Microsoft has revealed that a Chinese threat actor it tracks as Storm-0940 is leveraging a botnet called Quad7 to orchestrate highly evasive password spray attacks.
The tech giant has given the botnet the name CovertNetwork-1658, stating the password spray operations are used to steal credentials from multiple Microsoft customers.
“Active since at least 2021, Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services,” the Microsoft Threat Intelligence team said.
“Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others.”
Quad7, aka 7777 or xlogin, has been the subject of extensive analyses by Sekoia and Team Cymru in recent months. The botnet malware has been observed targeting several brands of SOHO routers and VPN appliances, including TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR.
These devices are recruited by exploiting known and as-yet-undetermined security flaws to gain remote code execution capabilities. The botnet’s name is a reference to the fact that the routers are infected with a backdoor that listens on TCP port 7777 to facilitate remote access.
Sekoia told The Hacker News in September 2024 the botnet is being mainly used to perform brute-force attempts against Microsoft 365 accounts, adding the operators are likely Chinese state-sponsored actors.
Microsoft has also assessed that the botnet maintainers are located in China, and that multiple threat actors from the country are using the botnet to conduct password spray attacks for follow-on computer network exploitation (CNE) activities, such as lateral movement, deployment of remote access trojans, and data exfiltration attempts.
This includes Storm-0940, which it said has infiltrated target organizations using valid credentials obtained via the password spray attacks, in some cases on the same day the credentials were extracted. The “quick operational hand-off” implies a close collaboration between the botnet operators and Storm-0940, the company pointed out.
“CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization,” Microsoft said. “In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day.”
As many as 8,000 compromised devices are estimated to be active in the network at any given point of time, although only 20 percent of those devices are involved in password spraying.
The Windows maker also warned that the botnet infrastructure has witnessed a “steady and steep decline” following public disclosure, raising the possibility that the threat actors are “likely acquiring new infrastructure with modified fingerprints” to evade detection.
“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time,” Microsoft noted.
“This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.”
