Flax Typhoon Botnet Exposes Alarming IoT Vulnerabilities…again.
A newly published joint cybersecurity report from the FBI, CNMF, NSA, and allied agencies has revealed a large-scale IoT botnet campaign linked to the People’s Republic of China (PRC). This botnet, active since mid-2021, has compromised over 1.2 million devices, including routers, network-attached storage (NAS), and other Internet-connected systems. As of June 2024, 260,000 devices were still actively exploited. The ongoing scale and persistence of these botnet attacks continue to signal the need for manufacturers to rethink their approach to IoT security, focusing on embedding protection directly at the firmware level.
The Scale of the Threat: 1.2 Million Devices and Counting
This botnet, controlled by PRC-linked cyber actors such as Flax Typhoon, RedJuliett, and Ethereal Panda, primarily targets IoT devices and web-facing applications using Mirai-based malware. Mirai, originally developed to hijack IoT devices for Distributed Denial of Service (DDoS) attacks, has evolved into a more sophisticated tool for creating large botnets. More than 47.9% of the compromised devices identified in the report are located in the United States, but the reach and impact of these cyber operations are global.
The scale of the campaign is particularly alarming for manufacturers, given that IoT devices are often deployed in sensitive infrastructure, industrial systems, and critical networks. Once compromised, these devices are used to mask the identity of attackers, facilitate DDoS attacks, and compromise additional networks, including those in industrial and enterprise settings. IoT device makers, including those in industries such as smart meters, drones, and GPS, need to take urgent action to protect their systems from becoming the next targets.
Outdated Firmware: The Achilles Heel of IoT Devices
One of the key issues identified in the report is the reliance on outdated firmware in many of the compromised devices. A large number of devices in the botnet were running firmware versions that had not been supported by vendors since as early as 2016. This leaves them vulnerable to known exploits and easy to incorporate into botnet operations.
While regular patching and updates can mitigate some risks, the reality is that many IoT devices are left unpatched due to their placement in remote or unmanaged environments. This is why embedding intrusion detection systems (IDS) at the firmware level is critical. These systems can monitor for unusual behaviour, identify suspicious traffic, and halt malicious activity before it escalates, even when devices cannot be easily updated.
Mirai Malware and Its Evolution
The botnet detailed in the report relies heavily on Mirai-based malware, which has become synonymous with IoT botnet attacks since its source code was leaked in 2016. Initially, Mirai targeted insecure IoT devices such as webcams, routers, and IP cameras to conduct DDoS attacks. The PRC-linked botnet, however, has customised Mirai to automate the compromise of various IoT devices, taking advantage of vulnerabilities that allow attackers to gain remote access.
One of the most concerning elements is the botnet’s command-and-control (C2) infrastructure, which relies on Transport Layer Security (TLS) to encrypt communications between infected devices and the attackers. Encrypting C2 traffic makes it harder for network defenders to detect malicious activity, yet for many IoT deployments network monitoring remains the key detection control.
Segmentation and Least Privilege: Preventing Spread
Another key lesson from the report is the importance of network segmentation and least privilege access. The botnet thrived on poorly segmented networks, allowing compromised devices to communicate freely with each other. Once inside, these devices acted as a gateway to compromise further systems, amplifying the scale of the attack.
Manufacturers can limit the spread of any potential compromise by ensuring that IoT devices are segmented from other parts of the network and that each device operates under the principle of least privilege. This means restricting devices’ ability to communicate beyond their necessary functions, reducing the attack surface, and preventing lateral movement within the network. Monitoring for high traffic volumes is essential for detecting early signs of a DDoS attack originating from compromised IoT devices.
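As an added illustration (not from the advisory or from qomodo's product) of the controls discussed here and in the firmware and Mirai sections above, the Python sketch below applies a per-device least-privilege allowlist to constructed outbound flow records and flags unexpected TLS sessions, device-to-device contact on the IoT segment, and outbound volume bursts. The device addresses, cloud endpoints, thresholds and the flow schema are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict, namedtuple

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")   # hypothetical IoT VLAN
GATEWAY = "10.20.0.1"
Flow = namedtuple("Flow", "ts src dst dport nbytes")   # one outbound flow record (constructed schema)

# Least-privilege policy: each device may only reach the endpoints its function needs.
# Device addresses and cloud endpoints are hypothetical.
ALLOWLIST = {
    "10.20.0.11": {(GATEWAY, 53), ("203.0.113.10", 443)},   # IP camera: DNS + vendor cloud
    "10.20.0.12": {(GATEWAY, 53), ("203.0.113.20", 8883)},  # smart meter: DNS + MQTT broker
}

def detect(flows, window_s=10.0, flood_bytes=5_000_000, lateral_peers=3):
    """Return sorted (device, reason) alerts for a batch of outbound flow records."""
    alerts = set()
    volume = defaultdict(int)     # (device, time window) -> bytes sent
    peers = defaultdict(set)      # device -> other IoT devices it contacted
    for f in flows:
        allowed = ALLOWLIST.get(f.src)
        if allowed is None:
            alerts.add((f.src, "unknown device on IoT segment"))
            continue
        if (f.dst, f.dport) not in allowed:
            # TLS payloads cannot be inspected, but a device has no reason to open
            # TLS sessions to anything but its known cloud endpoints.
            kind = "unexpected outbound TLS" if f.dport == 443 else "policy violation"
            alerts.add((f.src, f"{kind} to {f.dst}:{f.dport}"))
            if f.dst != GATEWAY and ipaddress.ip_address(f.dst) in IOT_SEGMENT:
                peers[f.src].add(f.dst)   # device-to-device traffic: lateral movement
        volume[(f.src, int(f.ts // window_s))] += f.nbytes
    for (dev, _), nbytes in volume.items():
        if nbytes > flood_bytes:
            alerts.add((dev, "outbound volume exceeds flood threshold"))   # DDoS participation
    for dev, hosts in peers.items():
        if len(hosts) >= lateral_peers:
            alerts.add((dev, f"contacted {len(hosts)} peer devices on the IoT segment"))
    return sorted(alerts)

SAMPLE = [  # constructed flows, not real telemetry
    Flow(0.0, "10.20.0.11", GATEWAY, 53, 120),             # benign DNS lookup
    Flow(1.0, "10.20.0.11", "203.0.113.10", 443, 9_000),   # benign upload to vendor cloud
    Flow(2.0, "10.20.0.12", "198.51.100.7", 443, 800),     # TLS beacon to an unknown host
    Flow(4.0, "10.20.0.11", "192.0.2.50", 80, 6_000_000),  # 6 MB burst inside one window
] + [Flow(3.0 + i, "10.20.0.12", f"10.20.0.{13 + i}", 23, 60) for i in range(3)]  # probes neighbours

if __name__ == "__main__":
    for dev, reason in detect(SAMPLE):
        print(dev, reason)
```

The same logic can run on the device itself over its own socket activity, which is the point of firmware-level detection: it still works when the device cannot be patched or when upstream network sensors cannot see inside TLS.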
The Path Forward: Embedded Security in IoT Devices
The report is a reminder that securing IoT devices cannot just be about ‘applying patches’. Proactive measures, including disabling unused services and replacing end-of-life equipment, are critical to limiting the impact of botnet recruitment. However, the most effective strategy is embedding security directly into the firmware of IoT devices, providing a built-in defence against future attacks.
At qomodo, we believe that the future of IoT security lies in embedded protection—the ability to detect and respond to threats in real-time, even in devices that are difficult to manage or update. As we move toward a more connected world, this level of security will be essential for protecting critical infrastructure and ensuring the integrity of IoT ecosystems.