Reimagining Cyber - real world perspectives on cybersecurity
Explore the critical intersection of cybersecurity and business impact while gaining insights into CISO priorities with "Reimagining Cyber." Stay informed on the latest cybersecurity news, trends, and solutions tailored for today's CISOs and CIOs. Hosted by Rob Aragao a seasoned security strategist with CyberRes, this podcast is your go-to resource for staying updated on cybersecurity developments and addressing common challenges in the rapidly evolving digital landscape.
Reimagining Cyber - real world perspectives on cybersecurity
U.S. Disrupts China-Linked Botnet: What's Going On? - Ep 116
In this episode, Rob Aragao talks about a recent joint cybersecurity advisory highlighting People's Republic of China-linked actors compromising routers and IoT devices for botnet operations. The advisory points to over 260,000 IoT devices, impacted by a botnet called Raptor Train.
It’s being alleged that Integrity Technology Group (Integrity Tech) are behind the incident. The report says
“[Integrity Technology Group is a] company based in the PRC with links to the PRC government. Integrity Tech has used China Unicom Beijing Province Network IP addresses to control and manage the botnet described in this advisory. In addition to managing the botnet, these same China Unicom Beijing Province Network IP addresses were used to access other operational infrastructure employed in computer intrusion activities against U.S. victims. FBI has engaged with multiple U.S. victims of these computer intrusions and found activity consistent with the tactics, techniques, and infrastructure associated with the cyber threat group known publicly as Flax Typhoon, RedJuliett, and Ethereal Panda.”
Detected by Lumen’s Black Lotus Labs, the advisory was issued by the FBI, NSA, and Cyber National Mission Force.
Rob explains that the botnet leverages code from the notorious Mirai malware, designed to exploit IoT devices running Linux-based systems, which has been in circulation for nearly a decade. He breaks down the architecture of the botnet, including its three-tier structure, and the role of compromised IoT devices, command-and-control servers, and management layers.
Additionally, the discussion explores China's growing focus on cybersecurity talent recruitment, including the Matrix Cup, a hacking competition co-sponsored by Integrity Technology Group. The episode also offers recommendations for mitigating IoT device vulnerabilities, such as strong password management, patch updates, and network segmentation.
Don't forget to rate, review, and subscribe to stay updated on future episodes!
Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com
[00:00:00] Producer Ben: Hello, this is Ben, producer of Reimagining Cyber, and regular Nistlers will know that every once in a while, I get to quiz the show's host, Rob Orego, about recent developments in the cyber security world. This is how it works. Rob sends me a story. He says, I want to talk about this, that, whatever. I say yes, and then the magic starts.
[00:00:27] So that's a bit of a peep behind the curtains of our production process. And this week, Rob pointed me towards a joint cyber security advisory, the headline being People's Republic of China linked actors compromise routers and IOT devices for botnet operations. So Rob, that is it. A very dry headline, if you ask me, and they've really done their best to suck the drama out of this.
[00:00:55] It wouldn't really make it into a Hollywood marketing campaign, but you're gonna breathe some life into it because it is kind of a big deal. First of all, how are you doing, Rob? Are you ready for this?
[00:01:06] Rob Aragao: I'm ready for it. How are you doing?
[00:01:08] Producer Ben: Yeah, not bad at all. So come on, what's going on here?
[00:01:12] Rob Aragao: So what's going on here, Ben?
[00:01:13] Let's try to make it a little bit more interesting than the advisory title. Okay. That was released on September 18th. So in essence, there was over 260, 000 IOT devices that are being impacted by this, um, botnet. And the, the tieback is actually to a group coming out of China. I know you're shocked by that, Ben, uh, called Flax Typhoon.
[00:01:37] Uh, what's interesting about Flax Typhoon as well is that they were actually typically attributed towards attacks. Uh, within Taiwanese organizations. So this is kind of, you know, an interesting, we'll get more into the kind of the scope globally as to the impact of this. Um, but the botnet is referred to as Raptor Train.
[00:01:54] And it was actually detected by Lumen's Black Lotus Labs. And Lumen, for those that are not familiar, Lumen is a large telecommunications company based here in the US. So again, within their cyber operations, Black Lotus Labs is the group that has been watching and monitoring this for some time and then came out, um, again with the report, a very detailed report, by the way, we can link that in the show notes as to their findings.
[00:02:17] Uh, and, and this is what's led toward the actual release on the 18th by the government on a joint. So we'll get into that in a little bit. Now, people are going to be like, hey, listen, what's, what's really behind the scenes? What's happening here? Here's the interesting thing. What's really behind the scenes?
[00:02:33] What's happening here? Here's the interesting thing. We're talking about this malware that has been out in the wild for close to 10 years. So this goes back to, um, the Mirai family of malware that was designed to basically hijack IT devices that run the Linux based operating system. And that came out in 2016.
