Microsoft has observed a covert Chinese botnet, built largely from compromised TP-Link routers, carrying out stealthy password-spraying attacks that typically try each account only once per day.
Microsoft Threat Intelligence has tracked the operation since August 2023; according to its new report, as many as 8,000 compromised devices are actively engaged in the network at any given time.
The botnet consists mostly of compromised small office and home office (SOHO) routers manufactured by TP-Link, so its sign-in attempts arrive from thousands of residential IP addresses belonging to legitimate users, which helps the operators evade detection. Microsoft tracks the botnet as “CovertNetwork-1658,” while other researchers refer to it as “xlogin” or “Quad7.”
Multiple Chinese threat actors use credentials obtained through the botnet’s password-spray operations, but the group tracked as Storm-0940 appears to be its primary user.
Storm-0940 targets think tanks, governments, and other organizations across North America and Europe. It obtains initial access “through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services.”
Microsoft has observed multiple campaigns originating from the same infrastructure.
Microsoft urges organizations to strengthen their cybersecurity by enforcing strict authentication policies, such as implementing multi-factor authentication, disabling legacy authentication methods, and adopting passwordless authentication.
“CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization. In about 80% of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day,” Microsoft said.
The compromised routers almost never make more than three attempts against a single account per day. Combined with a rotating pool of source IP addresses, this keeps the activity below the per-IP and per-account lockout and alerting thresholds most organizations rely on, making it particularly stealthy and difficult to monitor.
“The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days,” the report reads.
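The pattern described above, one failed sign-in per account per day from a constantly changing set of residential IPs, defeats the usual per-IP "many failures from one address" rule. The following is an added example, not code from Microsoft or Cybernews, showing why: it runs a classic per-IP spray rule and a rotation-aware tenant-wide rule over a constructed sample of sign-in records. The log format, the baseline of "known-good" IPs (any IP with a prior successful sign-in), and the thresholds are assumptions chosen for illustration.

```python
"""Low-and-slow password-spray detection over constructed sign-in records.

Added example, not Microsoft's or Cybernews' code. The log format, the
known-good baseline and the thresholds are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample (not real telemetry): "<ISO timestamp> <user> <source IP> <result>".
# Day 1: two spray IPs each touch five accounts exactly once.
# Day 2: the sprayer rotates to four IPs that touch only two accounts each, so a
# per-IP rule stays quiet, while a legitimate user (alice) fails twice then succeeds.
SAMPLE_LOG = """\
2024-10-01T02:11:04Z alice@corp.example 203.0.113.10 Success
2024-10-01T02:13:41Z alice@corp.example 203.0.113.10 Failure
2024-10-01T03:02:10Z bob@corp.example 198.51.100.7 Failure
2024-10-01T03:02:55Z carol@corp.example 198.51.100.7 Failure
2024-10-01T03:04:07Z dave@corp.example 198.51.100.7 Failure
2024-10-01T03:05:19Z erin@corp.example 198.51.100.7 Failure
2024-10-01T03:06:30Z frank@corp.example 198.51.100.7 Failure
2024-10-01T09:44:02Z grace@corp.example 192.0.2.44 Failure
2024-10-01T09:45:11Z heidi@corp.example 192.0.2.44 Failure
2024-10-01T09:46:20Z ivan@corp.example 192.0.2.44 Failure
2024-10-01T09:47:33Z judy@corp.example 192.0.2.44 Failure
2024-10-01T09:48:45Z mallory@corp.example 192.0.2.44 Failure
2024-10-01T12:00:00Z bob@corp.example 203.0.113.11 Success
2024-10-02T03:01:00Z bob@corp.example 198.51.100.9 Failure
2024-10-02T03:02:00Z carol@corp.example 198.51.100.9 Failure
2024-10-02T04:10:00Z dave@corp.example 198.51.100.23 Failure
2024-10-02T04:11:00Z erin@corp.example 198.51.100.23 Failure
2024-10-02T05:20:00Z frank@corp.example 192.0.2.77 Failure
2024-10-02T05:21:00Z grace@corp.example 192.0.2.77 Failure
2024-10-02T06:30:00Z heidi@corp.example 192.0.2.78 Failure
2024-10-02T06:31:00Z ivan@corp.example 192.0.2.78 Failure
2024-10-02T08:00:00Z alice@corp.example 203.0.113.10 Failure
2024-10-02T08:00:30Z alice@corp.example 203.0.113.10 Failure
2024-10-02T08:01:00Z alice@corp.example 203.0.113.10 Success
"""


def parse_signins(text):
    """Parse the constructed log format into event dicts keyed by day/user/ip."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"day": ts[:10], "user": user.lower(), "ip": ip,
                       "ok": result == "Success"})
    return events


def known_good_ips(events):
    """Baseline: any IP with at least one successful sign-in (crude but cheap)."""
    return {e["ip"] for e in events if e["ok"]}


def per_ip_spray(events, min_accounts=5, max_per_account=3):
    """Classic rule: one source IP, many accounts, few attempts per account.
    Returns sorted (day, ip, distinct_accounts, max_attempts_per_account) tuples."""
    failures = defaultdict(lambda: defaultdict(int))   # (day, ip) -> user -> count
    for e in events:
        if not e["ok"]:
            failures[(e["day"], e["ip"])][e["user"]] += 1
    hits = []
    for (day, ip), per_user in failures.items():
        worst = max(per_user.values())
        if len(per_user) >= min_accounts and worst <= max_per_account:
            hits.append((day, ip, len(per_user), worst))
    return sorted(hits)


def tenant_wide_spray(events, min_accounts=8, max_per_account=3):
    """Rotation-aware rule: per day, pool failures from every IP outside the
    known-good baseline and count distinct accounts regardless of source IP.
    A high account count with at most a few attempts each is the low-and-slow
    signature; brute force would show a high max_per_account instead."""
    baseline = known_good_ips(events)
    per_day = defaultdict(lambda: {"users": defaultdict(int), "ips": set()})
    for e in events:
        if e["ok"] or e["ip"] in baseline:
            continue
        per_day[e["day"]]["users"][e["user"]] += 1
        per_day[e["day"]]["ips"].add(e["ip"])
    report = {}
    for day, d in sorted(per_day.items()):
        worst = max(d["users"].values())
        report[day] = {
            "accounts": len(d["users"]),
            "ips": len(d["ips"]),
            "max_per_account": worst,
            "flagged": len(d["users"]) >= min_accounts and worst <= max_per_account,
        }
    return report


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_LOG)
    print("per-IP hits:", per_ip_spray(evs))
    for day, r in tenant_wide_spray(evs).items():
        print(day, r)
```

On day 1 both rules fire; on day 2 the per-IP rule sees only two accounts per address and stays silent, while the tenant-wide rule still counts eight accounts probed once each from four unfamiliar IPs. In production, compute the known-good baseline from a prior window rather than the same day's data, otherwise a single successful spray hit would whitelist the attacker's router for the rest of the day.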
Since the network’s activity was publicly disclosed, its use has declined substantially, to only hundreds of nodes in recent months. Microsoft assesses, however, that CovertNetwork-1658 is still operating and is likely acquiring new infrastructure and changing the fingerprints that have been publicly disclosed.
“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time,” the Redmond researchers warn.
Once Storm-0940 gains initial access with credentials obtained through the botnet, the later stages of the attack follow a familiar pattern: the operators scan the network, run credential dumping tools, move laterally, attempt to access network devices, install proxy tools and remote access trojans for persistence, and attempt to exfiltrate data.
Cybernews previously reported that a mysterious botnet operator is evolving tactics to compromise WiFi routers and is armed with multiple backdoors and vulnerabilities, often previously unknown.
(courtesy: Cybernews)