IoT devices in a password spraying botnet
Microsoft is warning Azure cloud users that a Chinese-controlled botnet is engaging in "highly evasive" password spraying. Not sure about the "highly evasive" part; the techniques seem to be basically what you get in a distributed password-guessing attack:
“Any threat actor using the CovertNetwork-1658 infrastructure can conduct password spraying campaigns on a larger scale and significantly increase the likelihood of successfully compromising credentials and gaining initial access to multiple organizations in a short period of time,” Microsoft officials wrote. “This scale, combined with the rapid operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential to compromise accounts across sectors and geographies.”
Some of the characteristics that make detection difficult are:
- The use of compromised SOHO IP addresses
- The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
- The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or against one account will not detect this activity.
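The third point is the one that matters for defenders: a per-IP or per-account failure threshold never fires when every node tries one password against one account and moves on. What does show the pattern is the population view, many distinct accounts failing from many distinct IPs inside one window while every individual IP and account stays at a tiny count. The script below is an added example written for this post; it is not Microsoft's detection logic and not code from the original article. The log format, the thresholds and the sample sign-in records are constructed assumptions (TEST-NET addresses, example.test accounts), chosen so that the classic per-source rule stays silent while the population rule fires.

```python
"""Detecting low-volume, distributed password spraying from sign-in logs.

Added example, not from the original post or from Microsoft: the log format,
thresholds and sample events below are constructed assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def _make_sample_log():
    """Construct synthetic sign-in records that mimic the described pattern:
    each failed attempt comes from a different source IP and targets a
    different account, so no single IP or account exceeds a small count."""
    base = datetime(2024, 10, 30, 8, 0, tzinfo=timezone.utc)
    lines = []
    # 40 spray attempts over ~100 minutes: one IP, one account, one failure each.
    for i in range(40):
        ts = base + timedelta(minutes=i * 2.5)
        ip = f"203.0.113.{i + 1}"             # TEST-NET-3 addresses, constructed
        user = f"user{i:02d}@example.test"    # constructed account names
        lines.append(f"{ts.isoformat()} {ip} {user} FAIL")
    # Benign noise: one user mistypes a password twice, then succeeds.
    for j, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = base + timedelta(minutes=10 + j)
        lines.append(f"{ts.isoformat()} 198.51.100.7 dave@example.test {result}")
    return sorted(lines)


SAMPLE_LOG = _make_sample_log()


def parse_line(line):
    """Parse '<iso-timestamp> <ip> <account> <FAIL|OK>' into a dict."""
    ts, ip, account, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "account": account, "failed": result == "FAIL"}


def per_source_alerts(events, threshold=5):
    """Classic rule: alert on any single IP or account with many failures.
    This is the check the post says the botnet deliberately stays under."""
    by_ip = Counter(e["ip"] for e in events if e["failed"])
    by_account = Counter(e["account"] for e in events if e["failed"])
    return ({k for k, n in by_ip.items() if n >= threshold}
            | {k for k, n in by_account.items() if n >= threshold})


def detect_spray(events, window_minutes=60, min_accounts=20, max_per_key=3):
    """Population rule: within one time bucket, flag when failures touch many
    distinct accounts from many distinct IPs while every individual IP and
    account stays at or below a tiny count. That combination, not any one
    noisy source, is the signature of a distributed low-volume spray."""
    buckets = defaultdict(list)
    for e in events:
        if not e["failed"]:
            continue
        epoch_min = int(e["ts"].timestamp() // 60)
        buckets[epoch_min - epoch_min % window_minutes].append(e)
    findings = []
    for start, fails in sorted(buckets.items()):
        by_ip = Counter(e["ip"] for e in fails)
        by_acct = Counter(e["account"] for e in fails)
        stats = {
            "window_start": datetime.fromtimestamp(start * 60, tz=timezone.utc),
            "failures": len(fails),
            "distinct_ips": len(by_ip),
            "distinct_accounts": len(by_acct),
            "max_per_ip": max(by_ip.values()),
            "max_per_account": max(by_acct.values()),
        }
        if (stats["distinct_accounts"] >= min_accounts
                and stats["max_per_ip"] <= max_per_key
                and stats["max_per_account"] <= max_per_key):
            findings.append(stats)
    return findings


def analyze(lines=SAMPLE_LOG):
    """Run both rules over the same log; returns (per-source alerts, spray windows)."""
    events = [parse_line(line) for line in lines]
    return per_source_alerts(events), detect_spray(events)


if __name__ == "__main__":
    noisy, sprays = analyze()
    print("per-IP/per-account alerts:", noisy or "none")
    for f in sprays:
        print(f"spray window {f['window_start']:%H:%M}: {f['failures']} failures "
              f"across {f['distinct_accounts']} accounts from {f['distinct_ips']} IPs")
```

On the constructed log the per-source rule returns nothing (no IP or account reaches five failures), while the population rule flags the 08:00 hour: 26 failures across 25 accounts from 25 IPs, with no IP or account above two. The tuning knobs are the window length and `min_accounts`; a real deployment would baseline the normal count of distinct failing accounts per hour for the tenant and alert on deviation from that, and would also separate "bad password" failures from "no such user" failures, since spraying real account names produces the former.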