Home routers, webcams, NAS devices: Huge IoT botnet shut down by the FBI

Around 1.2 million IoT devices worldwide were part of a botnet, a tenth of them in Germany. The FBI has now shut it down.

IP cameras, NAS systems and routers are infected by malware directed from China

(Image: created with AI in Bing Designer by heise online / dmk)

By Uli Ries

According to the US Department of Justice, US prosecutors have shut down the Raptor Train IoT botnet on the basis of a court order. Michael Horka, Senior Lead Information Security Engineer at Black Lotus Labs, told heise security that all IP traffic to the command and control (C2) servers, payload servers and the rest of the botnet infrastructure was routed to nowhere via null routing. According to the FBI, it took over parts of the infrastructure and instructed the bots to shut down.

Black Lotus Labs is part of IT security provider Lumen Technologies and first brought Raptor Train to the attention of law enforcement in mid-2023. Lumen Technologies has described the structure of the botnet in detail in a document.

According to the FBI, the botnet was operated by a Chinese company called Integrity Technology Group (Integrity Tech), which the authorities allege has links to the Chinese government. Companies such as Microsoft and CrowdStrike refer to the state hacker group as Flax Typhoon.

According to the FBI, Integrity Tech had just over 260,000 routers, webcams and NAS devices under its control around the world in June, including almost 19,000 in Germany. The affected manufacturers include Asus, DrayTek, Hikvision, MikroTik, Mobotix, Qnap, Synology, TP-Link, Ruckus Wireless and Zyxel. According to Michael Horka, who presented the details of Raptor Train at the Labscon 2024 security conference, it is unlikely that zero-day exploits were used to infect the devices, although the infrastructure used to manage the botnet was designed to support this. The law enforcement agencies list all of the vulnerabilities exploited by Raptor Train in a document. Many of the affected devices are still being supplied with security updates by their manufacturers.

The botnet had three tiers: Tier 1 is how the researchers refer to the infected devices. Tier 2 were the C2 servers. Tier 3 was used to manage the infected devices. With regard to Tier 1, Mike Horka said: "The malware used by Raptor Train exists exclusively in the memory of the devices. It therefore does not survive reboots, which explains the constantly fluctuating number of bots." Infected devices were part of the botnet for an average of 17 days. According to the FBI, just over 1.2 million devices have been infected over the four-year lifetime of the botnet.

The malware, dubbed Nosedive by Black Lotus Labs, is based on the code of the well-known IoT malware Mirai and runs on various hardware platforms such as ARM, MIPS, PowerPC or x86. It is fetched by a 15-line bash script that detects the hardware platform of the device and then downloads the matching implant via wget. "On the infected device, the malware hid by assigning itself a common process name chosen at random from a list of eleven entries," said Mike Horka.
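The two behaviours Horka describes, an implant that lives only in memory and a process name borrowed from a list of common daemons, both leave traces that a defender can check for on a Linux host: the binary backing the process is gone (or was never on disk), and the kernel's record of the process name no longer matches the executable it was started from. The script below is an added example written for this article; it is not code from heise, Black Lotus Labs or Lumen, and it makes no claim about how Nosedive actually behaves beyond what the article states. It assumes standard Linux /proc semantics (`/proc/<pid>/comm` and the `/proc/<pid>/exe` symlink). The sample process table and the path `/tmp/.x/implant` are constructed placeholders.

```python
"""Flag processes whose name does not match their binary, or whose binary
only exists in memory. Added example, not from the article or its sources.

Assumes Linux /proc semantics:
  /proc/<pid>/comm  - process name, truncated to 15 chars by the kernel
  /proc/<pid>/exe   - symlink to the executable; ends in " (deleted)" if the
                      file was unlinked, or points at a memfd for file-less code
"""
import os
from dataclasses import dataclass

# Multi-call binaries legitimately run under many names (busybox is ubiquitous
# on exactly the router/NAS/camera class of device discussed in the article).
MULTICALL_BINARIES = {"busybox", "toybox"}
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
DELETED_SUFFIX = " (deleted)"


@dataclass
class ProcInfo:
    pid: int
    comm: str   # contents of /proc/<pid>/comm, stripped
    exe: str    # target of /proc/<pid>/exe, or "" if unreadable


def suspicious_reasons(p: ProcInfo) -> list:
    """Return a list of human-readable reasons a process looks suspect."""
    reasons = []
    exe = p.exe
    if not exe:
        return reasons  # kernel threads have no exe; nothing to compare

    if exe.endswith(DELETED_SUFFIX):
        reasons.append("backing binary was deleted (memory-only executable)")
        exe = exe[: -len(DELETED_SUFFIX)]

    if "memfd:" in exe:
        reasons.append("executes from an anonymous memfd")

    if exe.startswith(TEMP_DIRS):
        reasons.append(f"binary lives in a temporary directory: {exe}")

    base = os.path.basename(exe)
    # Compare on the kernel's 15-character truncation so long names don't
    # produce false mismatches.
    if base not in MULTICALL_BINARIES and base[:15] != p.comm[:15]:
        reasons.append(f"process name '{p.comm}' does not match binary '{base}'")
    return reasons


def triage(procs) -> dict:
    """Map pid -> reasons for every process in `procs` that raised a flag."""
    return {p.pid: r for p in procs if (r := suspicious_reasons(p))}


def read_proc(proc_root: str = "/proc") -> list:
    """Collect ProcInfo for every readable process under proc_root."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{proc_root}/{name}/exe")
        except OSError:
            continue  # process exited, or we lack permission; skip it
        procs.append(ProcInfo(int(name), comm, exe))
    return procs


# Constructed sample process table (placeholders, not real captures):
SAMPLE = [
    ProcInfo(612, "sshd", "/usr/sbin/sshd"),                 # benign
    ProcInfo(701, "wget", "/bin/busybox"),                   # benign multicall
    ProcInfo(843, "httpd", "/tmp/.x/implant (deleted)"),     # masquerading, unlinked
    ProcInfo(905, "ntpd", "/memfd:stage (deleted)"),         # file-less, masquerading
]

if __name__ == "__main__":
    table = read_proc() if os.path.isdir("/proc") else SAMPLE
    for pid, reasons in sorted(triage(table).items()):
        print(pid, "; ".join(reasons))
```

Run it with root privileges to read every process's `exe` link. Treat the name mismatch as a weak signal on its own (symlinked interpreters and multi-call binaries trigger it), and the deleted or memfd-backed executable as the strong one; the article notes the implant does not survive a reboot, so a device that looks clean after a power cycle is not evidence that it was never infected.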

According to Black Lotus Labs, the bots were used to attack US and Taiwanese organizations in the military, government, education, defense, telecommunications and IT sectors. As the IT security researchers did not have access to the C2 layer, the exact activities of the botnet are difficult to trace, according to Mike Horka. For example, no DDoS attacks were observed, although numerous functions for this were found in the Tier 3 software.

The list of exploits controlled by Raptor Train includes several for professional hardware and software such as Cisco ASA and Firepower, F5 BIG-IP, IBM Tivoli and WebSphere or Ivanti appliances. This suggests that the botnet operators misused the infected IoT devices to attack these hardware and software components, hiding behind the victims' IP addresses.

(dahe)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.