NCSC identifies China-linked botnets targeting thousands of devices worldwide


The UK's National Cyber Security Centre (NCSC), along with its Five Eyes allies, is warning organizations to protect themselves from a massive China-backed botnet.

A company with links to the Chinese government has, it said, been running a global botnet consisting of over 260,000 compromised devices in North America, Europe, Africa, and Southeast Asia.

The devices, according to the US National Security Agency (NSA), include small office/home office routers, firewalls, network-attached storage (NAS), and IoT devices including webcams and CCTV cameras, along with routers running UNIX-based operating systems.

These, the agencies said, are being used for a variety of malicious purposes, such as anonymous malware delivery and distributed denial of service (DDoS) attacks.

"Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks," said Paul Chichester, NCSC director of operations.

"Whilst the majority of botnets are used to conduct coordinated DDoS attacks, we know that some also have the ability to steal sensitive information."

A company called Integrity Technology Group is believed to be responsible for controlling and managing the botnet, which has been active since mid-2021 and has been used by the hacking group known as Flax Typhoon.

The agencies are urging organizations and individuals to take action to protect themselves.

"The NCSC, along with our partners in Five Eyes countries, is strongly encouraging organizations and individuals to act on the guidance set out in this advisory – which includes applying updates to internet-connected devices – to help prevent their devices from joining a botnet," said Chichester.

The advisory urges individuals and organizations to keep on top of applying patches and updates, and to disable unused services and ports, such as automatic configuration, remote access and file-sharing protocols, all of which can be abused to gain initial access or to spread malware to other networked devices.

They should also replace default passwords with stronger ones, implement network segmentation with the principle of least privilege, and monitor for high network traffic volumes to detect any DDoS incidents. Devices should be rebooted to remove non-persistent malware, and end-of-life equipment should be replaced with supported devices.
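The advisory's "monitor for high network traffic volumes" point is easy to state and less easy to operationalize, because a compromised camera or router launching DDoS traffic looks like a sudden change in a device's own behaviour rather than an absolute threshold. The script below is an added example, not code from the NCSC advisory or from this article: it reads constructed flow records (timestamp, source, destination, destination port, bytes; a format assumed here for illustration, not any particular vendor's export), buckets each internal source's outbound bytes into one-minute windows, compares each window against the median of that source's earlier windows, and flags a window that is both large in absolute terms and far above the device's baseline, reporting the destination that dominates it. The sample data is made up: one device carries on as normal while another suddenly sends megabytes to a single host and port, which is the shape a DDoS participant produces.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records for the example (timestamp, source, destination,
# destination port, bytes). Made up to illustrate the pattern; not telemetry
# from the advisory or from any real network.
SAMPLE_FLOWS = """\
# ts          src           dst          dport bytes
1700000000 192.168.1.20 203.0.113.5  443 1200
1700000010 192.168.1.21 198.51.100.7 443 800
1700000060 192.168.1.20 203.0.113.5  443 1500
1700000070 192.168.1.21 198.51.100.7 443 900
1700000120 192.168.1.20 203.0.113.5  443 1100
1700000130 192.168.1.21 198.51.100.7 443 700
1700000180 192.168.1.20 203.0.113.5  443 1300
1700000181 192.168.1.21 192.0.2.44   80  900000
1700000182 192.168.1.21 192.0.2.44   80  950000
1700000190 192.168.1.21 192.0.2.44   80  870000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def bucket_by_window(flows, window=60):
    """Return {src: {window_index: {(dst, dport): bytes}}}.

    Window indices are relative to the earliest timestamp seen. Windows in
    which a source sent nothing are simply absent rather than recorded as 0.
    """
    t0 = min(f[0] for f in flows)
    buckets = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for ts, src, dst, dport, nbytes in flows:
        widx = (ts - t0) // window
        buckets[src][widx][(dst, dport)] += nbytes
    return buckets


def detect_spikes(flows, window=60, factor=10.0, min_bytes=100_000, min_history=2):
    """Flag windows where a source sends >= min_bytes AND > factor x its own median.

    The absolute floor (min_bytes) stops a device that normally sends a few
    bytes from alerting on a modest update download; the relative factor is
    what catches a quiet IoT device turning into a DDoS node. Alerted windows
    are kept out of the history so a sustained flood does not become the new
    baseline. Returns a list of alert dicts ordered by source then window.
    """
    alerts = []
    for src, windows in sorted(bucket_by_window(flows, window).items()):
        history = []
        for widx in sorted(windows):
            per_dst = windows[widx]
            total = sum(per_dst.values())
            spiked = False
            if len(history) >= min_history:
                baseline = median(history)
                if total >= min_bytes and total > factor * max(baseline, 1):
                    spiked = True
                    top_dst, top_bytes = max(per_dst.items(), key=lambda kv: kv[1])
                    alerts.append({
                        "src": src,
                        "window": widx,
                        "bytes": total,
                        "baseline": baseline,
                        "top_dst": "%s:%d" % top_dst,
                        # share of the window's bytes going to one host:port;
                        # close to 1.0 is typical of a flood against one target
                        "top_share": round(top_bytes / total, 3),
                    })
            if not spiked:
                history.append(total)
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(parse_flows(SAMPLE_FLOWS)):
        print("SPIKE src=%(src)s window=%(window)d bytes=%(bytes)d "
              "baseline=%(baseline).0f top=%(top_dst)s share=%(top_share).2f" % alert)
```

Run against the sample, the script reports one spike: 192.168.1.21 in window 3, 2,720,000 bytes against a baseline of 800, all of it to 192.0.2.44:80. In practice the thresholds belong in config and the baseline should come from days of history rather than three windows, but the two-sided test (absolute floor plus per-device ratio) and the dominant-destination share are the parts worth keeping; a per-device view is also what tells you which box to reboot and re-patch, which is the advisory's next step.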

"The recent advisory from the NCSC highlights a clear supply chain risk – specifically how compromised hardware, often sourced from particular countries of origin, can be leveraged for nation-state cyber-espionage activities," commented Eric Knapp, CTO of OT at cyber security firm OPSWAT.

"This is an example of how vulnerabilities in the supply chain can lead to widespread malicious activity such as DDoS attacks and anonymous malware delivery."

Along with the network segmentation recommended in the advisory, he said technologies such as unidirectional gateways or data diodes should also be used to enforce secure, one-way data flow.

And, he said, "With the increasing prevalence of nation-state cyber-attacks, conducting thorough asset inventories and monitoring the origins of both hardware and software are critical steps."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.