[00:02:52] And so when it came out in 2016, made public, um, many people jumped on that, uh, you know, quote unquote, the bad guys. And, um, many different attacks started happening targeting IOT devices, such as it'd be small office, home office type devices, you know, the routers that you were mentioning, DVR devices, uh, network attached storage systems, uh, cameras, webcams, all of this, right?
[00:03:14] So anything, think about this is what I always say. If it's connected. It's vulnerable. Period. Right? And so, again, this is what's behind it, is actually taking advantage of code that's been out there for, again, as I mentioned, close to 10 years. So, who's behind all of this? And then the advisory calls out, and this advisory, by the way, jointly was released from the FBI.
[00:03:36] NSA and the uh, CNMF, for those that don't know CNMF, that's actually the Cyber National Mission Force. So they're, they're tied into obviously what's happening here specifically as well. And they're calling out the Integrity Technology Group, which is behind the scenes, a nation state sponsor within China.
[00:03:55] But
[00:03:56] Producer Ben: the name sounds so lovely. Integrity. Integrity Technology Group. Doesn't they've got integrity. You've
[00:04:01] Rob Aragao: heard integrity. Now you came across interesting findings about these guys, didn't you?
[00:04:06] Producer Ben: I did, yeah, um, like you say they've been linked to Flax Typhoon, but um, They've recently been sponsoring an event called the Matrix Cup It's a, it's a Chinese hacking competition in actual fact, and it plays a major role within the country's Talent identification and development ecosystem.
[00:04:29] I saw a few reports and here are a couple of different ones. The Matrix Cup, it's co organized by Cyber Peace, another lovely name, and the Integrity Technology group. It's a top level cyber security event with high specifications. Attracted more than 1, 000 teams from China, Vietnam and Malaysia and other countries.
[00:04:49] With the theme of intelligent defense security, digital enlightenment for the future, the main forum gathered security pioneers. Expert think tanks and industry leaders. The source for that was the Matrix Cup themselves. Okay, so make of that what you will. Another source coming from Security Week. A prize pool of two and a half million dollars is being offered at an upcoming Chinese hacking contest for exploits targeting a wide range of technology products, particularly ones made in China.
[00:05:23] So that kind of goes to show how they're thinking about this kind of thing. So a real kind of a difference between the way the East and the West are looking at the activities just of, you know, a contest, a competition.
[00:05:38] Rob Aragao: A competition. So what I'm hearing is they're recruiting. That's the recruiting platform.
[00:05:43] I love some of the words that you mentioned, right? Integrity, technology. Okay. I'm not sure there's much integrity behind definitions you just described. Um, some of the key kind of aspects of what they're trying to get around defense. Defense really sounds more like, Hey, come here and let's show it. Let's see your hacking skills.
[00:06:04] Right. And then just wide open about, Hey, we're going to target the West. I mean, could you be more open than that as to what you're trying to accomplish? So it just goes to the reality of, you know, what is happening? Um, from China is in another example, we've talked about it many times in previous episodes.
[00:06:23] But again, this is a key one and the attribution just to kind of close the loop on that one, um, you know, really ties back towards in the advisory, how they're seeing that the IP addresses have come from China, Unicom, Beijing province networks. So that's exactly how they're tied it back in and seeing where the sources are coming relative to controlling the botnet.
[00:06:46] Let's talk about kind of how all of this works, Ben. How does this, you know, really kind of come together as part of the architecture or the infrastructure that powers this botnet? And it's really broken into three kind of tiers, if you will. The first tier are those compromised IoT devices. So like I mentioned, right, there could be the routers, it could be these cameras, it could be, you know, you name it, the different type of IoT device.
[00:07:10] The second tier is actually a combination of the exploitation, the payload, and the C2 servers, or the command and control servers. And then that final tier is really the management side of it. So it's, it's what controls all of the different, um, you know, kind of, again, infrastructure behind it. It's with basically the launching pad.
[00:07:30] Um, and it was referred to as, or is being referred to as Sparrow. So when you look at this, right, the, the bots are tasked to be initiated from tier three, that Sparrow management environment I talked about. Uh, they then basically route through tier two to the C2 again, the command control servers, right?
[00:07:53] So these are the servers that basically will then subsequently go ahead and launch the bots into action. And the bots now obviously are at tier one. That's it behind everything that's going on with all these different type of IoT devices. The 260, 000 that we discussed relative to this particular type of, um, incident that occurred.
[00:08:10] So that's the model of the environment and the architecture that's out there. I like some of these words, right, Ben? So we have Sparrow, right? We've got the Raptor train. Getting very, very creative here, aren't we?
[00:08:21] Producer Ben: It's real spy stuff, isn't it? Like spy novel kind of stuff, yeah.
[00:08:25] Rob Aragao: Oh, it is. So then, who was targeted?
[00:08:29] Who's first at the top of that list, right? Who's at the top of that list as being most targeted?
