A joint cybersecurity advisory from the Federal Bureau of Investigation, Cyber National Mission Force, and National Security Agency exposes new activity from the Flax Typhoon threat actor. The group has compromised more than 260,000 Small Office/Home Office routers, firewalls, Network-attached Storage, and Internet of Things devices to create a botnet capable of launching Distributed Denial of Service attacks or targeted attacks aimed at U.S. networks.
Flax Typhoon, also known as RedJuliett and Ethereal Panda, is a China-based threat actor active since at least mid-2021. The group has targeted Taiwan-based organizations as well as other victims in Southeast Asia, North America, and Africa for cyberespionage purposes. According to the FBI’s joint advisory, the group stands behind a China-based company called Integrity Tech, which has ties to the Chinese government.
The botnet, known as Raptor Train, has been tracked for four years by Black Lotus Labs, the threat intelligence team of cybersecurity company Lumen. Affected devices have been compromised by a variant of the infamous Mirai malware family. The malware automates the compromise of a wide range of devices by exploiting known, unpatched vulnerabilities. Once a device is compromised, it sends system and network information to an attacker-controlled command-and-control (C2) server.
The FBI recommends the following actions be taken promptly:
The federal agency also suggested that businesses plan for periodic device reboots and replace end-of-life equipment with models that still receive vendor support.