web analytics

Raptor Train Botnet Infects 260,000 Devices Globally – Source: www.databreachtoday.com

raptor-train-botnet-infects-260,000-devices-globally-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Critical Infrastructure Security
,
Cyberwarfare / Nation-State Attacks
,
Endpoint Security

Chinese Botnet Targets US Critical Infrastructure and Taiwan

Prajeet Nair (@prajeetspeaks) •
September 19, 2024    

Raptor Train Botnet Infects 260,000 Devices Globally

A Chinese state-sponsored botnet called Raptor Train has infected more than 260,000 IoT and office network devices to target critical infrastructure globally. The hackers used zero-days and known vulnerabilities to compromise more than 20 different types of devices to expand their botnet.

See Also: Safeguard and Enhance the Value of Your Cloud Investment

Raptor Train, a botnet linked to the Chinese threat actor Flax Typhoon, remained hidden for years, said Louisiana-based Lumen Technologies’ threat intelligence group, Black Lotus Labs, in a report.

Raptor Train began operations in May 2020, comprising routers, modems, IP cameras, NAS servers and NVR/DVR devices. It has now evolved into one of the largest-known Chinese state-sponsored IoT botnets, affecting military, government, telecommunications, defense industrial base and higher education entities in the U.S. and Taiwan.

At its peak in June 2023, Raptor Train actively compromised over 60,000 devices. By mid-2023, the botnet had ballooned to over 200,000 infected networking devices, and the latest estimates suggest it now controls over 260,000 devices.

Black Lotus Labs’ report said the botnet has a sophisticated command-and-control infrastructure, managed through an enterprise-grade control system known as Sparrow, which is capable of overseeing a large volume of compromised nodes while automating tasks such as vulnerability exploitation, remote command execution and data collection.

The botnet’s primary implant, named Nosedive, is a custom variant of the Mirai malware, designed to target devices with known vulnerabilities. These infections remain memory-resident, making them difficult to detect and more resilient to traditional defenses.

Operators of Raptor Train manage their network using a multitiered approach: Tier 1 devices are consumer-grade hardware, while Tier 2 and Tier 3 nodes consist of dedicated servers that oversee payload distribution, exploit management and botnet command execution.

The operators use more than 20 different device types to expand their botnet, leveraging zero-days and known vulnerabilities. Affected devices are products of well-known manufacturers such as TP-Link, ASUS, DrayTek, Zyxel, Hikvision and Synology.

The large, ever-changing pool of devices ensures that the botnet remains robust even without a persistence mechanism, as compromised devices typically stay active for an average of 17 days before being replaced by new ones.

Raptor Train’s operators, most likely based in China, have been observed managing Tier 2 nodes via Secure Shell connections during Chinese working hours. These connections, facilitated by Sparrow management nodes, enable threat actors to collect bot data, issue commands and exploit vulnerabilities.

Tier 3 nodes, based in Hong Kong and mainland China, provide a consistent command structure, and operators interact with their network around the clock using an advanced control interface named Node Comprehensive Control Tool v1.0.7.

Although there has been no confirmed distributed denial-of-service attack from Raptor Train, Black Lotus Labs warns that this capability likely remains available to the botnet operators.

With its ability to scale DDoS attacks and exploit vulnerabilities across vast numbers of devices, Raptor Train could be a formidable tool for disruptive operations in the future, Black Lotus Labs said.

Researchers found Raptor Train through its monitoring of malicious activity in mid-2023, leading to a more in-depth investigation into the botnet’s infrastructure. The company has since taken steps to neutralize portions of the botnet, including null-routing traffic associated with known C2 servers and payload distribution points.

Lumen Technologies also shared intelligence with U.S. government agencies to bolster defenses against this botnet.

Original Post url: https://www.databreachtoday.com/raptor-train-botnet-infects-260000-devices-globally-a-26327

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Cybersecurity Talent Crisis Today and Tomorrow by Codrut Andrei
Cybersecurity Talent Crisis Today and...
SCYTHE
Better Cybersecurity Metrics – SOC Metrics – Threat Hunting Metrics – Cyber Threat Intelligence (CTI) Metrics – Incident Response (IR) Metrics for CISOs by SCYTHE
Better Cybersecurity Metrics – SOC...
ACSC Australia
Personal Cyber Security First Steps by Australian Government – ACSC
Personal Cyber Security First Steps...
Joas Antonio
100 Security Operation Tools for SOCs by Joas Antonio
100 Security Operation Tools for...
Joas Antonio
Guide for Multi-Cloud Read Team AWS – GCP – AZURE by Joas Antonio
Guide for Multi-Cloud Read Team...
SANS
SANS Faculty Cybersecurity Free Tools – SANS Instructors have built more than 150 open source tools that support your work and help you implement better security.
SANS Faculty Cybersecurity Free Tools...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

ACN
Guidelines for secure AI system development
Guidelines for secure AI system...
Incibe
Ciberseguridad en Smart Toys
Ciberseguridad en Smart Toys
Flashpoint
Global Threat Intelligence Report
Global Threat Intelligence Report
HSBC
A new payments paradigm
A new payments paradigm
WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security...
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?

More Latest Published Posts

IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos
INNOVERY
RESILIENCIA
RESILIENCIA
CEH
Certifications Preparation Guide
Certifications Preparation Guide
Sandhya Kaushik
Checklist for Securing Your Android Apps
Checklist for Securing Your Android Apps
aDvens
May Cyber Threat Intelligence monthly report
May Cyber Threat Intelligence monthly report
Insikt Group
Caught in the Net
Caught in the Net
IGNITE Technologies
BURP SUITE FOR PENTESTER TURBO INTRUDER
BURP SUITE FOR PENTESTER TURBO INTRUDER
SYED ABUTHAHIR
BUG BOUNTY AUTOMATION WITH PYTHON
BUG BOUNTY AUTOMATION WITH PYTHON
Foresiet
Brand Impersonation Attacks
Brand Impersonation Attacks
Google Cloud
Board of Directors Handbook for Cloud Risk Governance
Board of Directors Handbook for Cloud Risk Governance
ISACA
Blueprint for Ransomware Defense
Blueprint for Ransomware Defense
Shaurya Rawal
Blockchain Security
Blockchain Security
RISK academy
BEST RISK MANAGEMENT PROMPTS FOR CHATGPT
BEST RISK MANAGEMENT PROMPTS FOR CHATGPT
IGNITE Technologies
Best Alternative of Netcat
Best Alternative of Netcat
aws
AWS Security Incident Response Guide
AWS Security Incident Response Guide
DevSecOps Guide
Attacking Rust
Attacking Rust
DevSecOps Guide
Attacking Pipeline
Attacking Pipeline
DevSecOps Guide
Attacking Golang
Attacking Golang
HADESS
Assembly for Hackers
Assembly for Hackers
BIONIC
Application Security Posture Management
Application Security Posture Management
Wallarm
API ThreatStatsTM Report
API ThreatStatsTM Report