monitor network traffic for suspicious activity, such as connections to known IoCs or scanning behaviour originating from IoT devices.
- Passwords: Use strong passwords and change default passwords.
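The monitoring and segmentation steps above, and the IoC monitoring mentioned for SOC analysts, can be turned into a small triage script. The following is an added example written for this page; it is not code from the NCSC, DTC, or any of the cited sources. Everything in it is assumed: the CSV flow-log format, the IoT segment 10.20.0.0/24, the egress allow-list (a vendor cloud range and a local resolver), and the IoC address, which is a constructed placeholder to be replaced with indicators from the advisory feed you actually use. The telnet ports it watches (23 and 2323) are the ones Mirai-family worms are known to probe when looking for new victims.

```python
"""
Added example: flow-log triage for an IoT segment.

Applies three defender-side rules to constructed sample flows:
  1. any host contacting a known IoC address (hypothetical placeholder list),
  2. IoT devices reaching destinations outside their egress allow-list
     (the segmentation rule enforced as a detection),
  3. one IoT device probing many distinct hosts on telnet ports, the
     worm-style scanning behaviour typical of Mirai variants.
All addresses, ranges and log lines here are constructed assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")          # assumed IoT VLAN
EGRESS_ALLOW = {                                             # assumed allow-list
    ipaddress.ip_network("10.0.0.53/32"),      # local DNS resolver
    ipaddress.ip_network("203.0.113.0/24"),    # vendor cloud (TEST-NET-3, constructed)
}
IOC_IPS = {ipaddress.ip_address("198.51.100.77")}   # placeholder, not a real C2
TELNET_PORTS = {23, 2323}   # ports Mirai-family worms probe for new victims
SCAN_THRESHOLD = 5          # distinct telnet targets before we call it a scan

# Constructed sample flows: "timestamp,src_ip,dst_ip,dst_port,proto".
SAMPLE_FLOWS = """timestamp,src_ip,dst_ip,dst_port,proto
2024-09-18T10:00:01Z,10.20.0.15,203.0.113.10,443,tcp
2024-09-18T10:00:02Z,10.20.0.15,10.0.0.53,53,udp
2024-09-18T10:00:05Z,10.20.0.42,198.51.100.77,443,tcp
2024-09-18T10:00:06Z,10.20.0.42,10.10.0.1,23,tcp
2024-09-18T10:00:06Z,10.20.0.42,10.10.0.2,23,tcp
2024-09-18T10:00:06Z,10.20.0.42,10.10.0.3,2323,tcp
2024-09-18T10:00:07Z,10.20.0.42,10.10.0.4,23,tcp
2024-09-18T10:00:07Z,10.20.0.42,10.10.0.5,23,tcp
2024-09-18T10:00:07Z,10.20.0.42,10.10.0.6,23,tcp
2024-09-18T10:00:09Z,10.0.0.10,198.51.100.77,443,tcp
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed IP addresses and ports."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": r["timestamp"],
            "src": ipaddress.ip_address(r["src_ip"]),
            "dst": ipaddress.ip_address(r["dst_ip"]),
            "port": int(r["dst_port"]),
            "proto": r["proto"],
        })
    return rows


def egress_allowed(dst):
    """True if the destination falls inside one of the allow-listed ranges."""
    return any(dst in net for net in EGRESS_ALLOW)


def triage(flows):
    """Run the three rules and return the findings as plain data."""
    ioc_hits = []
    violations = set()
    telnet_targets = defaultdict(set)
    for f in flows:
        # Rule 1: IoC contact is flagged for every source, not just the IoT VLAN.
        if f["dst"] in IOC_IPS:
            ioc_hits.append((f["ts"], str(f["src"]), str(f["dst"])))
        if f["src"] not in IOT_SEGMENT:
            continue  # segmentation and scan rules apply only to IoT devices
        # Rule 2: IoT devices may only talk to peers in their segment or the allow-list.
        if f["dst"] not in IOT_SEGMENT and not egress_allowed(f["dst"]):
            violations.add((str(f["src"]), str(f["dst"]), f["port"]))
        # Rule 3: count distinct telnet targets per IoT source.
        if f["port"] in TELNET_PORTS:
            telnet_targets[f["src"]].add(f["dst"])
    scanners = {str(src): len(targets)
                for src, targets in telnet_targets.items()
                if len(targets) >= SCAN_THRESHOLD}
    return {
        "ioc_hits": ioc_hits,
        "egress_violations": sorted(violations),
        "telnet_scanners": scanners,
    }


if __name__ == "__main__":
    findings = triage(parse_flows(SAMPLE_FLOWS))
    for name, items in findings.items():
        print(f"{name}: {items}")
```

Each rule maps to one remediation step: the IoC check is the monitoring advice, the egress rule turns the segmentation policy into something you can alert on when a device breaks it, and the telnet-target count catches a compromised device before it finishes recruiting its neighbours. In the sample data the device 10.20.0.42 trips all three rules, while 10.20.0.15 stays within its allow-list and produces nothing.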
Conclusion
The discovery of this botnet underscores the importance of good cyber hygiene and of updating equipment promptly. For system administrators and security professionals in particular, following the recommendations of the NCSC and DTC is essential to prevent further infections. It remains important to stay alert to new threats and to act proactively to increase digital resilience.
References
- [^1]: “Dutch Devices Part of Chinese Botnet”. NCSC. 18 September 2024.
- [^2]: “US Accuses Chinese Company of Massive Router and IoT Botnet”. Security.NL. 18 September 2024.
- [^3]: “China Hacks 2,700 Dutch IoT Devices”. Computable.nl. 19 September 2024.
- [^4]: “Thousands of Dutch Smart Devices Affected by Chinese Malware”. Veiliginternetten.nl. 19 September 2024.