
Microsoft has disclosed that it is tracking a Chinese cyber threat actor named Storm-0940, which is leveraging a botnet called Quad7 to execute advanced password spray attacks. The company has labelled this botnet CovertNetwork-1658, noting that these operations are primarily designed to steal credentials from various Microsoft clients.
Storm-0940 has been active since at least 2021, employing password spray and brute-force techniques for initial access, as well as exploiting weaknesses in network edge applications and services, according to insights from Microsoft's Threat Intelligence team. The group predominantly targets organizations across North America and Europe, including think tanks, government agencies, NGOs, law firms, and defence contractors.
The Quad7 botnet, also known as 7777 or xlogin, has recently been the focus of detailed analysis by cybersecurity firms Sekoia and Team Cymru. This malware has shown a capability to compromise a range of SOHO routers and VPN devices from brands such as TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR. It gains access by exploiting known and unknown security flaws to achieve remote code execution. The botnet's name derives from its use of a backdoor that listens on TCP port 7777 for commands.
The botnet is primarily employed to carry out brute-force attacks against Microsoft 365 accounts. Microsoft has assessed that the botnet’s operators are likely located in China and that various local threat actors are using it to conduct password spray attacks, which serve as a precursor to broader computer network exploitation (CNE) activities. These may include lateral movement within networks, deployment of remote access trojans, and attempts to exfiltrate sensitive data.
Storm-0940 has been effective in infiltrating target organizations by using valid credentials obtained through these password spray operations, sometimes on the same day they were acquired. This quick transition suggests a strong collaboration between the botnet operators and Storm-0940.
Microsoft reports that CovertNetwork-1658 typically submits a limited number of sign-in attempts across numerous accounts within a target organization. In about 80% of cases, it makes only a single sign-in attempt per account each day.
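The sign-in pattern described above is what makes this spray hard to catch with a per-source threshold: each compromised router submits only a handful of attempts, and most accounts see just one failure a day. The following added example (not from Microsoft's report or any vendor tooling) runs a per-IP threshold detector and an organization-wide low-and-slow detector over a constructed set of failed sign-in events; the event format, thresholds and sample IPs and accounts are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample failed sign-ins (not real telemetry): (day, source_ip, account).
# Day 1 imitates a distributed spray: six accounts, six source IPs, one account hit twice.
# Day 2 imitates a plain brute force: one source IP hammering a single account.
FAILURES = [
    ("2024-10-01", "198.51.100.11", "alice@example.org"),
    ("2024-10-01", "198.51.100.12", "bob@example.org"),
    ("2024-10-01", "198.51.100.13", "carol@example.org"),
    ("2024-10-01", "198.51.100.14", "dave@example.org"),
    ("2024-10-01", "198.51.100.15", "erin@example.org"),
    ("2024-10-01", "198.51.100.15", "erin@example.org"),
    ("2024-10-01", "198.51.100.16", "frank@example.org"),
    ("2024-10-02", "198.51.100.11", "alice@example.org"),
    ("2024-10-02", "198.51.100.11", "alice@example.org"),
    ("2024-10-02", "198.51.100.11", "alice@example.org"),
]

def per_ip_threshold_alerts(failures, max_failures=2):
    """Classic detector: alert when one (day, source_ip) exceeds max_failures.
    A botnet of thousands of routers keeps every single source under this."""
    counts = Counter((day, ip) for day, ip, _ in failures)
    return sorted(key for key, n in counts.items() if n > max_failures)

def low_and_slow_spray_days(failures, min_accounts=5, min_single_ratio=0.8, min_sources=5):
    """Org-wide detector: flag a day on which many distinct accounts each saw a
    failure, most of them exactly once (the ~80% figure from the report), coming
    from many distinct source IPs. Thresholds are illustrative assumptions."""
    per_day_accounts = defaultdict(Counter)
    per_day_sources = defaultdict(set)
    for day, ip, account in failures:
        per_day_accounts[day][account] += 1
        per_day_sources[day].add(ip)
    flagged = {}
    for day, accounts in per_day_accounts.items():
        n_accounts = len(accounts)
        single = sum(1 for n in accounts.values() if n == 1)
        ratio = single / n_accounts
        n_sources = len(per_day_sources[day])
        if n_accounts >= min_accounts and ratio >= min_single_ratio and n_sources >= min_sources:
            flagged[day] = {"accounts": n_accounts,
                            "single_attempt_ratio": round(ratio, 2),
                            "sources": n_sources}
    return flagged

if __name__ == "__main__":
    print("per-IP alerts:", per_ip_threshold_alerts(FAILURES))   # only the day-2 brute force
    print("spray days:", low_and_slow_spray_days(FAILURES))       # only the day-1 spray
```

The per-IP detector fires on the single-account brute force and misses the spray entirely, while the day-level aggregation catches the spray because it measures breadth (distinct accounts and sources) rather than volume from any one source.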
Currently, an estimated 8,000 compromised devices are operational within the botnet, though only 20% of these are actively involved in password spraying activities. Following a public disclosure of its operations, Microsoft has noted a significant decline in the botnet's infrastructure, indicating that the threat actors may be acquiring new resources with altered signatures to evade detection.
The tech giant cautioned that any threat actor utilizing CovertNetwork-1658 could conduct large-scale password spraying campaigns, dramatically increasing the chances of successful credential theft and unauthorized access to multiple organizations quickly. The combination of this scale and the rapid turnover of compromised credentials raises the potential for account breaches across various sectors and geographical regions.