Experts in cybersecurity have raised alarms over the significant growth and resurgence of the JDY botnet, a network linked to Chinese state-sponsored cyber groups. The botnet, which now includes over 1,500 compromised devices, is used for extensive scanning and reconnaissance operations.
Expansion of JDY Botnet
According to Black Lotus Labs of Lumen Technologies, the JDY network predominantly comprises compromised small office/home office (SOHO) and Internet of Things (IoT) devices. This botnet is employed to identify and map out vulnerable internet services on a large scale. Initially detected as part of another botnet known as KV-botnet in December 2023, JDY has since evolved into a formidable threat utilized by Chinese hacking entities like Volt Typhoon.
After the U.S. government dismantled the KV-botnet in early 2024, which took a significant portion of that network offline, the operators behind the JDY botnet adjusted their tactics. The JDY network has since not only expanded its scope but also diversified the types of devices it infects, integrating into a broader cyber reconnaissance ecosystem.
Targeted Scanning and Reconnaissance
The JDY botnet is strategically used for targeted scanning and service identification, aiming to exploit vulnerabilities in infrastructure following public vulnerability disclosures. This points to a sophisticated and industrial-level reconnaissance effort by Chinese nation-state actors. Black Lotus Labs reports that the size of the JDY botnet has more than doubled from 650 bots in January 2024 to over 1,500 today, with the majority of compromised devices located in the United States and Brazil, followed by regions in Europe and Asia.
The pool of compromised devices, previously dominated by Cisco routers, has diversified to include equipment from Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys. Many of these devices are outdated and carry known vulnerabilities, making them prime targets for exploitation.
Technical Insights and Future Implications
The architecture of the JDY botnet is complex: the compromised infrastructure, including command-and-control (C2) and payload servers, is managed through Tor nodes. This setup supports precise reconnaissance and system profiling rather than indiscriminate scanning, with the collected data sent to central servers for intelligence gathering.
The malware used in the JDY botnet is designed to adapt its scanning techniques based on local system privileges, optimizing its efficacy in discovering vulnerabilities. This capability indicates a sophisticated approach to asset discovery and vulnerability targeting, vital for subsequent exploitation and attack orchestration.
Black Lotus Labs highlights that the JDY botnet exemplifies how IoT and SOHO botnets are employed for rapid exploitation of vulnerabilities. Despite efforts to dismantle such networks, their resilience and adaptability allow them to persist and provide adversaries with up-to-date targeting data shortly after vulnerabilities are disclosed.
The ongoing evolution of the JDY botnet demonstrates that while individual nodes may be disrupted, the overarching capability remains intact, continuing to serve adversarial objectives efficiently and effectively.
