CISA, in collaboration with the FBI, has issued a warning urging manufacturers of small office/home office (SOHO) routers to bolster the security of their devices against ongoing attacks orchestrated by the Chinese state-backed hacking group Volt Typhoon, also known as Bronze Silhouette. The guidance specifically calls for addressing vulnerabilities in SOHO router web management interfaces during the design and development phases. Manufacturers are urged to automate security updates through adjusted default configurations, mandate manual overrides for disabling security settings, and restrict access to router web management interfaces only to devices connected to the local area network. The advisory emphasizes the critical need to eliminate pathways for threat actors attempting to compromise SOHO routers and leverage them as launchpads for further attacks on U.S. critical infrastructure entities.
The alert highlights the prevalence of threat actors compromising SOHO routers, taking advantage of their widespread usage in American households and utilizing them as launchpads for attacks targeting critical infrastructure organizations. Volt Typhoon, the Chinese state-backed group, is specifically mentioned in connection with attacks likely involving the KV-botnet malware, which has been targeting SOHO routers since at least August 2022. The group has been known for targeting routers, firewalls, and VPN devices, employing tactics such as proxying malicious traffic to blend with legitimate traffic, making detection during attacks more challenging. The advisory also calls on manufacturers to disclose vulnerabilities through programs like Common Vulnerabilities and Exposures (CVE) and implement incentive structures prioritizing security during product design and development.
Volt Typhoon’s attacks on SOHO routers mentioned in the alert are likely linked to the KV-botnet malware discovered in December, known for targeting devices at the edge of networks. The U.S. government had previously assessed that Volt Typhoon was working on building infrastructure capable of disrupting communications infrastructure across the United States. The Chinese-backed state hackers have been reported to target and breach critical infrastructure organizations in the U.S. since at least mid-2021, with Volt Typhoon demonstrating a focus on routers, firewalls, VPN devices, and even IP cameras. The U.S. government has reportedly taken down part of Volt Typhoon’s infrastructure in recent months.
