NCSC and partners issue advice to counter China-linked campaign targeting thousands of devices
The UK and international allies are urging individuals and organisations to take protective action after exposing a global network of compromised internet-connected devices operated by a China-linked company and used for malicious purposes.
The National Cyber Security Centre (NCSC) – a part of GCHQ – has today (Wednesday) issued a new advisory alongside partners in the United States, Australia, Canada, and New Zealand which reveals how a company based in China with links to China’s government has managed a botnet consisting of over 260,000 compromised devices around the world.
A botnet is a network of internet-connected devices that are infected with malware and controlled by a group to conduct co-ordinated cyber attacks without the owners’ knowledge.
The compromised devices include routers, firewalls, and Internet of Things (IoT) devices – including webcams and CCTV cameras – which can then be used by the actors for a variety of malicious purposes, such as anonymous malware delivery and distributed denial of service (DDoS) attacks.
The advisory names Integrity Technology Group as responsible for controlling and managing the botnet, which has been active since mid-2021, and has been utilised by the malicious cyber actor commonly known as Flax Typhoon.
The advisory shares technical details and mitigation advice to help defend against malicious activity delivered through this botnet. It also highlights the risk to owners of unpatched and end-of-life equipment, which can be exploited by malicious cyber actors and recruited into the botnet.
Paul Chichester, NCSC Director of Operations, said:
“Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks.
“Whilst the majority of botnets are used to conduct co-ordinated DDoS attacks, we know that some also have the ability to steal sensitive information.
“That’s why the NCSC, along with our partners in Five Eyes countries, is strongly encouraging organisations and individuals to act on the guidance set out in this advisory – which includes applying updates to internet-connected devices – to help prevent their devices from joining a botnet.”
As with similar botnets, the botnet described in this advisory is composed of a network of devices, known as bots, which are infected with a type of malware that provides threat actors with unauthorised remote access.
To recruit a new ‘bot’, the botnet system first compromises an internet-connected device using an exploit for a known vulnerability, then uses that access to execute a payload that connects the device to the operators’ command and control infrastructure.
This advisory has been co-sealed by the NCSC and agencies in the United States, Australia, Canada, and New Zealand.
Technical Info
The botnet uses the Mirai family of malware, designed to hijack IoT devices such as webcams, DVRs, IP cameras, and routers running Linux-based operating systems. The Mirai source code was posted publicly on the Internet in 2016, resulting in other hackers creating their own botnets based on the malware. Since that time, various Mirai botnets have been used to conduct DDoS and other malicious activities against victim entities within the United States.
The investigated botnet’s customized Mirai malware is a component of a system that automates the compromise of a variety of devices. To recruit a new “bot,” the botnet system first compromises an Internet-connected device using one of a variety of known vulnerability exploits (see Appendix B: Observed CVEs). Post-compromise, the victim device executes a Mirai-based malware payload from a remote server.
Once executed, the payload starts processes on the device to establish a connection with a command-and-control (C2) server using Transport Layer Security (TLS) on port 443. The processes gather system information from the infected device, including but not limited to the operating system version and processor, memory and bandwidth details, to send to the C2 server for enumeration purposes. The malware also makes requests to “c.speedtest.net,” likely to gather additional Internet connection details. Some malware payloads were self-deleting to evade detection.
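A payload that unlinks itself after launch keeps running from memory, but on Linux the kernel still records the unlinked path: /proc/<pid>/exe becomes a symlink whose target ends in “ (deleted)”. The following check is an added example for this page, not code from the advisory or from the botnet, and it is generic to any self-deleting Linux payload rather than specific to this Mirai variant. The proc_root parameter is an assumption introduced here so the same code can be pointed at a mounted forensic image.

```python
"""Find running processes whose on-disk executable has been deleted.

Added example (not from the advisory). On Linux, a process started from a
binary that was later unlinked shows a /proc/<pid>/exe symlink ending in
" (deleted)". Scanning for that suffix surfaces self-deleting payloads
that no longer exist on disk.
"""
import os
import re
from dataclasses import dataclass
from typing import List

_PID_DIR = re.compile(r"^\d+$")
_DELETED_SUFFIX = " (deleted)"


@dataclass
class DeletedExe:
    pid: int
    exe_target: str   # original path of the unlinked binary
    cmdline: str      # argv as launched (NUL-separated in /proc, joined with spaces)


def read_cmdline(pid_dir: str) -> str:
    """Return the process command line, or "" if it cannot be read."""
    try:
        with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
    except OSError:
        return ""


def find_deleted_executables(proc_root: str = "/proc") -> List[DeletedExe]:
    """Scan proc_root for processes running from an unlinked executable.

    proc_root is an assumed parameter so the check can be run against a
    live /proc, a container's proc mount, or a constructed tree in tests.
    Entries that are not PIDs (self, sys, ...) are skipped. Kernel threads
    have no exe link and processes we lack permission to inspect raise
    OSError; both are skipped rather than aborting the scan.
    """
    hits: List[DeletedExe] = []
    for name in sorted(os.listdir(proc_root)):
        if not _PID_DIR.match(name):
            continue
        pid_dir = os.path.join(proc_root, name)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue
        if target.endswith(_DELETED_SUFFIX):
            hits.append(DeletedExe(int(name),
                                   target[: -len(_DELETED_SUFFIX)],
                                   read_cmdline(pid_dir)))
    return hits


if __name__ == "__main__":
    for hit in find_deleted_executables():
        print(f"pid={hit.pid} exe={hit.exe_target!r} cmdline={hit.cmdline!r}")
```

Treat a hit as a lead, not a verdict: a long-running daemon whose binary was replaced by a package upgrade shows the same “ (deleted)” marker. A payload that was fetched to a temporary or world-writable directory and then removed, with a command line that does not match any installed service, is the pattern worth escalating; /proc/<pid>/exe can still be copied out for analysis while the process lives.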
A variety of subdomains of “w8510.com” were linked to the botnet’s C2 servers. As of September 2024, investigators identified over 80 subdomains associated with w8510.com.
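Because the C2 infrastructure is spread across many subdomains of one parent, the useful DNS indicator is “any name under w8510.com”, which has to be matched on a label boundary rather than by substring (otherwise “notw8510.com” would fire and “w8510.com.cdn.example” would be wrongly caught). The triage routine below is an added example, not code from the advisory: the parent domain and the c.speedtest.net lookup come from the text above, while the tab-separated log layout and the sample lines are constructed assumptions about what a resolver log might look like.

```python
"""Triage DNS query logs against the C2 indicators described in the advisory.

Added example (not from the advisory). Strong indicator: any name at or
beneath w8510.com, matched on a label boundary. Weak indicator: a lookup of
c.speedtest.net, which legitimate clients also perform and so only matters
alongside a strong hit from the same host. Log format is an assumption.
"""
from collections import defaultdict
from typing import Dict, List, Optional

C2_PARENT_DOMAINS = {"w8510.com"}          # from the advisory text
WEAK_INDICATORS = {"c.speedtest.net"}       # from the advisory text, low confidence alone


def normalise(name: str) -> str:
    """Lower-case and drop the trailing dot that DNS logs often include."""
    return name.strip().rstrip(".").lower()


def is_subdomain_of(name: str, parent: str) -> bool:
    """True for parent itself and any label beneath it, on a label boundary.

    'abc.w8510.com' and 'w8510.com' match; 'notw8510.com' and
    'w8510.com.cdn.example' do not, which a plain substring test gets wrong.
    """
    name, parent = normalise(name), normalise(parent)
    return name == parent or name.endswith("." + parent)


def classify(query: str) -> Optional[str]:
    """Return 'strong', 'weak', or None for one queried name."""
    if any(is_subdomain_of(query, p) for p in C2_PARENT_DOMAINS):
        return "strong"
    if normalise(query) in WEAK_INDICATORS:
        return "weak"
    return None


def triage(log_lines: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group indicator hits by client IP, keeping only hosts with a strong hit.

    Assumed line format: '<unix_ts>\t<client_ip>\t<queried_name>'.
    Malformed lines are skipped. Hosts that only queried weak indicators
    are dropped as noise; hosts with a strong hit keep their weak hits as
    corroboration.
    """
    per_host: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: {"strong": [], "weak": []})
    for line in log_lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue
        _ts, client, query = parts
        kind = classify(query)
        if kind:
            per_host[client][kind].append(normalise(query))
    return {host: hits for host, hits in per_host.items() if hits["strong"]}


# Constructed sample log, not real telemetry.
SAMPLE_LOG = [
    "1726000001\t10.0.5.23\tc.speedtest.net",
    "1726000002\t10.0.5.23\tabc.w8510.com.",        # trailing dot handled
    "1726000003\t10.0.5.23\tUPDATE.W8510.COM",       # case handled
    "1726000004\t10.0.7.9\tc.speedtest.net",         # genuine speed test, weak only
    "1726000005\t10.0.7.9\tnotw8510.com",            # substring trap, must not match
    "1726000006\t10.0.9.1\tw8510.com.cdn.example",   # parent embedded mid-name, must not match
    "garbage line",
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_LOG).items():
        print(host, hits)
```

Resolver logs attribute the query to the client that asked, so on a flat network the hit points at the device itself; behind a home router doing DNS forwarding the hit points at the router, which is itself one of the device classes the advisory names. Either way the follow-up is the same: identify the model and firmware, check it against the vendor’s supported list, and patch or replace it.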
I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional, with an interest in computer security and telecoms.