FBI Confirms China-Linked Attack Targets 260,000 Devices

A joint cybersecurity advisory issued by the FBI, the Cyber National Mission Force (CNMF), and the National Security Agency (NSA) details the activity of the China-linked threat group Flax Typhoon. The group has compromised more than 260,000 Small Office/Home Office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices, assembling a botnet that can launch Distributed Denial of Service (DDoS) attacks and serve as infrastructure for targeted intrusions against U.S. networks.

Who is Flax Typhoon?

Flax Typhoon, also tracked as RedJuliett and Ethereal Panda, is a China-based threat actor that has been active since at least mid-2021, according to Microsoft. The group has focused its cyberespionage efforts on organizations in Taiwan and has extended its reach to victims in Southeast Asia, North America, and Africa. According to the FBI advisory, the botnet is operated by a China-based company, Integrity Technology Group (Integrity Tech), which is assessed to have ties to the Chinese government.

The group has managed its botnet from multiple IP addresses belonging to the Chinese provider China Unicom Beijing Province. The same addresses have been used to reach other operational infrastructure involved in intrusions against U.S. entities. Recent reporting indicates that China-based threat actors are increasingly targeting businesses and government organizations around the globe.

The “Raptor Train” Botnet

Black Lotus Labs, the threat intelligence division of Lumen, has reported on Flax Typhoon's exploitation of SOHO routers and other devices. They track the resulting botnet as "Raptor Train" and say it has been active for roughly four years. Infected devices run a variant of the Mirai malware family, whose code has been repeatedly adapted by different operators for new campaigns.

The malware described by the FBI compromises devices automatically by exploiting known, publicly disclosed vulnerabilities; the oldest of these dates from 2015 and the most recent from July 2024, so up-to-date firmware would have closed most of the doors used. Once compromised, a device connects to an attacker-controlled command and control (C2) server, receives commands from it, and reports its system and network information back. As of September 2024, more than 80 subdomains of w8510.com had been linked to the botnet's C2 infrastructure.

Scope of Infection

As of June 2024, management servers running the front-end application "Sparrow," which the operators used to control compromised devices, held more than 1.2 million records of compromised devices, including more than 385,000 unique devices located in the U.S. A review of infected devices in June showed that nearly half (47.9%) were in the U.S., followed by Vietnam (8%) and Germany (7.2%).

The compromised devices ran more than 50 different Linux operating system versions, from unsupported, outdated builds to currently supported releases, on kernels ranging from 2.6 through 5.4. The Sparrow interface let the operators not only list compromised devices but also manage the vulnerabilities used to recruit them, execute remote commands, upload and download files, and orchestrate large-scale IoT-based DDoS attacks.

The compromised devices include a variety of brands, such as ASUS, TP-LINK, and Zyxel routers, as well as IP cameras from manufacturers like D-LINK, Hikvision, Mobotix, NUUO, AXIS, and Panasonic. Network-attached storage (NAS) systems from QNAP, Synology, Fujitsu, and Zyxel were also targeted.

Notably, FBI Director Christopher Wray announced during the 2024 Aspen Cyber Summit that a court-authorized operation allowed the FBI to send commands to the infected devices that disabled the botnet malware. Removing the implant does not close the vulnerability it came in through, so a device that is not patched, reconfigured or replaced remains exposed to reinfection.

Recommendations for Businesses

To guard against the Flax Typhoon threat, the FBI recommends the following actions be taken immediately:

  1. Disable Unused Services and Ports: Turn off services like Universal Plug and Play (UPnP) and file sharing if not in use to prevent abuse by attackers.
  2. Implement Network Segmentation: Ensure IoT devices are segregated to minimize risk, adhering to the principle of least privilege so devices can only perform intended actions.
  3. Monitor Network Traffic: Watch for unusually high outbound traffic volumes or connections to unfamiliar hosts, which can indicate that a device is participating in DDoS attacks or checking in with a C2 server.
  4. Deploy Regular Patches and Updates: Keep all operating systems, software, and firmware updated to remediate existing vulnerabilities.
  5. Strengthen Device Passwords: Replace default passwords with strong, unique credentials to prevent attackers from gaining easy access.

The FBI also advises businesses to schedule routine device reboots to clear malware that runs only in memory and does not persist across a restart, and to replace end-of-life equipment that no longer receives firmware updates.
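The hunt below is an added example, not code from the advisory, the Lumen report or any vendor tool. It applies recommendation 3 to the one network indicator the advisory names, the w8510.com parent domain: it flags internal hosts that query any subdomain of it in a DNS resolver log, flags hosts whose outbound packet counts in a flow export look like DDoS participation, and ranks hosts that show both signals first. The log lines, subdomain labels, internal addresses, packet counts and the 20,000-packet threshold are all constructed for the example; only the parent domain comes from the advisory.

```python
from __future__ import annotations

import csv
import io
import re
from collections import defaultdict

# Parent C2 domain named in the FBI advisory (80+ subdomains as of Sept 2024).
# Everything else in this block is an assumption made for the example.
C2_PARENT_DOMAINS = ("w8510.com",)

# Constructed dnsmasq-style query log, not a real capture.  The subdomain
# labels and client addresses are invented; only the parent domain is real.
DNS_LOG = """\
Sep 18 10:01:02 gw dnsmasq[812]: query[A] time.cloudflare.com from 192.168.10.21
Sep 18 10:01:07 gw dnsmasq[812]: query[A] abc123.w8510.com from 192.168.10.44
Sep 18 10:01:09 gw dnsmasq[812]: query[A] w8510.com.not-the-c2.net from 192.168.10.50
Sep 18 10:02:15 gw dnsmasq[812]: query[A] update.example-nas.com from 192.168.10.44
Sep 18 10:02:31 gw dnsmasq[812]: query[AAAA] xyz.w8510.com from 192.168.10.60
"""

# Constructed per-flow summary for one 60-second export window (assumed),
# in the shape of a NetFlow/IPFIX CSV export.  All values are invented.
FLOW_LOG = """\
src,dst,proto,dport,packets,bytes
192.168.10.21,104.16.0.1,tcp,443,120,98000
192.168.10.44,203.0.113.9,udp,53,48000,3072000
192.168.10.44,203.0.113.9,tcp,80,61000,4880000
192.168.10.77,198.51.100.5,udp,123,52000,3328000
192.168.10.50,93.184.216.34,tcp,443,300,250000
"""

DNS_RE = re.compile(r"query\[\w+\] (?P<qname>\S+) from (?P<client>\S+)")


def is_c2_domain(qname: str) -> bool:
    """True if qname is a C2 parent domain or any subdomain of one.

    Matching is done on label boundaries (exact match, or '.' + domain as a
    suffix), so 'w8510.com.not-the-c2.net' is not flagged the way a naive
    substring test would flag it.  Case and a trailing dot are normalised.
    """
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_PARENT_DOMAINS)


def find_c2_lookups(dns_log: str) -> list[tuple[str, str]]:
    """Return (client, qname) for every DNS query that hits a C2 domain."""
    hits = []
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and is_c2_domain(m["qname"]):
            hits.append((m["client"], m["qname"]))
    return hits


def find_ddos_sources(flow_csv: str, pps_threshold: int = 20_000) -> dict[str, int]:
    """Sum packets per internal source over the window and return the sources
    above the threshold.  20k packets per window is an assumed ceiling for a
    SOHO camera or NAS; derive the real value from your own baseline."""
    totals: dict[str, int] = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        totals[row["src"]] += int(row["packets"])
    return {src: n for src, n in totals.items() if n > pps_threshold}


def triage(dns_log: str, flow_csv: str, pps_threshold: int = 20_000) -> list[tuple[str, list[str]]]:
    """Merge both signals per host; hosts with more independent reasons first,
    ties broken by address so the output is stable."""
    reasons: dict[str, list[str]] = defaultdict(list)
    for client, qname in find_c2_lookups(dns_log):
        reasons[client].append(f"DNS lookup of C2 domain {qname}")
    for src, pkts in find_ddos_sources(flow_csv, pps_threshold).items():
        reasons[src].append(f"{pkts} packets sent in one window (possible DDoS participation)")
    return sorted(reasons.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for host, why in triage(DNS_LOG, FLOW_LOG):
        print(host, "->", "; ".join(why))
```

Two design points matter here. Matching the domain on label boundaries rather than as a substring keeps lookalike names such as `w8510.com.not-the-c2.net` out of the alert queue, and normalising case and the trailing dot keeps `W8510.COM.` in it. Aggregating packets per source across all of a host's flows catches a device that spreads its flood over several destinations or protocols, which a per-flow threshold would miss. The DNS check only helps when the implant resolves its C2 by name; a build that carries hard-coded addresses, such as the China Unicom ranges the advisory describes, will show up only in the flow data, so the two signals should be run together rather than either one alone.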

Disclosure: I am employed by Trend Micro, but the opinions expressed in this article are solely my own.
