Chinese Hackers Use Quad7 Botnet for Credential Theft
Hackers Using Password Spraying to Steal User Microsoft Account CredentialsMultiple Chinese hacking groups are using a botnet named for a TCP routing port number to conduct password spraying attacks, warned Microsoft Thursday.
See Also: Securing the Cloud, One Identity at a Time
The 7777 - or Quad7 - botnet on average consists of 8,000 hacked devices, the bulk of them TP-Linm routers for use in small office or homes. The botnet, also known as xlogin, appears to have emerged in 2023.
Microsoft tracks the botnet as CovertNetwork-1658 and said Thursday the Chinese threat actor it tracks as Storm-0940 figures prominently in the wave of password spray attacks it detected.
In some cases, Storm-0940 used a credential brute forced by the Quad7 botnet the same day as its theft. "This quick operational hand-off of compromised credentials is evidence of a likely close working relationship between the operators of CovertNetwork-1658 and Storm-0940," the computing giant said. The Quad7 operators are almost certainly located in China, it added.
The password spraying campaign is still active, which Microsoft warning that botnet operators are "likely acquiring new infrastructure with modified fingerprints."
Greater attention onto the Quad7 botnet by security researchers apparently nudged its operators in recent months into taking steps to hide their infrastructure. Cybersecurity firm Sekoia in September said botnet operators apparently were also compromising Zyxel VPN endpoints, Ruckus wireless routers and Axentra network-attached storage devices (see: Quad7 Botnet Operators Expand Targets, Aim for Stealth).
Botnet operators are careful with their compromised routers, submitting only "a very small number of sign attempts to many accounts at a target organization," Microsoft said. "In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day."
Quad7 activity can be difficult to monitor since the average lifespan of a bot is only approximately 90 days, Microsoft said. Its use of SOHO routers as bots means there's no central IP address to track and the low volume of spray attacks means that monitoring for multiple sign-in attempts from one IP address won't detect the bot.
Storm-0940 has been active since 2021 and uses hacked credentials for activities including lateral movement within intranets, uploading proxy tools and remote access Trojans and - of course, exfiltrating data.
Microsoft recommends disabling legacy authentication and relying on password-less verification. It also recommends disabling unused accounts.