ASD Publishes Joint Advisory on China Linked Botnet Operations - 20240919001

Overview

The Australian Signals Directorate (ASD) have published a joint advisory reporting People's Republic of China (PRC)-linked cyber actors have compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices with the goal of creating a network of compromised nodes (a "botnet") positioned for malicious activity.

What has been observed?

Integrity Technology Group, a PRC-based company, has controlled and managed a botnet active since mid-2021. The botnet has regularly maintained between tens to hundreds of thousands of compromised devices. As of June 2024, the botnet consisted of over 260,000 devices, of which there is an estimated 2,400 nodes discovered within Australia.

While devices aged beyond their end-of-life dates are known to be more vulnerable to intrusion, many of the compromised devices in the Integrity Tech controlled botnet are likely still supported by their respective vendors.

Recommendation

The WA SOC recommends administrators perform the following:

• ASD Advisory: https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/peoples-republic-china-linked-actors-compromise-routers-and-iot-devices-botnet-operations
• Review 'Appendix A: Indicators of Compromise' section to perform scoping of any potentially related activity,
• Review 'Appendix B: Observed CVEs' section to perform discovery of potentially vulnerable devices,
• Review the 'Recommended Mitigations' section for relevant information.