
Security researchers have identified a botnet that infects an average of roughly 14,000 routers and other network devices per day, with a notable concentration on Asus hardware. The malware, called KadNap, exploits unpatched vulnerabilities to conscript devices into a proxy network that relays anonymized traffic for cybercrime. According to Chris Formosa, a researcher at Lumen’s Black Lotus Labs, the attackers most likely rely on known exploits rather than zero-day vulnerabilities, and favor Asus models because reliable exploits for them are available.
The botnet’s scale has grown from around 10,000 infected devices in August of last year, when it was first discovered by Black Lotus Labs, to its current average of 14,000 per day. Geographically, compromised devices are predominantly located in the United States, with smaller clusters observed in Taiwan, Hong Kong, and Russia. This distribution highlights the widespread impact of the infection across multiple regions.
KadNap distinguishes itself through a sophisticated peer-to-peer architecture based on Kademlia, a protocol that organizes nodes into a distributed hash table (DHT). This design hides the IP addresses of the command-and-control servers, making the botnet highly resistant to traditional detection and takedown techniques. In a statement released on Wednesday, Formosa and fellow Black Lotus researcher Steve Rudd noted that the use of a decentralized control network is a clear strategy to evade defensive measures and complicate protection efforts.
Distributed hash tables underpin a number of hardened peer-to-peer networks, including BitTorrent and the InterPlanetary File System (IPFS). In a centralized system, a server manages the nodes and hands out IP addresses directly; in a DHT, nodes instead ask their peers for the node or resource identified by a hash, and each peer answers from its own partial view of the network. This decentralization, combined with the replacement of IP addresses by cryptographic hashes, makes the network far more resilient against takedowns and denial-of-service attacks.
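The two paragraphs above describe the Kademlia DHT only in outline. The following in-memory simulation is an added illustration of that lookup mechanism; it is not KadNap's code and is not drawn from the Black Lotus Labs analysis. It assumes 32-bit node IDs derived by hashing a label, a bucket size of k=4, and a fully simulated network with hypothetical node labels ("node-0" and so on) and a hypothetical rendezvous key. It shows the property that matters to defenders: every node knows only a small slice of the network, lookups converge on a key by XOR distance alone, and no IP address of a central server ever appears in the exchange, so there is no single address to block or seize.

```python
# Added example: toy in-memory Kademlia-style lookup, not KadNap's code.
# Assumptions: 32-bit IDs from a hash of a label, bucket size K=4, and a
# simulated network (no sockets). IDs stand in for the cryptographic hashes
# the article mentions; IP addresses never take part in the lookup.
import hashlib

ID_BITS = 32
K = 4  # Kademlia k: bucket capacity and number of results per query


def node_id(label: str) -> int:
    """Derive a fixed-width ID from a label, as DHTs hash keys and node identities."""
    digest = hashlib.sha1(label.encode()).digest()
    return int.from_bytes(digest[:ID_BITS // 8], "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's distance metric: XOR of two IDs, compared as an integer."""
    return a ^ b


def bucket_index(a: int, b: int) -> int:
    """Index of the highest bit in which a and b differ (-1 if they are equal)."""
    return xor_distance(a, b).bit_length() - 1


def closest(candidates, target: int, k: int = K):
    """The k candidates nearest to target under XOR distance."""
    return sorted(candidates, key=lambda n: xor_distance(n, target))[:k]


def build_network(labels, k: int = K):
    """Build every node's routing table: at most k peers per bit-prefix bucket.

    Each node therefore knows only a small slice of the network; no node and
    no server holds the complete membership list.
    """
    ids = sorted({node_id(label) for label in labels})
    tables = {}
    for nid in ids:
        buckets = {}
        for other in ids:
            if other == nid:
                continue
            bucket = buckets.setdefault(bucket_index(nid, other), [])
            if len(bucket) < k:
                bucket.append(other)
        tables[nid] = {peer for bucket in buckets.values() for peer in bucket}
    return ids, tables


def iterative_lookup(tables, start: int, target: int, k: int = K):
    """Simplified FIND_NODE: ask the closest known peers for their closest peers.

    Returns (the k closest node IDs found, number of query rounds). Each
    simulated RPC to a node returns that node's k nearest known peers to target.
    """
    shortlist = set(closest(tables[start] | {start}, target, k))
    queried = set()
    rounds = 0
    while True:
        to_query = [n for n in closest(shortlist, target, k) if n not in queried]
        if not to_query:
            break  # the k closest nodes we know of have all answered: converged
        rounds += 1
        for n in to_query:
            queried.add(n)
            shortlist |= set(closest(tables[n] | {n}, target, k))
    return closest(shortlist, target, k), rounds


if __name__ == "__main__":
    # Constructed sample: 200 hypothetical nodes and one hypothetical rendezvous key.
    ids, tables = build_network([f"node-{i}" for i in range(200)])
    key = node_id("rendezvous-key")
    found, rounds = iterative_lookup(tables, ids[0], key)
    print(f"largest routing table: {max(len(t) for t in tables.values())} of {len(ids)} nodes")
    print(f"lookup converged in {rounds} rounds; nearest node {found[0]:08x}")
    print(f"true nearest node:   {min(ids, key=lambda n: xor_distance(n, key)):08x}")
```

Because the routing tables are built as Kademlia buckets (at most k peers per shared-prefix length), each query round reaches nodes that share a strictly longer prefix with the key, so the lookup always ends at the node with the smallest XOR distance even though no participant holds more than a few dozen of the 200 entries. For a defender this is the practical consequence of the design: blocking or sinkholing one address removes one peer, not the control channel, which is why detection of such infections tends to rest on the device's own anomalous peer traffic and on patch status rather than on a C2 blocklist.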
The resilience of KadNap’s design poses significant challenges for cybersecurity defenders. By leveraging a peer-to-peer framework, the botnet avoids single points of failure that are typically targeted in takedown operations. This makes it more difficult to disrupt the network’s operations or identify its controllers, as noted by the researchers.
Chris Formosa emphasized that the high prevalence of Asus routers in the botnet is likely due to botnet operators having acquired effective exploits for vulnerabilities specific to those models. He clarified that it is improbable that zero-day vulnerabilities are being used in these attacks, suggesting that many infections result from users failing to apply available patches.
The ongoing growth of the KadNap botnet, from 10,000 to 14,000 infected devices daily, underscores the persistent threat posed by unpatched network hardware. As cybercriminals continue to refine their techniques with decentralized architectures, the need for proactive security measures and timely updates becomes increasingly critical to mitigate such risks.