Boztek

Microsoft Warns of Chinese Botnet Exploiting Router Flaws for Credential Theft

Microsoft has disclosed that a Chinese threat actor known as Storm-0940 is utilizing a botnet named Quad7, or CovertNetwork-1658, to conduct sophisticated and evasive password spray attacks aimed at harvesting credentials from various Microsoft customers. This threat actor has been active since at least 2021 and typically gains initial access through password spray and brute-force attacks, as well as by exploiting vulnerabilities in network edge applications and services.

The primary targets of Storm-0940 include organizations across North America and Europe, such as think tanks, governmental and non-governmental organizations, law firms, and entities within the defense industrial base. The botnet, Quad7, which has been extensively analyzed by cybersecurity firms like Sekoia and Team Cymru, primarily attacks a wide range of consumer-grade routers and VPN appliances, notably brands like TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR.

The routers and appliances are recruited into the botnet by exploiting both known and previously undisclosed security flaws to achieve remote code execution on the device. The botnet’s name derives from the backdoor its malware installs, which listens on TCP port 7777 for the operators’ commands. Recent analyses suggest that Quad7’s primary function is to relay brute-force sign-in attempts against Microsoft 365 accounts, indicating a strong likelihood that its operators are state-sponsored actors from China.

Microsoft’s assessments emphasize that the maintainers of this botnet are based in China and that several threat groups within the country utilize it to carry out password spray attacks for subsequent computer network exploitation (CNE) strategies. This includes lateral movement within networks, deployment of remote access trojans, and various forms of data exfiltration. The collaboration between the botnet and Storm-0940 is characterized by a rapid transfer of compromised credentials, sometimes occurring on the same day they are extracted.

CovertNetwork-1658 takes a deliberately low-and-slow approach, submitting only a few sign-in attempts against a large number of accounts within a target environment. Notably, in around 80 percent of cases the botnet makes only a single sign-in attempt per account per day, which keeps each account well below lockout thresholds and significantly reduces the likelihood of detection. An estimated 8,000 compromised devices are active in the network at any given time, although only about 20 percent of them take part in the password spraying at once.
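The behaviour described above, one failure per account per day spread across thousands of source addresses, is exactly what per-source lockout and spray rules miss. The following is an added example (not code from Microsoft, Sekoia or the report) that runs two detection rules over constructed sign-in events: a conventional per-source rule, which stays silent because no single address touches enough accounts, and a tenant-wide rule that counts accounts receiving a single failure from addresses that never sign in successfully. All thresholds, addresses and account names are assumptions.

```python
"""Detect low-and-slow, distributed password spraying in sign-in logs.

Added example, not from the Microsoft report: it encodes the pattern the report
describes (one failed sign-in per account per day, rotated across a large pool
of source addresses) as two rules run over constructed sample events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry).
# Each event: (ISO timestamp, account, source_ip, outcome)
SAMPLE_EVENTS = [
    # A legitimate user mistypes a password twice, then succeeds from one address.
    ("2024-10-30T08:01:00", "alice@example.test", "203.0.113.10", "failure"),
    ("2024-10-30T08:01:30", "alice@example.test", "203.0.113.10", "failure"),
    ("2024-10-30T08:02:00", "alice@example.test", "203.0.113.10", "success"),
]
# Spray: 12 accounts, exactly one failure each, rotated across 10 botnet addresses
# (hypothetical addresses in the 198.51.100.0/24 documentation range).
for i in range(12):
    SAMPLE_EVENTS.append((
        f"2024-10-30T{9 + i // 4:02d}:{(i * 7) % 60:02d}:00",
        f"user{i:02d}@example.test",
        f"198.51.100.{i % 10 + 1}",
        "failure",
    ))

# End of the 24-hour analysis window for the sample data (assumed).
WINDOW_END = datetime(2024, 10, 30, 23, 59, 59)


def _failures_in_window(events, window_end, window_hours=24):
    """Return failed sign-ins whose timestamp falls inside the trailing window."""
    start = window_end - timedelta(hours=window_hours)
    return [e for e in events
            if e[3] == "failure" and start <= datetime.fromisoformat(e[0]) <= window_end]


def per_source_spray(events, window_end, min_accounts=3, max_per_account=2):
    """Conventional rule: one source address hitting many accounts, few tries each.

    Thresholds are assumptions. Against a rotated botnet each address touches
    only one or two accounts, so this rule returns nothing on the sample data.
    """
    by_ip = defaultdict(lambda: defaultdict(int))
    for _ts, account, ip, _outcome in _failures_in_window(events, window_end):
        by_ip[ip][account] += 1
    findings = []
    for ip, accounts in by_ip.items():
        if len(accounts) >= min_accounts and max(accounts.values()) <= max_per_account:
            findings.append({"source_ip": ip, "accounts": sorted(accounts)})
    return findings


def distributed_spray(events, window_end, min_accounts=8, min_sources=5,
                      max_per_account=1):
    """Tenant-wide rule: many accounts each seeing at most `max_per_account`
    failures, coming from a wide pool of addresses that never authenticate
    successfully. Addresses that also produce successful sign-ins are treated
    as user error and skipped. Thresholds are assumptions.
    """
    successful_ips = {e[2] for e in events if e[3] == "success"}
    failures_per_account = defaultdict(int)
    sources_per_account = defaultdict(set)
    for _ts, account, ip, _outcome in _failures_in_window(events, window_end):
        if ip in successful_ips:
            continue
        failures_per_account[account] += 1
        sources_per_account[account].add(ip)
    sprayed = sorted(a for a, n in failures_per_account.items() if n <= max_per_account)
    sources = set().union(*(sources_per_account[a] for a in sprayed)) if sprayed else set()
    if len(sprayed) >= min_accounts and len(sources) >= min_sources:
        return {"rule": "distributed-low-and-slow",
                "accounts": sprayed,
                "source_ips": sorted(sources)}
    return None


if __name__ == "__main__":
    print("per-source rule:", per_source_spray(SAMPLE_EVENTS, WINDOW_END))
    print("distributed rule:", distributed_spray(SAMPLE_EVENTS, WINDOW_END))
```

On the sample data the per-source rule produces no finding while the tenant-wide rule flags 12 accounts and 10 source addresses. In production the same idea is usually applied per ASN or netblock rather than per address, because compromised consumer routers sit on residential ranges that rotate, and the window should span at least a day to match the one-attempt-per-account-per-day cadence the report describes.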

After public reporting on the botnet’s operations, Microsoft observed a marked decline in the infrastructure it uses, suggesting that the threat actors may be acquiring new devices with different fingerprints to continue operating covertly. Any adversary with access to CovertNetwork-1658’s resources could carry out large-scale password spraying, significantly improving their odds of compromising credentials and gaining initial access to many organizations in a short time.

This combination of scale and the swift hand-off of compromised credentials from the botnet to the Chinese threat actor creates a substantial risk of account compromise across many sectors and geographical regions. Microsoft’s findings underscore the pressing threat posed by this activity and the need for organizations to strengthen monitoring and account protections against such targeted attacks.