CISA has urged manufacturers of small office/home office (SOHO) routers to ensure their devices’ security against ongoing attacks attempting to hijack them, especially those coordinated by Chinese state-backed hacking group Volt Typhoon (Bronze Silhouette).
More specifically, in new guidance created with the help of the FBI, the two agencies ask the vendors to eliminate vulnerabilities in SOHO router web management interfaces (WMIs) during the design and development phases.
They were also urged to adjust the routers’ default configuration to automate security updates, require manual overrides when disabling security settings, and only allow access to the routers’ WMI from devices connected to the local area network.
Threat actors are compromising many such devices, taking advantage of the sheer numbers of SOHO routers used by Americans and using them as launchpads in attacks targeting U.S. critical infrastructure organizations.
“CISA and FBI are urging SOHO router manufacturers to build security into the design, development, and maintenance of SOHO routers to eliminate the path these threat actors are taking to (1) compromise these devices and (2) use these devices as launching pads to further compromise U.S. critical infrastructure entities,” the cybersecurity agency said.
“CISA and FBI also urge manufacturers to protect against Volt Typhoon activity and other cyber threats by disclosing vulnerabilities via the Common Vulnerabilities and Exposures (CVE) program as well as by supplying accurate Common Weakness Enumeration (CWE) classification for these vulnerabilities.
“The Alert also urges manufacturers to implement incentive structures that prioritize security during product design and development.”
Volt Typhoon links to SOHO router botnet
The Volt Typhoon attacks targeting SOHO routers mentioned by CISA in today’s alert likely refer to the KV-botnet malware, which was linked to the Chinese cyberspies in December and has been targeting such devices since at least August 2022.
A June 2023 U.S. government advisory assessed that the threat group was working on building infrastructure that could be used to disrupt communications infrastructure across the United States.
An earlier report from Microsoft revealed that the Chinese state-backed hackers have targeted and breached U.S. critical infrastructure organizations since at least mid-2021, including in Guam, an island hosting multiple U.S. military bases.
Volt Typhoon is known for commonly targeting routers, firewalls, and VPN devices to proxy malicious traffic, blending it with legitimate traffic to evade detection during attacks. According to the Lumen Technologies Black Lotus Labs team, the hackers target Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras.
“The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years,” Lumen said.
The covert data transfer network built with the help of KV-botnet has been used in attacks targeting a wide range of organizations, including U.S. military entities, telecommunication and internet service providers, a U.S. territorial government entity in Guam, and a European renewable energy firm.
The U.S. government has reportedly already taken down part of Volt Typhoon’s infrastructure in recent months, according to Reuters.