Microsoft has revealed that a Chinese threat actor it tracks as Storm-0940 uses a botnet called Quad7 to orchestrate highly evasive password spraying attacks.
The tech giant named the botnet CovertNetwork-1658, saying that password spraying operations are being used to steal credentials from numerous Microsoft customers.
“Active since at least 2021, Storm-0940 gains initial access through password spraying and brute force attacks, or by exploiting or misusing network applications and services,” the Microsoft Threat Intelligence team said.
“Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, the defense industrial base and others.”
Quad7, also known as 7777 or xlogin, has been the subject of extensive analyses by Sekoia and Team Cymru in recent months. The botnet malware was seen targeting several brands of SOHO routers and VPN devices, including TP-Link, Zyxel, Asus, Axentra, D-Link and NETGEAR.
These devices are recruited by exploiting known and as-yet-unknown security flaws to gain remote code execution capabilities. The name of the botnet is a reference to routers being infected with a backdoor that listens on TCP port 7777 to facilitate remote access.
Sekoia told The Hacker News in September 2024 that the botnet is primarily used to carry out brute force attempts against Microsoft 365 accounts, adding that the operators are likely Chinese state-sponsored entities.
Microsoft also assessed that the botnet’s operators are located in China and that several threat actors from that country are using the botnet to conduct password spraying attacks for subsequent computer network exploitation (CNE) activities such as lateral movement, deployment of remote access Trojans and data theft attempts.
That includes Storm-0940, which it says infiltrated targeted organizations using valid credentials obtained from password spraying attacks, in some cases on the same day the credentials were extracted. This “rapid operational transfer” points to close cooperation between the botnet operators and Storm-0940, the company said.
“CovertNetwork-1658 sends a very small number of logon attempts to many accounts in the targeted organization,” Microsoft said. “Approximately 80 percent of the time, CovertNetwork-1658 makes only one login attempt per day.”
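The pattern Microsoft describes defeats per-source-IP thresholds, because each compromised router contributes roughly one failed logon per day. What stands out is the tenant-wide shape of the failures: many accounts, many source IPs, and almost every IP and account failing exactly once. The following is an added example (not code from the article, Microsoft, or Sekoia) that aggregates constructed sign-in records per day and flags that shape, alongside a classic per-IP rule for contrast. The log format, account names and addresses (RFC 5737 documentation ranges) are all constructed.

```python
"""Detecting low-and-slow distributed password spraying in sign-in logs.

Constructed example: a per-IP rule sees one failure per source and stays
quiet; aggregating across the whole tenant per day does not.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    account: str
    source_ip: str
    success: bool


def parse_line(line: str) -> SignIn:
    """Parse one record of the constructed format:
    '<ISO-8601 UTC> <account> <source_ip> <SUCCESS|FAILURE>'."""
    ts, account, ip, result = line.split()
    return SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result == "SUCCESS")


def daily_failure_profile(events):
    """Aggregate failed sign-ins per UTC day across the tenant.

    Returns, per day: total failures, distinct accounts, distinct source IPs,
    and the fraction of IPs / accounts that failed exactly once.
    """
    by_day = defaultdict(list)
    for e in events:
        if not e.success:
            by_day[e.ts.date().isoformat()].append(e)
    profile = {}
    for day, fails in by_day.items():
        per_ip = Counter(e.source_ip for e in fails)
        per_account = Counter(e.account for e in fails)
        profile[day] = {
            "failures": len(fails),
            "accounts": len(per_account),
            "ips": len(per_ip),
            "single_attempt_ip_fraction": sum(n == 1 for n in per_ip.values()) / len(per_ip),
            "single_failure_account_fraction": sum(n == 1 for n in per_account.values()) / len(per_account),
        }
    return profile


def flag_distributed_spray(profile, min_accounts=10, min_ips=10, min_fraction=0.7):
    """Days matching 'many accounts x many IPs x one attempt each'.
    Thresholds are illustrative and should be tuned to the tenant's baseline."""
    return sorted(
        day for day, p in profile.items()
        if p["accounts"] >= min_accounts and p["ips"] >= min_ips
        and p["single_attempt_ip_fraction"] >= min_fraction
        and p["single_failure_account_fraction"] >= min_fraction
    )


def flag_single_source_spray(events, min_accounts=10):
    """Classic per-IP rule: one source failing against many accounts in a day.
    Included for contrast; it does not fire on the distributed pattern."""
    accounts_by_ip_day = defaultdict(set)
    for e in events:
        if not e.success:
            accounts_by_ip_day[(e.ts.date().isoformat(), e.source_ip)].add(e.account)
    return sorted({day for (day, _ip), accts in accounts_by_ip_day.items() if len(accts) >= min_accounts})


def constructed_logs():
    """Three constructed days: a distributed one-attempt-per-IP spray mixed
    with benign typos, a benign-only day, and a noisy single-source spray."""
    lines = []
    # Day 1: 24 accounts, each hit once from a different source address.
    for i in range(24):
        lines.append(f"2024-10-28T{i:02d}:1{i % 10}:00Z user{i:02d}@example.com 198.51.100.{i + 1} FAILURE")
    # Same day, benign noise: one user mistypes twice, then succeeds.
    lines += [
        "2024-10-28T09:00:01Z alice@example.com 203.0.113.5 FAILURE",
        "2024-10-28T09:00:20Z alice@example.com 203.0.113.5 FAILURE",
        "2024-10-28T09:00:45Z alice@example.com 203.0.113.5 SUCCESS",
    ]
    # Day 2: only benign failures from two users.
    lines += [
        "2024-10-29T08:10:00Z bob@example.com 203.0.113.9 FAILURE",
        "2024-10-29T08:10:30Z bob@example.com 203.0.113.9 FAILURE",
        "2024-10-29T08:11:00Z bob@example.com 203.0.113.9 FAILURE",
        "2024-10-29T08:12:00Z bob@example.com 203.0.113.9 SUCCESS",
        "2024-10-29T12:00:00Z carol@example.com 203.0.113.12 FAILURE",
    ]
    # Day 3: classic noisy spray, one source against 15 accounts.
    for i in range(15):
        lines.append(f"2024-10-30T02:{i:02d}:00Z user{i:02d}@example.com 192.0.2.44 FAILURE")
    return lines


if __name__ == "__main__":
    evts = [parse_line(l) for l in constructed_logs()]
    prof = daily_failure_profile(evts)
    for day, p in sorted(prof.items()):
        print(day, p)
    print("distributed spray days:", flag_distributed_spray(prof))
    print("single-source spray days:", flag_single_source_spray(evts))
```

The two rules are complementary: the per-IP rule fires only on the noisy single-source day, while the tenant-wide rule fires only on the day whose failures are spread one-per-source across many accounts. In practice the daily aggregates would be compared against a rolling baseline of the tenant's normal failure volume rather than fixed thresholds.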
It is estimated that approximately 8,000 compromised devices are active in the botnet at any given time, although only 20 percent of these devices are involved in password spraying.
The Windows maker also warned that the botnet’s infrastructure has seen “unsustainable and dramatic decline” since the public disclosure, raising the possibility that threat actors are “likely acquiring new infrastructure with altered fingerprints” to avoid detection.
“Any threat actor using the CovertNetwork-1658 infrastructure can conduct larger-scale password spraying campaigns and significantly increase the likelihood of successfully compromising credentials and gaining initial access to multiple organizations in a short period of time,” Microsoft said.
“This scale, combined with the rapid operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential compromise of accounts across sectors and geographies.”