Flax Typhoon's latest operations highlight a significant shift in how threat actors are working, moving beyond traditional IT targets and zeroing in on more vulnerable IoT devices. These devices, which often go unnoticed, are now being used as easy entry points for more sophisticated attacks. It’s a trend that’s hard to ignore — IoT device vulnerabilities have skyrocketed by 136% in just a year [1], with some of the riskiest being NAS, VoIP systems, IP cameras, printers, and especially NVRs. Attackers are clearly paying attention, as IoT malware attacks have jumped 400% from 2022 to 2023 [2].
Flax Typhoon is at the forefront of this shift. Unlike their predecessors, Volt Typhoon, who mainly targeted traditional IT infrastructure like routers, Flax Typhoon focuses on a wide array of IoT devices to power their botnet. These compromised devices are powering large-scale campaigns like "Raptor Train," which targets U.S. critical infrastructure and other international entities. What’s particularly alarming is that many of the devices they’ve compromised are still supported by their vendors, making them harder to detect and even more critical to monitor within environments assumed to be secure.
Flax Typhoon’s tactics also reveal a deep understanding of where vulnerabilities lie, particularly in lesser-known and often overlooked IoT devices. Currently, the U.S. and Mexico account for 96.2% of all IoT traffic destinations globally and 69.3% of IoT-based attacks [3]. The Mirai malware family, which is responsible for 66% of all IoT attack payloads [4], plays a big role in the compromise of these devices. Flax Typhoon's use of the "Sparrow" application to efficiently manage their botnet and their strategic deployment of Mirai malware to take control of 260,000 devices — 126,000 of those in the U.S. — demonstrates just how knowledgeable and resourceful these evolving attack groups are becoming.
Even though a task force recently dismantled Flax Typhoon's botnet setup, FBI Director Chris Wray says, “this is just round one of a much longer fight.” Attackers’ continued focus on unknown and unmanaged IoT devices shows they know just how easy these are to compromise and the opportunity they present for new attack campaigns. This underlying narrative points out a glaring fact: legacy asset discovery tools just aren’t enough anymore. It’s clear an evolution is in order; otherwise, security teams are likely to be fighting a losing battle.
Legacy asset discovery tools: what they can’t see will hurt you #
Flax Typhoon’s success underscores the significant challenges legacy asset discovery tools face with the complexities of IoT devices. Their diverse nature and the fact that they operate on non-standard protocols — and are often deeply embedded within network environments — make IoT devices increasingly difficult for traditional tools to detect, categorize, and manage effectively.
Additionally, IoT devices usually have limited security resources dedicated to them, irregular communication patterns, and run on various firmware types, further complicating their discovery and allowing them to operate within the darkest corners of the network. The following challenges make these devices hard for legacy tools to identify:
- Diverse and heterogeneous: IoT devices vary greatly in form, protocol, and communication methods.
- Lack of standardization: IoT devices lack standard identifiers like MAC or IP addresses.
- Limited network visibility: IoT devices often operate on isolated networks or use non-standard ports.
- Minimal footprint and resource constraints: limited processing power and memory restrict the use of discovery agents.
- Firmware variability and obsolescence: outdated or custom firmware is often unrecognized by traditional tools.
- Infrequent communication: some IoT devices communicate sporadically or remain dormant for long periods.
- Lack of security features: many IoT devices lack logging or reporting capabilities.
- Proprietary protocols and closed ecosystems: use of proprietary communication protocols limits compatibility.
- Scalability challenges: the sheer number of IoT devices in modern networks strains legacy tools.
- Dynamic and mobile nature: IoT devices are often mobile or change their network location frequently.
- Security and privacy concerns: aggressive scanning may disrupt IoT devices or expose sensitive data.
To illustrate these challenges, runZero conducted a comprehensive analysis on a representative sample data set, dividing network-connected assets into a three-tier “hierarchy of visibility” based on the level of monitoring and updates they receive. The results revealed that over 60% of devices had limited to no visibility despite being network-connected, creating a targeting bonanza for attackers like Flax Typhoon.
Monitored devices—such as laptops, servers, routers, and switches—constituted 35.45% of devices in the study. These devices benefit from frequent human interaction and visibility through tools like EDR (Endpoint Detection and Response) and SNMP (Simple Network Management Protocol). With automatic updates and rapid responses to known threats, these devices are well-protected.
However, devices with limited visibility accounted for 45.46% of those analyzed by runZero. These include devices like smart TVs, projectors, wireless access points, and printers — devices that might only draw attention when they stop functioning. While these devices support updates through a network connection, they may be infrequent and could even require manual assistance. This makes these devices more vulnerable to exploitation and less likely to be noticed by legacy discovery tools.
Most concerning are the dark matter devices, representing 19.09% of the devices runZero uncovered. These include thermostats, smart plugs, physical access control systems, and even aquarium pumps — devices with almost no visibility to IT or security teams. Running outdated firmware and rarely, if ever, receiving updates, these devices are ideal targets for attackers that seek persistence under the radar.
Flax Typhoon’s focus on these limited- and low-visibility assets allowed the group to infiltrate networks and exploit vulnerabilities for an extended period without traditional asset discovery tools detecting them. This growing trend demonstrates the need for a more comprehensive and dynamic approach, such as runZero, which is designed to bridge these visibility gaps and quickly expose emerging threats, enabling mitigation before exploitation.
How runZero’s unknown & IoT asset visibility tames Flax Typhoon #
runZero’s exposure management platform is designed to do more than just find traditional assets—it’s built to uncover the unconventional ones that make up OT and IoT environments, especially those hidden in the dark corners of your network. Our platform combines passive and active discovery with smart integrations to give you full visibility into every part of your environment. We don’t rely on authentication or agents, so we’re not limited to the usual suspects; instead, we can safely scan for unknown and unmanaged IoT devices without interrupting their operations.
With our powerful fingerprinting capabilities, runZero dives deep into these devices, revealing everything from protocols and ports to firmware, software, network connections, and much more. This level of insight is crucial for identifying not just the unknown devices lurking in your network, but also the breadth of exposures such as policy and compliance violations, faulty network segmentation, 0-day vulnerabilities, misconfigurations, and risky connections that attackers like Flax Typhoon are eager to exploit and quietly use to execute their campaigns.
But runZero’s capabilities don’t stop there — our platform also helps you discover network bridges to more sensitive areas, assess asset routes considering layer 3 paths, and identify multi-homed assets that might serve as jumping-off points for attackers. Plus, our outlier report is critical for IoT devices, offering a live view of unique outliers (including details like asset fields, attributes, and services). Often, IoT devices stand out in this report because of their distinctive characteristics, making them easier to spot and secure.
To get a better understanding of what the runZero Platform can do when it comes to unknown and unmanaged IoT devices, let's take a look at some examples of queries you can execute within the platform and the level of insight they can bring to your security team.
Imagine you're concerned about the risks posed by vulnerable IP-based cameras in your environment. To identify these devices, you can use the query below. You'll notice that the results include third-party integration findings that are merged with assets discovered exclusively by the runZero Platform. These runZero-discovered assets, in the top and leftmost column, highlight the additional range of unconventional and unknown devices that could be missed by more traditional approaches.
vulnerability_count:>=1 and (type:"IP Camera")
Let's take a closer look at one of the assets discovered exclusively by runZero, thanks to our advanced fingerprinting technology: STATIC-82-76-251-133.RDSNET.RO. In the image below, you’ll see a sample of the extensive information we provide, including detailed attributes, OS, status, and much more.
For the hostname STATIC-82-76-251-133.RDSNET.RO, we can identify vulnerabilities associated with this asset’s external attack surface. In our original image of all the IP camera assets, you'll notice the runZero-discovered assets and their medium risk scores, which could warrant further investigation. Upon examining the details of the associated vulnerabilities, we see that the first indicates the asset is running a remote desktop service that may be exposed to the internet (based on the use of an external IP address). The second vulnerability shows that the asset is running an SSH service that accepts password authentication and may also be exposed to the internet.
While this exposure needs to be addressed, we can also make sure the asset is not a multi-homed device providing network bridges to more sensitive systems. To check for this, we go to the network bridges report, which shows us all assets that are multi-homed:
In the assets filter we simply enter the IP address. In this case the asset has no multi-homed network bridges, giving security teams confidence that it represents lower risk than other, more connected assets.
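The multi-homed check described above can also be run against an exported inventory. The following is an added example (not runZero's code or export schema): it takes a constructed asset list, maps each address to a documented network segment with the standard-library ipaddress module, and flags any asset whose addresses span more than one segment as a candidate layer-3 bridge. The segment table, the inventory, and the field names hostname, type and addresses are all assumptions made for the example.

```python
"""Flag multi-homed assets that bridge network segments (added example, not runZero code)."""
import ipaddress

# Constructed segment table (assumed to come from network documentation): name -> CIDR.
SEGMENTS = {
    "iot-cameras": ipaddress.ip_network("192.168.50.0/24"),
    "servers": ipaddress.ip_network("10.10.0.0/16"),
    "corp-clients": ipaddress.ip_network("10.20.0.0/16"),
    "mgmt": ipaddress.ip_network("172.16.1.0/24"),
}

# Constructed inventory; field names are assumptions, not a real export schema.
INVENTORY = [
    {"hostname": "cam-lobby-01", "type": "IP Camera", "addresses": ["192.168.50.12"]},
    {"hostname": "nvr-01", "type": "NVR", "addresses": ["192.168.50.2", "10.10.4.7"]},
    {"hostname": "jump-host", "type": "Server", "addresses": ["10.10.1.5", "172.16.1.5", "10.10.1.6"]},
    {"hostname": "printer-3f", "type": "Printer", "addresses": ["10.20.3.40", "203.0.113.9"]},
]


def segment_of(addr):
    """Return the documented segment containing addr.

    An address outside every documented segment is reported as 'unknown' so a
    device that also carries an undocumented or public address is surfaced.
    """
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def bridged_segments(asset):
    """Sorted list of distinct segments an asset has addresses in.

    Two addresses in the same segment (10.10.1.5 and 10.10.1.6) do not make an
    asset a bridge; only addresses in different segments do.
    """
    return sorted({segment_of(a) for a in asset["addresses"]})


def find_network_bridges(inventory):
    """Return {hostname: segments} for every asset spanning more than one segment."""
    bridges = {}
    for asset in inventory:
        segments = bridged_segments(asset)
        if len(segments) > 1:
            bridges[asset["hostname"]] = segments
    return bridges


def bridges_for_address(inventory, addr):
    """Mirror the report filter: look up one address and return the segments it bridges ([] if none)."""
    for asset in inventory:
        if addr in asset["addresses"]:
            segments = bridged_segments(asset)
            return segments if len(segments) > 1 else []
    return []


if __name__ == "__main__":
    for host, segments in find_network_bridges(INVENTORY).items():
        print(f"{host}: bridges {' <-> '.join(segments)}")
```

Run as a script, the example reports nvr-01 (camera VLAN to server VLAN), jump-host (management to servers) and printer-3f (client VLAN to an undocumented public address); the lobby camera is single-homed and is not listed. In a real environment the segment table is the part worth maintaining, because the verdict is only as good as the documented network layout.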
Detecting persistence in the storm #
An additional quick and easy way to use runZero to detect Flax Typhoon Windows persistence techniques is by checking RDP configurations in your environment. After compromising Windows hosts, Flax Typhoon is known to disable NLA for RDP and install an interactive backdoor. Use runZero’s RDP authentication attributes to audit your environment and check whether NLA is enabled or required, or whether legacy RDP is still enabled. If your organization requires NLA for RDP, then this audit would detect potential compromise as well as noncompliant hosts.
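The NLA audit above can be reproduced without an agent or credentials, which is also how an unauthenticated scanner learns the setting. The following is an added example, not runZero's code: it builds the X.224 Connection Request defined in MS-RDPBCGR with requestedProtocols set to standard RDP security only, and classifies the server's reply. A server that requires NLA answers with RDP_NEG_FAILURE and failure code HYBRID_REQUIRED_BY_SERVER; a server that answers RDP_NEG_RSP selecting PROTOCOL_RDP still accepts legacy RDP security; a server that returns a bare 11-byte Connection Confirm predates protocol negotiation and only speaks legacy RDP. The sample replies in the block are constructed byte strings, not captures from any real host, and the probe_rdp helper is the only part that needs network access.

```python
"""Audit whether an RDP listener requires NLA (added example, not runZero code)."""
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes in total)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    x224 = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + neg_req  # LI=14, CR code, dst-ref, src-ref, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def interpret_reply(data):
    """Classify the server's X.224 Connection Confirm. Returns {'nla_required': bool, 'detail': str}."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT/X.224 reply")
    length = struct.unpack(">H", data[2:4])[0]
    if data[5] != 0xD0:
        raise ValueError("expected X.224 Connection Confirm (0xD0)")
    if length == 11:
        # No RDP_NEG_RSP/RDP_NEG_FAILURE appended: server predates negotiation, legacy security only.
        return {"nla_required": False, "detail": "no negotiation, legacy RDP security only"}
    neg_type, _flags, _neg_len, payload = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_FAILURE:
        code = FAILURE_CODES.get(payload, f"unknown({payload})")
        return {"nla_required": code == "HYBRID_REQUIRED_BY_SERVER", "detail": code}
    if neg_type == TYPE_RDP_NEG_RSP:
        names = {PROTOCOL_RDP: "PROTOCOL_RDP", PROTOCOL_SSL: "PROTOCOL_SSL", PROTOCOL_HYBRID: "PROTOCOL_HYBRID"}
        return {"nla_required": False, "detail": f"server accepted {names.get(payload, hex(payload))}"}
    raise ValueError(f"unexpected negotiation type {neg_type}")


def probe_rdp(host, port=3389, timeout=5.0):
    """Send the request to a host you administer and interpret the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        data = sock.recv(64)
    return interpret_reply(data)


# Constructed sample replies (hand-built per the spec, not captured from real hosts).
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")   # RDP_NEG_FAILURE, code 5
SAMPLE_LEGACY_ACCEPTED = bytes.fromhex("030000130ed000001234000200080000000000")  # RDP_NEG_RSP, PROTOCOL_RDP
SAMPLE_SSL_REQUIRED = bytes.fromhex("030000130ed000001234000300080001000000")   # RDP_NEG_FAILURE, code 1
SAMPLE_NO_NEGOTIATION = bytes.fromhex("0300000b06d00000123400")                  # bare 11-byte CC

if __name__ == "__main__":
    for name, reply in [("nla-required", SAMPLE_NLA_REQUIRED), ("legacy", SAMPLE_LEGACY_ACCEPTED),
                        ("tls-only", SAMPLE_SSL_REQUIRED), ("old", SAMPLE_NO_NEGOTIATION)]:
        print(name, interpret_reply(reply))
```

For a policy that requires NLA, any host whose reply is not HYBRID_REQUIRED_BY_SERVER is a finding: either a noncompliant build or, on a host that was compliant at the last audit, a possible sign of the NLA-disabling step described above. SSL_REQUIRED_BY_SERVER means TLS is enforced but NLA is not, which is a separate, weaker state worth reporting on its own.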
Preparing for the IoT storm #
This is just one example of how the runZero Platform can uncover IoT assets and provide security teams with the insights needed to take action against the riskiest threats. While it’s great that the FBI took down another ‘Typhoon’ like Flax Typhoon, this won’t be the last time IoT devices are used to fuel attack campaigns, given their inherent blind spots and vulnerabilities. This should serve as a wake-up call for all security teams to revisit and review their organization’s asset discovery and management capabilities. After all, knowing where all your assets are and how they’re connected to your infrastructure is the cornerstone of a strong security foundation — one that can quickly identify and address risky exposures, no matter where the assets reside.
- [1] 2024 Forescout, The Riskiest Connected Devices Study
- [2] 2024 Forescout, The Riskiest Connected Devices Study
- [3] 2023 Zscaler ThreatLabz Report
- [4] 2023 Zscaler ThreatLabz Report