China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance
The China-linked JDY botnet has grown to 1,500+ compromised SOHO and IoT devices used for cyber reconnaissance. Here’s who’s affected and what to do.
What’s new: The JDY botnet, linked to Chinese state-sponsored actors, has expanded to over 1,500 compromised SOHO and IoT devices. The botnet is used for cyber reconnaissance, including scanning and fingerprinting exposed services, and has evolved from a component of the KV-botnet into an independent entity. Its growth has been significant, up from 650 devices in January 2024, and it primarily targets infrastructure in the U.S. and Brazil.
Who’s affected
Organizations running SOHO routers, firewalls, and IoT devices, particularly those from manufacturers such as Cisco, Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision, and Linksys, are at risk of compromise. The botnet’s operations are designed to evade traditional security measures, making it a concern for security teams globally.
What to do
- Monitor network traffic for unusual scanning activities and patterns indicative of reconnaissance efforts.
- Ensure that all devices, especially SOHO and IoT, are updated with the latest firmware and security patches.
- Implement network segmentation to limit the impact of potential compromises.
- Utilize threat intelligence to stay informed about emerging vulnerabilities and botnet activities.