Flax Typhoon is a cyber threat actor observed using legitimate software to gain unauthorized access to organizations in Taiwan.
This group employs sophisticated techniques, including those previously associated with another actor known as “Storm-0558,” to infiltrate systems and extract sensitive information.
Cybersecurity researchers at VulnCheck recently discovered that Flax Typhoon’s botnet has been actively exploiting 66 vulnerabilities in various devices.
Flax Typhoon’s Botnet Exploiting 66 Vulnerabilities
Five Eyes intelligence agencies (FBI, US Cyber Command, NSA, and counterparts from Australia, New Zealand, Canada, and UK) issued a Joint Cybersecurity Advisory about a Chinese-linked botnet called Flax Typhoon.
Meet the CISOs, Join the Virtual Panel to Learn compliance – Join Free
This botnet exploits 66 specific vulnerabilities (CVEs) in routers, IoT devices, and web-facing applications.
Here below, we have mentioned all the technologies targeted by the Flax Typhoon botnet along with the vulnerabilities count:-
- Apache (10 CVEs)
- Cisco (5 CVEs)
- Zyxel (3 CVEs)
- QNAP (3 CVEs)
- Fortinet (3 CVEs)
- Draytek (3 CVEs)
- WordPress (2 CVEs)
- Telesquare (2 CVEs)
- Ivanti (2 CVEs)
- IBM (2 CVEs)
- F5 (2 CVEs)
- Contec (2 CVEs)
- Chamilo (2 CVEs)
The United States is the primary target, hosting “47.9%” of compromised devices, followed by Vietnam (8%) and Germany (7.2%).
The botnet’s reach extends across North America, Europe, and Asia. Among the 66 vulnerabilities, the VulnCheck KEV database initially included ’41,’ while CISA’s KEV catalog listed ’27.’
However, the VulnCheck has since been updated to include all the 66 CVEs.
Prior to the advisory, “71.2%” of these vulnerabilities were known to be exploited or weaponized, “16.7%” had proof-of-concept exploit code available, and “12.1%” lacked public exploit evidence.
This botnet operation potentially threatens critical infrastructure, particularly in the “US,” given the high attention paid to affected devices.
Besides this, the advisory provides crucial indicators of compromise and geographical data on impacted devices, which aims to raise awareness and improve cybersecurity defenses against this threat.
Mitigations
Here below, we have mentioned all the mitigations:-
- Disable unused services and ports
- Implement network segmentation
- Monitor for high network traffic volume
- Apply patches and updates
- Replace default passwords with strong passwords
- Replace end-of-life equipment.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial