

Multiple TP-Link Omada ER605 Routers Zero-Day Vulnerabilities
May 24, 2024
CVE-2024-31340 – TP-Link Tether and TP-Link Tapo Vulnerability
May 24, 2024
Severity
High
Analysis Summary
Security researchers are warning that China-linked, state-sponsored threat actors are increasingly using operational relay box (ORB) networks to stage cyber-espionage operations.
These networks, similar in structure to botnets, are built from a mix of rented virtual private servers (VPS) and compromised internet-facing devices, including end-of-life routers and IoT products. They are administered by independent operators rather than by the espionage groups themselves, and a single ORB network can provide access to several state-sponsored actors at once.
Because the infrastructure is decentralized and constantly changing, these networks are difficult both to detect and to attribute. ORB administrators draw on a diverse, globally distributed pool of nodes, so malicious traffic arrives from addresses that have no obvious link to the actor behind it, which undermines enterprise defenses built around static indicators.

Google-owned Mandiant has identified several ORB networks, including ORB3/SPACEHOP and ORB2/FLORAHOX, used by advanced threat actors with ties to China. SPACEHOP, for instance, has been used by groups such as APT5 and APT15 for reconnaissance and vulnerability exploitation. FLORAHOX is a hybrid network that combines compromised devices, VPS services and Tor routing to obscure the true source of malicious traffic. This layering makes the networks both resilient and stealthy, and correspondingly hard for defenders to counter.
ORB networks are built from a standard set of components: adversary-controlled operations servers (ACOS), relay nodes, traversal nodes, exit/staging nodes and the victim servers themselves. Each component supports a different stage of an operation, from administration through to launching attacks on target infrastructure. The infrastructure is also transient: individual IPv4 addresses can have lifespans as short as 31 days, so an indicator of compromise based on an IP address goes stale quickly, which further complicates tracking and attribution and helps adversaries evade detection.
The use of ORBs marks a significant shift in tradecraft, exemplified by recent attacks such as the Volt Typhoon campaign against US critical infrastructure. The agility and adaptability of ORB networks give adversaries greater stealth and resilience while posing substantial challenges for defenders. Enterprise defense strategies must evolve accordingly, shifting emphasis from blocking individual IP addresses toward detecting the behavior of compromised devices and the traffic they relay.
Impact
- Cyber Espionage
- Unauthorized Access
- Operational Disruption
- Denial of Service
Remediation
- Replace end-of-life devices with supported models. Vendors no longer release patches or updates for them, which makes them highly vulnerable and prime candidates for recruitment into an ORB network.
- Keep device firmware and software up to date so that known vulnerabilities are patched.
- Immediately change default passwords on IoT and SOHO devices to unique, strong ones.
- Disable unnecessary services and features on IoT devices, and disable remote management where it is not needed, to reduce the attack surface; enable the security features provided by the device manufacturer.
- Isolate IoT devices from critical systems by segmenting the network.
- Implement firewalls and intrusion detection and prevention systems (IDS/IPS) to monitor and control traffic to and from IoT devices and to alert on anomalous or malicious network activity.
- Employ tools and alerting that identify unusual behavior or traffic patterns, such as a device accepting connections from many unfamiliar external addresses or forwarding traffic to destinations it has no business reaching, which may indicate a DDoS attack or a device that has been compromised and recruited as a relay.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
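As an added example (not part of the original advisory, and not Mandiant's or any vendor's tooling), the following Python script applies two of the points above to constructed flow records: it flags a device on an IoT segment that behaves like an ORB relay node, accepting connections from several distinct external addresses and forwarding traffic on to other external addresses, and it expires IP-based indicators that are older than the 31-day address lifespan noted in the analysis. The network ranges, the allow-listed vendor endpoint, the thresholds and the flow records are all assumptions chosen for illustration.

```python
"""Relay-node behaviour detection over constructed flow records.

Added example, not from the original advisory. Everything below that names
a network range, host or threshold is an assumption for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

# Assumed site layout: all RFC1918 10/8 is internal, 10.20.0.0/24 is the IoT segment.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
# Assumed vendor cloud endpoint that IoT devices are expected to contact
# (documentation address, constructed for the example).
EXPECTED_EXTERNAL = {"203.0.113.10"}


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: who initiated the connection and to where."""
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_RANGES)


def on_iot_segment(ip: str) -> bool:
    return is_internal(ip) and ipaddress.ip_address(ip) in IOT_SEGMENT


def relay_candidates(flows, min_inbound_peers=3, min_outbound_peers=2):
    """Return IoT devices that look like relay nodes.

    A relay both accepts connections from many distinct external addresses
    (inbound side) and opens connections to external destinations outside its
    expected vendor endpoints (outbound side). A device that only does one of
    the two is not flagged: a single remote-management login or a lone odd
    outbound connection is not enough on its own.
    """
    inbound = defaultdict(set)   # device -> external sources connecting to it
    outbound = defaultdict(set)  # device -> unexpected external destinations
    for f in flows:
        if on_iot_segment(f.dst) and not is_internal(f.src):
            inbound[f.dst].add(f.src)
        elif on_iot_segment(f.src) and not is_internal(f.dst) \
                and f.dst not in EXPECTED_EXTERNAL:
            outbound[f.src].add(f.dst)

    findings = {}
    for device in set(inbound) | set(outbound):
        if (len(inbound[device]) >= min_inbound_peers
                and len(outbound[device]) >= min_outbound_peers):
            findings[device] = {
                "inbound_peers": sorted(inbound[device]),
                "outbound_peers": sorted(outbound[device]),
            }
    return findings


def prune_stale_ips(indicators, today, max_age_days=31):
    """Drop IP indicators not seen within max_age_days.

    indicators maps an IP address to the date it was last seen in reporting.
    ORB addresses can rotate out within roughly a month, so older entries are
    more likely to block an innocent reassigned address than an adversary.
    """
    cutoff = today - timedelta(days=max_age_days)
    return {ip: seen for ip, seen in indicators.items() if seen >= cutoff}


# Constructed sample data (documentation ranges, no real hosts).
SAMPLE_FLOWS = [
    Flow("198.51.100.1", "10.20.0.5", 443, 1200),   # three external peers
    Flow("198.51.100.2", "10.20.0.5", 443, 900),    # connect in to the camera
    Flow("198.51.100.3", "10.20.0.5", 8443, 700),
    Flow("10.20.0.5", "192.0.2.7", 443, 1100),      # and it forwards traffic
    Flow("10.20.0.5", "192.0.2.9", 443, 800),       # on to two other hosts
    Flow("10.20.0.5", "203.0.113.10", 443, 300),    # legitimate vendor traffic
    Flow("10.20.0.6", "203.0.113.10", 443, 500),    # well-behaved device
    Flow("198.51.100.9", "10.20.0.7", 22, 200),     # one remote login only
    Flow("10.20.0.7", "192.0.2.7", 443, 100),
]

SAMPLE_INDICATORS = {
    "192.0.2.7": date(2024, 5, 20),   # recent, still actionable
    "192.0.2.9": date(2024, 4, 1),    # older than 31 days on 2024-05-24
}

if __name__ == "__main__":
    for device, detail in relay_candidates(SAMPLE_FLOWS).items():
        print(f"relay candidate {device}: {detail}")
    print("actionable indicators:",
          prune_stale_ips(SAMPLE_INDICATORS, date(2024, 5, 24)))
```

Run as-is, the script reports only 10.20.0.5 as a relay candidate: 10.20.0.6 talks solely to the expected vendor endpoint, and 10.20.0.7 has a single inbound peer and a single outbound destination, below both thresholds. The thresholds are deliberately conservative so that a one-off remote-management session does not page anyone; tune them against a baseline of what each device class normally does, and feed the flagged devices into the segmentation and IDS/IPS controls listed above rather than into an IP blocklist that the 31-day rotation will soon outdate.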