KV Botnet

It has been reported that a botnet dubbed “KV Botnet”, is targeting Small Office/Home Office (SOHO) routers and VPN devices. The botnet can be utilized for various malicious activities, including data exfiltration, espionage, and network disruption.

Infection Mechanism

The KV Botnet is a hidden network that transfers data secretly. It is created by hacking small office/home office routers and firewalls from popular brands such as Fortinet, NETGEAR and Cisco etc. This botnet is operated by two separate sections: one section infects devices, and the other section transmits data. This botnet is believed to be associated with a Chinese state-sponsored hacking group known as Volt Typhoon, also referred to as Bronze Silhouette.

Fig-1: Malware installation process (Source: Lumen)

The KV botnet is designed to exploit vulnerabilities in firmware and web interfaces of small office/home office (SOHO) devices. It uses brute-force attacks to crack weak passwords for admin accounts and gain access to the devices. The botnet can also infect devices through third-party applications or malicious firmware updates.

Fig.2: Two separate groups of activity linked to KV-botnet (Source: Lumen)

Once infected, the malware creates a hidden communication channel within the device and uses it for:

• Data exfiltration: Stealing sensitive data, including user credentials, financial information, and confidential documents, from the infected network.
• Lateral movement: The malware is spreading through the network, attempting to compromise more devices.
• Command and control: Attackers can take control of systems, using them to launch DDoS attacks or deploy malware.

Indicator of Compromise:

IP:

• 207.246.100[dot]151
• 66.42.124[dot]155
• 104.156.246[dot]150

SHA256:

• c524e118b1e263fccac6e94365b3a0b148a53ea96df21c8377ccd8ec3d6a0874
• 2711f1341d2f150a0c3e2d596939805d66ba7c6403346513d1fc826324f63c87
• 5928f67db54220510f6863c0edc0343fdb68f7c7070496a3f49f99b3b545daf9

Files:

• Kv-all.sh (Cisco)- 7043ffd9ce3fe48c9fb948ae958a2e9966d29afe380d6b61d5efb826b70334f5
• Kv-arm - 690638c702170dba9e43b0096944c4e7540b827218afbfaebc902143cda4f2a7
• Kv-mipsel - 48299c2c568ce5f0d4f801b4aee0a6109b68613d2948ce4948334bbd7adc49eb

For more detailed list of IoC, kindly refer the below URL:

• https://github.com/blacklotuslabs/IOCs/blob/main/KVbotnet_IOCs.txt

Best Practices and Recommendations:

• Implement all accounts with complex password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords.
• Implement multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
• Remove unnecessary access to administrative shares.
• Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.
• Do not browse un-trusted websites or follow un-trusted links and exercise caution while clicking on the link provided in any unsolicited emails and SMSs.
• Monitor system/ VM resources activity for any abnormal high usage.
• Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
• Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.
• Disable remote Desktop Connections, and employ least-privileged accounts. Limit users who can log in using Remote Desktop, and set an account lockout policy. Ensure proper RDP logging and configuration.
• Keep the operating system, and third-party applications (MS Office, browsers, browser Plugins) up-to-date with the latest patches.
• Restrict access using firewalls and allow only to selected remote endpoints, VPN may also be used with a dedicated pool for RDP access.
• Additional Security measures that may be considered are::
• Use RDP Gateways for better management
• Change the listening port for the Remote Desktop
• Tunnel Remote Desktop connections through IPSec or SSH
• Two-factor authentication may also be considered for highly critical systems

References:

• https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/
• https://thehackernews.com/2023/12/new-kv-botnet-targeting-cisco-draytek.html
• https://www.bleepingcomputer.com/news/security/stealthy-kv-botnet-hijacks-soho-routers-and-vpn-devices/#google_vignette