Introduction
On May 24, 2023, Microsoft announced that they’d discovered “stealthy and targeted malicious activity” focused on communications critical infrastructure of the US and Guam. The attacks are attributed to a Chinese state-sponsored actor dubbed Volt Typhoon, who has been active since mid-2021.
One of Volt Typhoon’s primary techniques is living off the land, which involves leveraging tools and services that already exist in the compromised environment. This allows them to more effectively subvert detection and increase their dwell time in the environment.
Volt Typhoon leverages compromised small office and home office (SOHO) networking equipment, such as routers, to proxy attack traffic to their targets. Here too the goal is to avoid detection: proxying their traffic through these residential and small office devices lets it blend into typical network activity more easily. Notably, the affected devices observed appear to have SSH or HTTP open to the internet.
Microsoft and a Joint Cybersecurity Advisory by the NSA and others have detailed SOHO devices they’ve observed involved in these attacks, including those made by Cisco, Draytek, FatPipe, Netgear Prosafe, and Zyxel. Below, we explore the internet presence of these devices that also have HTTP or SSH open to the internet.