
Internet Footprint of SOHO Devices Exploited by Volt Typhoon

Introduction

On May 24, 2023, Microsoft announced that they’d discovered “stealthy and targeted malicious activity” focused on communications critical infrastructure of the US and Guam. The attacks are attributed to a Chinese state-sponsored actor dubbed Volt Typhoon, who has been active since mid-2021.

One of Volt Typhoon’s primary techniques is living off the land, which involves leveraging tools and services that already exist in the compromised environment. This allows them to more effectively subvert detection and increase their dwell time in the environment.

Volt Typhoon leverages compromised small office and home office (SOHO) networking equipment, such as routers, to proxy attack traffic to their targets. Again, with a focus on avoiding detection, proxying their traffic through these residential and small office devices allows them to more easily fade into typical network activity. Notably, affected devices observed appear to have SSH or HTTP open to the internet.

Microsoft’s report and a Joint Cybersecurity Advisory from the NSA and partner agencies have detailed the SOHO devices observed in these attacks, including those made by Cisco, Draytek, FatPipe, Netgear Prosafe, and Zyxel. Below, we explore the internet presence of these devices where HTTP or SSH is also open to the internet.

SOHO Device Exposure

In total, we observed 510,384 hosts (1,113,901 services) running one of these SOHO routers with either the HTTP management interface or the SSH service exposed to the internet.
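To make the host-versus-service distinction concrete, here is an added example (not Censys code) that applies the same counting rule to a handful of constructed scan records: a host counts once if any of its banners names one of the listed vendors and it has HTTP or SSH reachable, and every such HTTP or SSH service on that host counts toward the service total. The record layout, vendor strings and addresses are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Vendors named in the Microsoft report and the joint advisory (from the post).
SOHO_VENDORS = ("draytek", "zyxel", "cisco rv", "netgear prosafe", "fatpipe")
# Services the post treats as exposure: the HTTP management interface or SSH.
EXPOSED_SERVICES = {"HTTP", "SSH"}

def vendor_of(host):
    """Return the first listed vendor whose name appears in a service banner, else None."""
    for svc in host["services"]:
        product = svc.get("product", "").lower()
        for vendor in SOHO_VENDORS:
            if vendor in product:
                return vendor
    return None

def exposed_services(host):
    """HTTP/SSH services on the host, regardless of port number."""
    return [s for s in host["services"] if s["name"].upper() in EXPOSED_SERVICES]

def summarize(hosts):
    """Return (host_total, service_total, {vendor: {country: hosts}})."""
    host_total = service_total = 0
    by_vendor = defaultdict(Counter)
    for host in hosts:
        vendor, exposed = vendor_of(host), exposed_services(host)
        if vendor is None or not exposed:
            continue          # not a listed router, or no HTTP/SSH reachable
        host_total += 1
        service_total += len(exposed)
        by_vendor[vendor][host["country"]] += 1
    return host_total, service_total, {v: dict(c) for v, c in by_vendor.items()}

# Constructed sample records (documentation-range addresses, not real scan data).
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "country": "United Kingdom", "services": [
        {"port": 22, "name": "SSH", "product": "DrayTek Vigor"},
        {"port": 443, "name": "HTTP", "product": "DrayTek Vigor"}]},
    {"ip": "192.0.2.11", "country": "Italy", "services": [
        {"port": 80, "name": "HTTP", "product": "Zyxel USG"}]},
    {"ip": "192.0.2.12", "country": "United States", "services": [
        {"port": 8443, "name": "HTTP", "product": "Cisco RV340"},
        {"port": 53, "name": "DNS", "product": ""}]},      # DNS is not counted
    {"ip": "192.0.2.13", "country": "Vietnam", "services": [
        {"port": 161, "name": "SNMP", "product": "DrayTek"}]},  # no HTTP/SSH: skipped
    {"ip": "192.0.2.14", "country": "Germany", "services": [
        {"port": 22, "name": "SSH", "product": "OpenSSH"}]},    # not a listed vendor
]

if __name__ == "__main__":
    hosts, services, per_vendor = summarize(SAMPLE_HOSTS)
    print(f"{hosts} hosts ({services} services)")
    for vendor, countries in per_vendor.items():
        for country, n in Counter(countries).most_common():
            print(f"{vendor:16} {country:16} {n}")
```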

Draytek hosts (top 10 countries)
  United Kingdom   190,369
  Vietnam           65,616
  Netherlands       47,666
  Australia         21,172
  Italy             16,521
  Taiwan            15,292
  France            12,575
  Poland            10,459
  Germany            8,917
  Portugal           7,792

Zyxel hosts (top 10 countries)
  Italy              6,656
  France             4,323
  Switzerland        2,477
  United States      2,108
  Germany            1,049
  Spain                919
  Taiwan               674
  South Korea          649
  Netherlands          504
  Austria              478

Cisco RV hosts (top 10 countries)
  United States      3,305
  Canada             1,264
  Brazil               987
  India                976
  Poland               969
  Argentina            888
  Thailand             624
  Mexico               394
  China                384
  Colombia             294

Netgear Prosafe hosts (top 10 countries)
  United States      2,072
  Japan                960
  South Korea          147
  Sweden                80
  Germany               20
  Canada                16
  Hong Kong             12
  United Kingdom         7
  Finland                7
  Italy                  7

FatPipe hosts (top 10 countries)
  United States        839
  India                122
  Mexico                18
  China                 16
  Philippines           13
  Nigeria                9
  United Kingdom         5
  Hong Kong              4
  Jamaica                2
  Germany                1


Conclusion

With over half a million small office and home office networking devices exposing HTTP or SSH to the internet, threat actors like Volt Typhoon have ample opportunity to compromise these devices and use them to proxy their traffic.

If you’re running a SOHO device, ensure that the administrative login and controls aren’t accessible from the public internet. Check out me.censys.io to see if your router is exposing any unexpected services to the public internet.