[00:08:33] Producer Ben: It's got to be the United States, you know, finish first and everything.
[00:08:37] Rob Aragao: Finish first and everything. Do you want to look at it that way? I guess, I guess. You're, you're spot on, my friend. Finish first and everything.
[00:08:45] That's a good way to look at it. I'm not sure we want that one. But, but yeah, close to 50%, right? 48 percent tied back. To the US on this tech, uh, you then have, you know, other countries out there like Vietnam, which was interesting because of what you just talked about. Right? Um, Brazil, Hong Kong, Turkey. So it's, it's out there, right?
[00:09:07] But again, yeah, close to 50 percent targeting, targeting specifically the US. Um, what's, what's kind of also interesting is that, you know, there haven't been any distributed denial of service attacks that have emanated from these botnets yet. Um, they're very likely capable to be launched and weaponized at some point in time, and then target again, any of different entities that are out there within the U S and these other countries as part of it.
[00:09:34] And a lot of the conversation kind of thinking is behind it. If it's to be triggered before this actually is mitigated on these devices, it was very likely be where they've infiltrated, you know, military installations. Things within the government, potentially higher education, right, telecom, uh, defense industrial base is another one.
[00:09:56] So these are some of the kind of the thoughts. Then how do you deal with this, right? What are some of the different kind of recommendations that are out there? And the FBI did a great job of listing them. They're pretty straightforward, but ways to mitigate. Um, and so there's several, IOT devices, uh, your management console into them, your router, for example.
[00:10:16] You have. Uh, and disabling obviously unused services and ports. So good hygiene, right? Something you should be doing anyhow. Another thing you should be doing is implementing network segmentation. So breaking out these networks into segments so they are actually, uh, again, isolated from one another and serving particular purposes for different types of, you know, specific kind of functions you have in your small office or even in your home environment.
[00:10:40] Um, for example, at home, maybe, you know, my surveillance. For my alarm system and security cameras and whatnot are on one segment, one specific network. And then my, you know, kind of entertainment environment is on another, and my work environment on another, as an example. Uh, another one is obviously just monitoring these devices relative to high volumes of traffic that you're not used to seeing and then picking up and seeing again where that's coming from.
[00:11:05] You can also list IP addresses included in the advisory to block from gaining access to your environment. Of course, make your updates and patches. Always, always change the default password, of course, and apply something as a strong password. On those devices. Um, you should obviously plan to go ahead and reboot the devices.
[00:11:24] What's interesting, they called out is, um, it does, so they don't maintain persistence, but what they do is very quickly, they have such confidence in this thing, just relaunching. Right back up. So if you're going to do an update, uh, with the reboot, you know, again, as long as you're doing the right things to put these mitigating controls in place, you should be in good shape.
[00:11:43] And if you're not doing these things, and of course, just the reboot is not going to cut them off. It will disconnect them for sure, but they'll be right back into it very quickly. And the last thing is a fair bit of this environment, though, not all of it again, a fair bit, though, of these 260, 000 devices we talked about their end of life.
[00:12:01] Equipment, right? So you got to get to the point in time, obviously, where it's just time to update to some newer types of devices and replace those, of course. So that's kind of in a nutshell that I wanted to discuss Ben relative to, um, this, this new story that's out there. That's pretty again, more of kind of making it personal, right?
[00:12:18] So you understand all of us have these different devices. Within our environments. And we have to take into consideration that they are connected. And therefore, as I mentioned, they're vulnerable and some of the things you should do or could do to help mitigate this particular type of security attack that's happening out there.
[00:12:33] Producer Ben: I must admit, it does always blow my mind when, uh, you know, recommended mitigations come out and one of them is always, uh, replace default passwords with strong passwords. You know, don't give them away. Um, I dunno, what's your, uh, what are your passwords, Rob? Maybe the password for your laptop.
[00:12:52] Rob Aragao: Yeah, sure. So it's, hmm, you almost got me, Ben.
[00:12:55] Producer Ben: And that's why you work in cyber security, because you're very, very sharp to those kind of risks. See, we could have had all kinds of fun with your password. You're not fooled.
[00:13:06] Rob Aragao: You almost got me, Ben. You almost got me.
[00:13:10] Producer Ben: Rob, fantastic. Who do we have coming up on Reimagining Cyber next week?
[00:13:16] Rob Aragao: Well, we're very excited, Ben.
[00:13:17] To bring on Tiffany Snyder from NASA. And we're going to talk about cyber security in cyberspace, as well as ground control. Look at all of the different ramifications, the risk requirements that NASA has to deal with around controlling, securing overarching environments within space.
[00:13:36] Producer Ben: Wonderful. Thanks, Rob.
[00:13:37] And remember to rate and review the show and obviously. Subscribe or follow as well. So that episode will be right with you as soon as it's published. Thanks for listening and goodbye. Goodbye