Introduction
The 7777 botnet [2] [3] [4] [8] [11], also known as Quad7 and designated by Microsoft as CovertNetwork-1658, represents a significant cybersecurity threat. Allegedly linked to the Chinese government [2] [10], this botnet has compromised thousands of TP-Link routers, among other devices [4] [8], to conduct sophisticated cyberattacks, including password-spraying against Microsoft Azure accounts [2] [4] [7] [13].
Description
Thousands of TP-Link routers have been hijacked by hackers allegedly linked to the Chinese government [2] [4] [13], forming a botnet known as the 7777 (or Quad7) botnet [4], which Microsoft designates CovertNetwork-1658. First identified by the researcher Gi7w0rm and analyzed by Sekoia [8], the network comprises roughly 16,000 compromised devices. Beyond TP-Link routers, it has been built by exploiting vulnerabilities in other Small Office/Home Office (SOHO) equipment, including ASUS routers, Zyxel VPN endpoints, Ruckus wireless routers and Axentra media servers [8], to gain remote code execution on them. The compromised devices serve as egress points for password-spraying attacks against Microsoft Azure accounts [7] [13], using previously stolen username and password combinations to get into accounts that have not otherwise been breached [9]. Because the attempts arrive from a large, rotating pool of legitimate residential IP addresses [13], per-source defences such as limiting login attempts from a single IP address do not trigger [9], and the operators keep the rate to about one attempt per account per day to stay below detection thresholds [9].
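To see why a per-source throttle fails against this pattern while a tenant-wide view catches it, the following added example (not code from the article or from any cited source) runs two detections over constructed sign-in records: a classic per-IP failure threshold, and a low-and-slow spray check that looks for many source addresses each failing against several distinct accounts about once, with no successful sign-in from any of them. The log format, account names, IP addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions chosen for the illustration.

```python
"""Low-and-slow password-spray detection over sign-in records.

Added example, not code from the article or from any cited vendor. The sign-in
records, account names, IP addresses (RFC 5737 documentation ranges) and the
thresholds are all constructed assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Return constructed records, one per line: 'timestamp,user,src_ip,result'."""
    base = datetime(2024, 10, 30)
    lines = []
    # Spray: a pool of 12 rotating egress IPs, each account hit once, spread over the day.
    spray_ips = [f"203.0.113.{i}" for i in range(1, 13)]
    targets = [f"user{n:02d}@example.org" for n in range(40)]
    for n, user in enumerate(targets):
        ts = base + timedelta(minutes=30 * n)
        lines.append(f"{ts.isoformat()},{user},{spray_ips[n % len(spray_ips)]},failure")
    # Legitimate user: two typos, then a successful sign-in from the office IP.
    for i, result in enumerate(("failure", "failure", "success")):
        ts = base + timedelta(hours=9, minutes=i)
        lines.append(f"{ts.isoformat()},alice@example.org,198.51.100.7,{result}")
    # Noisy single-source brute force: 15 failures against one account in 15 minutes.
    for i in range(15):
        ts = base + timedelta(hours=13, minutes=i)
        lines.append(f"{ts.isoformat()},bob@example.org,192.0.2.50,failure")
    return "\n".join(lines)


def parse_log(text):
    """Parse the CSV-style lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split(",")
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "ip": ip, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def per_ip_lockout_hits(events, max_failures=10, window=timedelta(hours=1)):
    """Classic per-source throttle: IPs with more than max_failures failures in
    any sliding window. This is the control the spray is designed to stay under."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e["ts"])
    hits = set()
    for ip, times in failures.items():  # times are chronological (events sorted)
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                hits.add(ip)
                break
    return hits


def detect_low_and_slow_spray(events, min_users_per_ip=3, min_ips=5,
                              max_attempts_per_user=1.5):
    """Tenant-wide view over one window (e.g. a day): flag when many source IPs
    each fail against several distinct accounts, about once per account, and
    never sign in successfully. Brute force against a few accounts is excluded
    by the attempts-per-user ratio."""
    stats = defaultdict(lambda: {"failures": 0, "successes": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        if e["result"] == "failure":
            s["failures"] += 1
            s["users"].add(e["user"])
        else:
            s["successes"] += 1
    suspicious = {}
    for ip, s in stats.items():
        n_users = len(s["users"])
        if n_users < min_users_per_ip or s["successes"]:
            continue
        if s["failures"] / n_users > max_attempts_per_user:
            continue
        suspicious[ip] = s
    if len(suspicious) < min_ips:
        return None
    targeted = set().union(*(s["users"] for s in suspicious.values()))
    return {"source_ips": sorted(suspicious),
            "targeted_accounts": sorted(targeted),
            "attempts": sum(s["failures"] for s in suspicious.values())}


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("per-IP throttle flagged:", sorted(per_ip_lockout_hits(evs)))
    spray = detect_low_and_slow_spray(evs)
    print("spray sources:", len(spray["source_ips"]),
          "accounts targeted:", len(spray["targeted_accounts"]))
```

On the constructed data the per-IP throttle flags only the noisy brute force from 192.0.2.50 and none of the twelve spray sources, while the tenant-wide check reports all twelve sources and the 40 targeted accounts. In practice the window would be a calendar day of sign-in logs and the thresholds tuned to the tenant's normal failure rate; the point is that the signal lives in the aggregate, not in any single source.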
The name “7777” refers to the TCP port found open on affected devices [2] [13]: an administration port serving a bind shell with root access [11]. The term was coined by a researcher in October 2023. A SOCKS5 proxy additionally listens on TCP port 11288 [9] [10], which is what lets the operators route their own traffic through the victims. Discovered in August 2023 [6], the botnet's compromised routers are concentrated in Bulgaria, followed by Russia [2] [4], the United States [4] and Ukraine [2] [4]. At the time of the cited reports roughly 8,000 devices remained active, and this geographic spread makes it difficult to trace the attacks back to their origin.
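A practitioner who wants to check whether a device they own exposes the two ports named above can use the following added example (not code from the article or from any cited source). It probes TCP 7777 and 11288 and, for the latter, sends a SOCKS5 greeting to confirm that a SOCKS5 service actually answers rather than just an open socket. The demo() function exercises it offline against a constructed local stand-in listener; the target host, timeouts and the stand-in are assumptions. An open port is only an indicator and needs confirmation before concluding a device is compromised, and the probe should only be run against devices you own or are authorized to test, ideally from outside the LAN so you see what the internet sees.

```python
"""Probe a host for the two Quad7 indicator ports: TCP 7777 (bind shell) and
TCP 11288 (SOCKS5 proxy). Added example, not code from the article or from any
cited source. Probe only devices you own or are authorized to test."""
import socket
import threading

# Ports reported on compromised devices (from the article); an open port alone
# is an indicator, not proof of compromise.
QUAD7_PORTS = {7777: "bind shell (root) on compromised devices", 11288: "SOCKS5 proxy"}


def probe_tcp(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def socks5_answers(host, port=11288, timeout=3.0):
    """Send a SOCKS5 greeting offering 'no authentication' and report whether the
    peer replies with SOCKS version 5 (0x05 0x00 = accepted, 0x05 0xFF = rejected)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\x05\x01\x00")  # VER=5, NMETHODS=1, METHOD=0x00 (no auth)
            reply = s.recv(2)
            return len(reply) == 2 and reply[0] == 0x05
    except OSError:
        return False


def check_quad7_ports(host, timeout=3.0):
    """Probe each indicator port; for 11288 also verify SOCKS5 behaviour.
    Returns {port: {"open": bool, "socks5": bool or None}}."""
    result = {}
    for port in QUAD7_PORTS:
        is_open = probe_tcp(host, port, timeout)
        socks = socks5_answers(host, port, timeout) if (is_open and port == 11288) else None
        result[port] = {"open": is_open, "socks5": socks}
    return result


def _local_socks5_stand_in(connections):
    """Constructed stand-in for a SOCKS5 listener on 127.0.0.1 (demo only).
    Serves the given number of connections, answering a valid greeting with 0x05 0x00."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        for _ in range(connections):
            conn, _ = srv.accept()
            with conn:
                try:
                    if conn.recv(3) == b"\x05\x01\x00":
                        conn.sendall(b"\x05\x00")
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _closed_local_port():
    """Pick an ephemeral port, then release it so it is (almost certainly) closed."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Offline demonstration against local stand-ins.
    Returns (stand-in port open?, stand-in speaks SOCKS5?, released port open?)."""
    open_port = _local_socks5_stand_in(connections=2)
    closed_port = _closed_local_port()
    return (probe_tcp("127.0.0.1", open_port),
            socks5_answers("127.0.0.1", open_port),
            probe_tcp("127.0.0.1", closed_port, timeout=1.0))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(check_quad7_ports(target) if target else demo())
```

Run with a router's WAN address as the argument to probe a real device, or with no argument to run the offline demo. A reply beginning with 0x05 on 11288 is a strong sign that a SOCKS5 service is listening; an open 7777 with no recognizable service behind it still warrants inspecting the device, since the bind shell reported on compromised units would not announce itself.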
Microsoft has previously faced similar attacks against Azure [2], including unauthorized access to the email accounts of several US government agencies [2] [4], attributed to the group Storm-0558 [2] [4]. The actor Microsoft links to the botnet is a different group, tracked as Storm-0940 [7]; the two are separate threat actors, not two names for one group. Storm-0940 reportedly uses credentials obtained through the 7777 botnet [2], typically making only a few sign-in attempts per account per day in targeted organizations [11], which suggests cooperation between the group and the botnet operators [2]. Once inside a compromised account [2], the attackers have been observed moving laterally within the network [2], collecting further data, and attempting to install backdoors for persistent access.
The exact method by which devices are infected and enrolled in the botnet remains unclear [2]; reported initial-access techniques include password spraying [6], brute-force attacks [6] [11], and exploitation of misconfigured network applications [6]. The implant on TP-Link devices is not written to persistent storage [2], so a reboot clears it [2] [4]. This is only temporary relief: the attackers can re-exploit the same weakness and re-enroll the device, so regular reboots reduce the time a device spends in the botnet but do not remove the underlying cause. The botnet's scale raises the odds of successful credential compromise across sectors and regions [7]; targets include think tanks [7], governmental and non-governmental entities [7], and law firms [1] [7]. Detecting Quad7 activity is hard [11]: a compromised node typically remains part of the botnet for around 90 days and sits on a residential SOHO router, so blocking or tracking by IP address is of limited use [11], and the very low per-account sign-in rate keeps the activity below typical alerting thresholds [11].
Cybersecurity experts have traced the proxy software used on these routers to an individual in Hangzhou, China [5] [11]. Once access is obtained [11], the attackers scan the network to steal further credentials and attempt to install remote access tools (RATs) and proxies to maintain control and exfiltrate data [11]. Following public exposure of the network [6], its activity dropped sharply, to only hundreds of active endpoints [6]. Microsoft nonetheless assesses that CovertNetwork-1658 remains operational and is likely moving to new infrastructure [6]; in late October [6] a marked rise in malicious activity linked to the botnet was observed [6]. Microsoft warns that any actor with access to this infrastructure could run password-spraying campaigns at scale [6], increasing the likelihood of credential compromise and unauthorized access across many organizations [6]. The recommended mitigations [2] [6] [11] are multi-factor authentication [1] [6] [12], disabling legacy authentication protocols that cannot enforce it [6] [12], and moving to passwordless authentication [6] [11].
Conclusion
The 7777 botnet poses a substantial threat to global cybersecurity, with its ability to compromise a wide range of devices and conduct sophisticated attacks. The ongoing activity and potential evolution of this botnet underscore the need for vigilant cybersecurity practices. Organizations must prioritize robust security measures, such as multi-factor authentication and regular device reboots, to mitigate the risks associated with this and similar threats. As the botnet continues to adapt, staying informed and proactive is crucial to safeguarding sensitive information and maintaining secure networks.
References
[1] https://informationsecuritybuzz.com/microsoft-warns-major-credential-theft/
[2] https://www.pcgamer.com/hardware/tp-link-botnet-7777/
[3] https://www.avertium.com/flash-notices/quad7-botnet-exploiting-router-flaws
[4] https://www.isss.org.uk/news/hackers-hijack-over-16000-tp-link-network-devices-creating-a-big-ol-botnet-thats-absolutely-slamming-microsoft-azure-accounts/
[5] https://www.anoopcnair.com/password-spray-activity-from-covertnetwork-1658/
[6] https://i-hls.com/archives/126435
[7] https://www.pcworld.com/article/2509553/thousands-of-hacked-tp-link-routers-being-used-to-hijack-azure-accounts.html
[8] https://www.newsbytesapp.com/news/science/microsoft-exposes-chinese-botnet-quad7-s-global-cyber-espionage-campaign/story
[9] https://www.hdblog.it/microsoft/articoli/n598206/microsoft-botnet-tp-link-router-hack-azure/
[10] https://www.fudzilla.com/news/60021-chinese-hackers-deploy-botnet
[11] https://hostingdailynews.com/cybersecurity/microsoft-security-alert-chinese-botnet-quad7-attacking-users-globally/
[12] https://www.speedguide.net/news/thousands-of-hacked-tp-link-routers-being-used-8458
[13] https://uktechhub.com/forums/topic/hackers-hijack-over-16000-tp-link-network-devices-creating-a-big-ol-botnet/