Microsoft Issues a Warning About a Chinese Botnet That Is Using Router Vulnerabilities to Steal Credentials

Microsoft has disclosed that Storm-0940, a Chinese threat actor it monitors, is using a botnet known as Quad7 to plan extremely evasive password spray attacks. The IT giant claims that the password spray operations are used to steal credentials from numerous Microsoft customers, and has named the botnet CovertNetwork-1658.

"Active since at least 2021, Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services," the researchers at Microsoft claimed. "Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others."

In recent months, Sekoia and Team Cymru have published in-depth analyses of Quad7, also known as 7777 or xlogin. The botnet's malware has been observed targeting numerous brands of SOHO routers and VPN appliances, including TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR. The devices are enlisted by exploiting known and unknown security flaws to gain remote code execution. The botnet's name refers to the backdoor installed on infected routers, which listens on TCP port 7777 to provide remote access.

In September 2024, Sekoia told The Hacker News that the botnet is mostly being used to execute brute-force attacks against Microsoft 365 accounts and that the operators are probably state-sponsored actors from China.

According to Microsoft, the botnet's maintainers are based in China, and the botnet is being used by a number of Chinese threat actors to carry out password spray attacks for subsequent computer network exploitation (CNE) activities, including data exfiltration attempts, lateral movement, and the deployment of remote access trojans.

This includes Storm-0940, which allegedly used valid credentials acquired through password spray attacks to gain entry to target organizations, sometimes on the same day the credentials were collected. The company said that this "quick operational hand-off" suggests Storm-0940 and the botnet operators work closely together.

"CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization," Microsoft stated. "Approximately 80% of the time, CovertNetwork-1658 only makes one sign-in attempt per account per day."

Although only 20% of the compromised devices are used for password spraying, an estimated 8,000 affected devices are believed to be active on the network at any given time.
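The per-account rate Microsoft describes is what a defender can key on: a day on which many accounts each fail once, from many different source addresses, looks nothing like a single-account brute force that lockout thresholds already catch. The following Python is an added example, not Microsoft's or Sekoia's code; it runs over constructed sign-in records in a made-up `timestamp user result ip` format, and the thresholds are assumptions to be tuned against real tenant volume.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real data). 2024-10-30 shows the
# low-and-slow shape: six accounts, one failure each, six source IPs.
# 2024-10-31 shows an ordinary single-account brute force for contrast.
SAMPLE_LOG = """\
2024-10-30T08:01:12Z alice FAIL 203.0.113.10
2024-10-30T08:09:51Z bob FAIL 203.0.113.77
2024-10-30T09:14:03Z carol FAIL 198.51.100.5
2024-10-30T10:22:40Z dave FAIL 198.51.100.91
2024-10-30T11:05:17Z erin FAIL 192.0.2.33
2024-10-30T13:48:29Z frank FAIL 192.0.2.140
2024-10-30T14:00:02Z alice OK 10.0.0.8
2024-10-31T02:10:00Z carol FAIL 203.0.113.200
2024-10-31T02:10:05Z carol FAIL 203.0.113.200
2024-10-31T02:10:11Z carol FAIL 203.0.113.200
2024-10-31T02:10:16Z carol FAIL 203.0.113.200
2024-10-31T02:10:22Z carol FAIL 203.0.113.200
"""


def parse_signins(text):
    """Parse 'timestamp user result ip' lines (assumed format) into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        rows.append({"day": ts[:10], "user": user, "ok": result == "OK", "ip": ip})
    return rows


def detect_low_and_slow_spray(rows, min_accounts=5, max_per_account=1, min_ips=4):
    """Flag each day on which many accounts each saw at most `max_per_account`
    failed sign-ins, spread across many source IPs. Thresholds are assumptions."""
    per_day = defaultdict(lambda: {"fails": defaultdict(int), "ips": set()})
    for r in rows:
        if r["ok"]:
            continue  # successful sign-ins do not contribute to the spray signal
        day = per_day[r["day"]]
        day["fails"][r["user"]] += 1
        day["ips"].add(r["ip"])
    findings = {}
    for date, d in sorted(per_day.items()):
        accounts = len(d["fails"])
        worst = max(d["fails"].values(), default=0)  # failures on the hardest-hit account
        if accounts >= min_accounts and worst <= max_per_account and len(d["ips"]) >= min_ips:
            findings[date] = {"accounts": accounts, "source_ips": len(d["ips"])}
    return findings


if __name__ == "__main__":
    print(detect_low_and_slow_spray(parse_signins(SAMPLE_LOG)))
```

Only the first day is flagged; the second day's five failures against one account are left to conventional per-account lockout logic.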

In addition, the Windows maker cautioned that the botnet's infrastructure has seen a "steady and steep decline" since it was made public, suggesting that the threat actors are "likely acquiring new infrastructure with modified fingerprints" to avoid scrutiny.

"Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time," Microsoft stated. "This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions."