{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/products/network-attached-storage-nas-devices/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": ["China-nexus cyber actors"],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["SOHO Routers", "IoT Devices", "Web Cameras", "Video Recorders", "Firewalls", "Network Attached Storage (NAS) Devices"],
      "_cs_severities": ["high"],
      "_cs_tags": ["covert-network", "botnet", "china-nexus", "compromised-devices"],
      "_cs_type": "threat",
      "_cs_vendors": ["Cisco", "Netgear"],
      "content_html": "\u003cp\u003eA joint advisory highlights a significant shift in tactics employed by China-nexus cyber actors. They are moving away from using individually procured infrastructure and instead leveraging large-scale, externally provisioned networks of compromised devices. These \u0026ldquo;covert networks\u0026rdquo; primarily consist of Small Office Home Office (SOHO) routers, Internet of Things (IoT) devices, and smart devices, but can include any vulnerable device that can be exploited at scale. These networks are used for various purposes, including disguising the origin of malicious activity, scanning networks, delivering malware, communicating with compromised systems, exfiltrating stolen data, and conducting general deniable internet browsing to research new TTPs and victim profiles. These networks are constantly updated and could be used by multiple actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: China-nexus actors exploit vulnerabilities in SOHO routers, IoT devices (web cameras, video recorders), firewalls, and NAS devices.\u003c/li\u003e\n\u003cli\u003eBotnet Establishment: Compromised devices are incorporated into a covert network (botnet), often controlled by Chinese information security companies.\u003c/li\u003e\n\u003cli\u003eReconnaissance: The actors use the botnet to scan target networks, gathering information about potential vulnerabilities and attack surfaces.\u003c/li\u003e\n\u003cli\u003eExploitation: Leveraging the compromised network to mask their origin, the actors exploit identified vulnerabilities in target systems.\u003c/li\u003e\n\u003cli\u003eMalware Delivery: The covert network is used to deliver malware payloads to compromised systems within the target network.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The actors establish command and control (C2) channels through the compromised network to remotely control the malware and maintain access.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: Sensitive data is exfiltrated from the compromised network through the covert network, making attribution difficult.\u003c/li\u003e\n\u003cli\u003ePersistence: The actors maintain persistence on compromised systems to ensure continued access and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised networks can lead to the exposure of sensitive data, disruption of critical services, and financial losses. The use of covert networks makes attribution difficult, allowing attackers to operate with impunity. The advisory notes that Volt Typhoon has used these techniques to pre-position on critical national infrastructure. The widespread nature of the networks, comprising potentially hundreds of thousands of endpoints, makes traditional network defense strategies like static IP blocklists less effective. In 2024, one such network, Raptor Train, infected over 200,000 devices worldwide.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement robust patch management practices to keep SOHO routers, IoT devices, and other network devices up-to-date with the latest security patches (reference: Overview).\u003c/li\u003e\n\u003cli\u003eStrengthen network perimeter security by implementing intrusion detection and prevention systems (IDPS) to identify and block malicious traffic originating from suspicious or known compromised IP addresses (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns and anomalies that may indicate the presence of a compromised device or covert network activity (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Outbound Connection to Known SOHO Devices\u0026rdquo; to identify potential compromised devices on your network (reference: rules).\u003c/li\u003e\n\u003cli\u003eSegment networks to limit the potential impact of a compromised device or network segment (reference: Protective Advice).\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-04-23T11:22:42Z",
      "date_published": "2026-04-23T11:22:42Z",
      "id": "/briefs/2026-04-china-nexus-covert-networks/",
      "summary": "China-nexus cyber actors are increasingly using large-scale networks of compromised devices, including SOHO routers and IoT devices, to obscure the origin of their attacks and conduct various malicious activities, from reconnaissance to data exfiltration.",
      "title": "China-Nexus Cyber Actors Using Covert Networks of Compromised Devices",
      "url": "https://feed.craftedsignal.io/briefs/2026-04-china-nexus-covert-networks/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Network Attached Storage (NAS) Devices",
  "version": "https://jsonfeed.org/version/1.1"
}