Source | RiskIQ
Identifier | 8580701
Publication date | 2024-09-20 17:30:25 (seen: 2024-09-20 18:18:15)
Title | Chinese botnet infects 260,000 SOHO routers, IP cameras with malware
Text |
## Snapshot
Black Lotus Labs has discovered a large, multi-tiered botnet they refer to as Raptor Train, which is operated by the Chinese nation-state threat actors that Microsoft tracks as [Flax Typhoon](https://security.microsoft.com/intel-profiles/1d86849881abbb395d908d2739d9ad57e901d557fa8c25e0b3fd281e13764ff0). The botnet consists of small office/home office (SOHO) and IoT devices, and at its peak in June 2023, it consisted of over 60,000 actively compromised devices.
## Description
Since June, more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras have been compromised, making this one of the largest Chinese state-sponsored IoT botnets discovered to date. The botnet operators manage this large and varied network through a series of distributed payload and C2 servers, a centralized Node.js backend, and a cross-platform Electron application front-end that the actors have dubbed “Sparrow.”
The botnet has targeted entities in the U.S. and Taiwan across various sectors, including military, government, higher education, telecommunications, defense industrial base, and IT. The Raptor Train botnet is a complex, multi-tiered network that has been evolving over the last four years. Black Lotus Labs has observed at least three tiers of activity, and several categories within each tier. During operations, bot tasks are initiated from Tier 3 “Sparrow” management nodes, which are then routed through the appropriate Tier 2 C2s and then sent to the bots themselves in Tier 1. The primary implant seen on most of the Tier 1 nodes, which Black Lotus Labs calls “Nosedive”, is a custom variation of the Mirai implant that is supported on all major SOHO and IoT architectures.
## Microsoft Analysis
The actor Microsoft tracks as [Flax Typhoon](https://security.microsoft.com/intel-profiles/1d86849881abbb395d908d2739d9ad57e901d557fa8c25e0b3fd281e13764ff0) is a nation-state group from China, active since mid-2021. Flax Typhoon primarily targets sectors in Taiwan such as government, education, critical manufacturing, and IT, with occasional activities observed in Southeast Asia, North America, and Africa. Microsoft has [previously identified](https://security.microsoft.com/intel-explorer/articles/3a50641d) a pattern of malicious activity by Flax Typhoon targeting Taiwanese organizations and predicted that the techniques used could potentially be used globally. Their operations aim to infiltrate and maintain long-term access within targeted industries for ongoing espionage.
## Recommendations
**Microsoft recommends the following mitigations to reduce the impact of botnets.**
- [Restrict automatic prompts](https://support.microsoft.com/en-us/windows/automatic-file-download-notifications-in-windows-dc73c9c9-1b4c-a8b7-8d8b-b471736bb5a0) for non-user-initiated file downloads.
- [Enable Safe Links](https://learn.microsoft.com/en-us/powershell/module/exchange/enable-safelinksrule?view=exchange-ps) protection for links in email messages.
- [Enable Safe Attachments](https://learn.microsoft.com/en-us/powershell/module/exchange/set-safeattachmentrule?view=exchange-ps) in block mode.
- Enable [Zero-hour auto purge (ZAP)](https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge) in Office 365 to quarantine sent mail in response to newly-acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
- Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/en-us/defender-endpoint/edr-in-block-mode) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
**Mitigation and protection guidance**
Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet.
Notes | ★★
Sent | Yes
Tags | Spam, Malware, Tool, Vulnerability, Threat, Industrial