2,400 Australian devices are part of a Chinese botnet disrupted by the FBI


The FBI has disrupted a botnet that infected more than 260,000 devices worldwide, was operated by a Chinese company, and targeted entities in the United States and Taiwan.

The United States Department of Justice (DOJ) has announced the successful disruption of a botnet run by a Chinese company linked to the government of the People’s Republic of China.

The Justice Department reported the disruption operations on September 18 after court documents detailing the operations were unsealed that same day.

At the same time, the Australian Cyber Security Centre (ACSC) of the Australian Signals Directorate, together with US agencies and other Five Eyes nations, published an advisory about the botnet operated by the Chinese company Integrity Technology Group.

The botnet, which had infected more than 260,000 devices worldwide, including 2,400 in Australia, ran on infected IoT devices, SOHO network devices, firewalls and NAS devices.

According to Lumen’s Black Lotus Labs cybersecurity research team, which assisted US authorities, the botnet was connected to a network of distributed servers and command and control infrastructure. Researchers are not aware of any distributed denial of service (DDoS) attacks coming from the network, although it was well positioned to launch such an attack.

The Justice Department said, however, that a failed DDoS was launched against the FBI’s infrastructure while it was in the process of disrupting the network.

Lumen confirmed, however, that some activities on the network targeted military, educational, defense and government entities in both Taiwan and the United States.

The FBI was able to take control of the botnet’s C2 infrastructure and disable the botnet malware on infected devices using highly tested remote commands. The operation of the infected devices was not affected and the FBI has not collected any other data from those devices.

“Our takedown of this state-sponsored botnet reflects the department’s all-tools approach to disrupting cybercriminals. This network, run by a PRC government contractor, hijacked hundreds of thousands of private routers, cameras and other consumer devices to create a malicious system that the PRC could exploit,” said Deputy Attorney General Lisa Monaco in a statement.

“Today should serve as a warning to cybercriminals who prey on Americans: If you keep coming after us, we’ll come after you.”

Australia’s national cybersecurity coordinator, Lieutenant General Michelle McGuinness, also commented on the takedown.

“These actors have compromised a variety of Internet-connected devices to create a network (or ‘botnet’) primed for malicious activity. This includes the deployment of distributed denial of service (DDoS) attacks and targeted network infiltration,” said LTGEN McGuinness.

“Organizations and individuals should update device firmware, replace end-of-life equipment, and implement network segmentation to mitigate risks.”

As the ACSC advisory notes, the botnet used Mirai malware and took advantage of hardware that had reached the end of its useful life. The infected devices included hardware with known vulnerabilities from Fortinet, QNAP, Ivanti, DrayTek, and Netgear, among others.

Also on the list were Telstra’s older Smart Modem Gen 2 devices.

For a complete list of indicators of compromise and affected devices, read the ACSC advisory.
