China's Volt Typhoon crew and its botnet surge back with a vengeance

China's Volt Typhoon crew and its botnet are back, compromising old Cisco routers once again to break into critical infrastructure networks and kick off cyberattacks, according to security researchers. The alert comes nearly ten months after the Feds claimed a victory against the Chinese government-linked miscreants, when the …

  1. Bendacious Silver badge

    "because the routers are end-of-life, the vendor no longer issues security updates"

    Router manufacturers seem to get away with only patching the equipment they make for a very short time. In my experience home routers may get one or two updates in the first 18 months and then nothing. Cisco is a bit better with company equipment, but they absolutely know about vulnerabilities in older equipment and do not push updates because it would be bad for business. They have to share some blame for their equipment being used in this way. I know the equipment owners should know this.

    If I remember correctly, Microsoft issued an update for Windows XP five years after it went out of support because it was a bad one being actively exploited. It would be nice to see Cisco doing the same.

    1. druck Silver badge

      Re: "because the routers are end-of-life, the vendor no longer issues security updates"

      I've got 3 ASUS routers, the oldest is 11 years old and is still getting updates to its Merlin software. They can all run OpenWRT too.

      Incidentally I'm using the RT-AX86U as the main router, the RT-AC86U as a mesh node on another floor, and the oldest RT-AC68U as a WiFi Bridge to the Raspberry Pi in the shed at the bottom of the garden.

  2. bombastic bob Silver badge
    Linux

    unusual (secure) SMTP activity in the last month or two

    I've been seeing unusual (secure) SMTP activity from some specific IP address ranges. They connect as if to relay mail via the secure SMTP port and simply try to log in with dictionary names. For some reason fail2ban did not have a script that I could use to detect these, so I just block the IP addresses with firewall rules. One of the ISPs had several IP addresses assigned to it and is located in London [yes, I did notify them]. One other is in the US but I haven't sent an e-mail about it yet. I do not know if this is anything connected with the group from China, but it appears to be searching for user/pass information on Linux systems since all it does is attempt to log in to relay mail. Could also just be a spammer. I was simply thinking that it is a possible side-channel attack: if successful at relaying mail, it might try ssh next.

    Though in my case I use FreeBSD, they are probably looking for a Linux system, my guess, like older Cisco routers and firewalls.
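The comment above describes the problem that fail2ban's maxretry/findtime logic solves: count SMTP AUTH failures per source address in a sliding window and push repeat offenders into a firewall block list. The following added example (editorial illustration, not the commenter's setup and not fail2ban's own code) does that over a handful of constructed Postfix-style "SASL ... authentication failed" log lines and renders pf table commands for the FreeBSD case; the threshold of 5 failures in 10 minutes and the pf table name `smtp_bruteforce` are assumptions, and the pf.conf rule that blocks traffic from that table is assumed to exist.

```python
"""Sliding-window detector for SMTP AUTH brute forcing.

Added example, not code from the comment thread or from fail2ban.
The log lines are constructed in the Postfix-style
"warning: host[ip]: SASL LOGIN authentication failed" format; the
threshold, window and pf table name are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one address hammers the submission port with five
# failures in under a minute, a second address fails twice hours apart,
# and a legitimate client authenticates successfully.
SAMPLE_LOG = """\
Oct 10 03:12:41 mx postfix/smtps/smtpd[2211]: connect from unknown[203.0.113.7]
Oct 10 03:12:44 mx postfix/smtps/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 10 03:12:52 mx postfix/smtps/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 10 03:13:05 mx postfix/smtps/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 10 03:13:19 mx postfix/smtps/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 10 03:13:33 mx postfix/smtps/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct 10 03:40:02 mx postfix/smtps/smtpd[2290]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Oct 10 05:02:17 mx postfix/smtps/smtpd[2411]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Oct 10 05:03:00 mx postfix/smtps/smtpd[2412]: client=mail.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
"""

# Matches only the failure lines; successful logins and plain connects are ignored.
AUTH_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S+: "
    r"warning: [^\s\[]+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
    r"SASL \w+ authentication failed"
)


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_forcers(lines, max_fail=5, window_minutes=10, year=2024):
    """Return {ip: time the threshold was first crossed} for every source
    with at least max_fail AUTH failures inside any window_minutes span.
    This is the maxretry/findtime behaviour of a fail2ban jail."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    banned = {}
    for line in lines:
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        ip = m.group("ip")
        t = parse_ts(m.group("ts"), year)
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_fail and ip not in banned:
            banned[ip] = t
    return banned


def pf_block_commands(banned, table="smtp_bruteforce"):
    """Render pfctl commands that add each offender to a pf table.
    The table name is assumed; pf.conf must already block from <table>."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    offenders = find_brute_forcers(SAMPLE_LOG.splitlines())
    for ip, when in offenders.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    print("\n".join(pf_block_commands(offenders)))
```

With the defaults only 203.0.113.7 is flagged; 198.51.100.23's two failures are an hour and a half apart, so they never share a 10-minute window. Widening the window to two hours with a threshold of two catches it as well, which is the usual tuning trade-off: slow, spread-out dictionary attempts need a long findtime, at the cost of occasionally banning a user who mistypes a password twice.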

    1. sitta_europea Silver badge

      Re: unusual (secure) SMTP activity in the last month or two

      "I've been seeing unusual (secure) SMTP activity from some specific IP address ranges. They connect as if to relay mail via the secure SMTP port and simply try to log in..."

      It's not exactly unusual. The current count of IPs blocked here for this reason is 5196. Happy to publish them if anyone asks.
