Raptor Train: Chinese State-Sponsored Botnet Threat.
Raptor Train: Chinese State-Sponsored Botnet Threat
What We Know
The FBI has disrupted a massive Chinese state-sponsored botnet called "Raptor Train" (also known as Flax Typhoon), which infected over 260,000 devices globally, targeting critical infrastructure across various sectors. While the botnet’s DDOS functionality has been disrupted, the threat actors are still active. 34 device vendors were targeted and 75% of infected devices are in homes and small businesses.
Raptor Train is a large-scale botnet that primarily targets small office/home office (SOHO) and IoT devices, not client computers directly. However, it poses significant risks to networks and infrastructure.
Key capabilities of Raptor Train:
Device Compromise: The botnet has infected over 260,000 devices, including routers, IP cameras, network video recorders (NVRs), digital video recorders (DVRs), and network-attached storage (NAS) servers.
Remote Command Execution: Raptor Train can execute various commands on compromised devices remotely.
File Transfers: The botnet is capable of uploading and downloading files on infected devices.
DDoS Attacks: While no DDoS attacks have been observed, the botnet has the capability to launch such attacks.
Surveillance and Data Exfiltration: Given its targets in critical sectors, the botnet likely has capabilities for surveillance and data theft.
Vulnerability Exploitation: Raptor Train exploits both zero-day and known vulnerabilities to infect devices.
Persistence: Although individual devices only remain infected for about 17 days on average, the botnet maintains "inherent persistence" by continuously reinfecting vulnerable devices.
Scanning and Reconnaissance: The botnet has been used for scanning activities targeting military, government, and other critical sectors.
Multi-tiered Operations: Its sophisticated three-tier architecture allows for centralized control and flexible exploitation of compromised devices.
Malware Distribution: Raptor Train uses a custom Mirai variant called "Nosedive" to infect and control devices.
While Raptor Train primarily targets network devices rather than individual computers, its presence on a network could potentially be used as a stepping stone to compromise other systems or exfiltrate sensitive data from the network.
Key Details:
Origin: Operated by Integrity Technology Group, linked to the Chinese government.
Active since: May 2020 (4+ years)
Targets: U.S. military, government, IT providers, defense industrial bases, energy and critical infrastructure in Taiwan.
Infected devices: SOHO (Small Office, Home Office) routers, IP cameras, NAS (Network Attached Storage) devices, and other IoT equipment.
Capabilities: Scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, enabling the device to be used for any purpose by the attacker.
Structure: Multitiered botnet with sophisticated management systems.
Recent Developments:
The FBI executed court-authorized operations to dismantle the botnet infrastructure. Their level of success has not yet been determined.
Threat actors attempted to migrate infected devices and launched a DDoS attack against the FBI.
Our Response
We want to assure you that we have been proactively defending against this threat:
No infections have been discovered within our network.
We are blocking all known malicious activities at the firewall level.
All available Indicators of Compromise (IOCs) have been loaded into our security systems.
We are blocking all known CVEs targeted by this campaign.
Our FortiGate firewalls deployed at our customers are all patched (and have been) against the vulnerability the campaigned is known to target
Current Defense Statistics:
178 Domains blocked
123 IPs blocked
Firewall Detections for 34 CVEs (vulnerabilities) known to be targeted by Raptor Train actors
Ongoing Protection
We are continuously monitoring for new information related to this threat and promptly updating our defenses. This includes:
Adding new IOCs as they become available.
Updating firewall rules and security policies.
Patching systems against newly identified vulnerabilities.
Recommendations
To ensure comprehensive protection against threats like Raptor Train:
Regularly update and patch all devices and software.
Implement strong password policies and multifactor authentication.
Segment networks to limit IoT device connectivity.
Monitor for unusual network traffic patterns.
Consider replacing outdated equipment no longer supported by vendors.
Next Steps
For a more detailed discussion on how this threat may impact your specific environment or to review your current security posture:
Contact your assigned Virtual CISO.
Book a consultation with Trusted Internet for expert guidance.
Stay vigilant, and don't hesitate to reach out with any concerns or questions regarding this or any other cybersecurity matter.
For immediate assistance, contact us at:
staysafeonline@trustedinternet.io
or call 800-853-6431.
References:
FBI press release on Raptor Train botnet disruption
Cybersecurity and Infrastructure Security Agency (CISA) advisory on Flax Typhoon
Massive China-state IoT botnet went undetected for four years—until now
https://www.ic3.gov/Media/News/2024/240918.pdf
https://github.com/blacklotuslabs/IOCs/blob/main/Raptor_Train_IOCs.txt
https://blog.lumen.com/derailingtheraptortrain/
List of vendor devices being targeted:
ServiceNow
PHP Group
Zyxel
Telesquare
Fortinet
Apache
QNAP
F5
Telstra
Tongda
Metabase
OpenRapid
Ivanti
Juniper
CloudPanel
NocoDB
Citrix
Chamilo
Gibbonedu
WordPress
MikroTik
Ubiquiti
Jorani
DrayTek
Contec
Confluence
Netgate
Atlassian
Cisco
NETGEAR
Hikvision
Buffalo
IBM
Tenda
Linear
TOTOLINK
D-Link
Four-Faith
Microsoft
Cerio
List of targeted CVE’s, Domains, and IP Address IOCs available on request