Raptor Train - IoT Botnet
October 29, 2024
Topics
- iot
- botnet
- raptor train
- flax typhoon
- threat
- hackers
Recently, it has been discovered that many home, small-office, and IoT devices have been compromised by a very sophisticated botnet that cybersecurity researchers believe is operated by Flax Typhoon. They refer to this botnet as Raptor Train. It can potentially be used to perform distributed denial-of-service (DDoS) attacks, disable device security features, and steal users' personal information.
Flax Typhoon is a Chinese threat actor group also known by aliases such as Ethereal Panda and RedJuliett. Flax Typhoon has a history of attacks across the world, in regions such as North America, Africa, Taiwan, and Southeast Asia, and has been identified through its tactics and the language it uses. The group has been active since 2021 and, according to the U.S. Department of Justice, mainly targets government institutions, educational facilities, and information technology companies in Taiwan and the U.S.
A botnet is a large collection of Internet-connected devices, such as PCs, smartphones, and Internet of Things (IoT) devices, that have been breached or compromised by a third party. Each of these devices is individually called a bot and is typically infected with some type of malware. The threat actor can then control the device over the network.
Raptor Train is the name of the botnet used by Flax Typhoon. It has a three-tiered architecture. Operations begin at the third tier, which is referred to as the "Sparrow" management nodes. These are centralized management nodes: one node or connection point controls every other node in the network. The "Sparrow" nodes route to the tier 2 exploited servers and C2 nodes, and those servers in turn route to the tier 1 nodes. The tier 1 nodes are the bots, the compromised devices found in small offices and homes. This large pool of exploited devices allows Raptor Train to build many bots from devices in homes and small offices. The C2 nodes in the second tier are what make Raptor Train so dangerous and impactful: the servers can implant an ELF (Executable and Linkable Format) binary that can execute scripts, upload and download data, and potentially perform DDoS attacks. These nodes are believed to be rotated every 75 days, and they increase the number of devices that are part of the botnet.
The Raptor Train botnet has been in operation for 4 years, since 2020, and has been spread across 4 campaigns distinguished by the devices and root domains targeted. The Crossbill campaign ran from May 2020 – April 2022, the Finch campaign from July 2022 – June 2023, the Canary campaign from May 2023 – August 2023, and the Oriole campaign from June 2023 – September 2024. Although DDoS is a common attack carried out by botnets, there have been no recorded cases or incidents of a DDoS attack by Raptor Train. The FBI and the Department of Justice (DOJ) dismantled Raptor Train on September 18th, 2024, and provided a list of countries with devices compromised by Raptor Train. These countries include, but are not limited to, Canada, the United Kingdom, India, China, Australia, the United States, and Germany, with the U.S. accounting for a little less than half of the total 260,000 devices that were part of the botnet. Common devices in the botnet included cameras, routers, and DVRs, as well as electronics from manufacturers such as Panasonic and ASUS.
It is very easy for unprotected devices to become part of a botnet. There are several key steps you can take to protect your SOHO and IoT devices from being infected by a botnet. The first is to ensure that your devices are kept up to date with the latest software and firmware updates. It is also recommended to retire and replace devices that have reached end-of-life, since they no longer receive security fixes. Enforcing strong passwords and changing them regularly is another effective step in minimizing the chance of infection. Following these simple steps can be an effective measure in protecting against botnet infections.
Cybersecurity is an integral part of ensuring the safety of businesses, government entities, and individuals. Threat actors can exploit insecure systems to steal information and launch attacks. In the case of botnets like Raptor Train, the threat of DDoS attacks on personal devices and servers can be very dangerous and can lead to large parts of a network being compromised. It is important to stay informed and to have the right support and software in place to handle these types of attacks.