Introduction

Microsoft has identified a Chinese threat actor [1] [2] [6] [10] [11], Storm-0940 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], linked to the botnet CovertNetwork-1658 [11], also known as xlogin and Quad7 (7777) [12]. This group has been active since at least 2021 and is responsible for sophisticated cyberattacks targeting Microsoft customers through compromised SOHO routers.

Description

Microsoft has identified a Chinese threat actor known as Storm-0940 [1] [2] [6] [10] [11], active since at least 2021 and linked to the botnet CovertNetwork-1658, also referred to as xlogin and Quad7 (7777) [12]. The group uses the Quad7 botnet [8], made up of approximately 8,000 compromised SOHO routers from manufacturers such as TP-Link, Asus [2] [10], Zyxel [1] [2] [3] [5] [10], Axentra [1] [2] [3] [5] [10], and Ruckus, to conduct password spray attacks aimed at credential theft [2]. Since August 2023 [12], these attacks have successfully targeted multiple Microsoft customers [12], with the credentials used in the intrusions obtained from the covert network [4] [12]. The Quad7 botnet exploits both known and previously unidentified vulnerabilities in SOHO routers and VPN appliances, including a zero-day vulnerability in OpenWRT [5], a widely used open-source router operating system [5], to achieve remote code execution and take control of the routers.

Storm-0940 limits its sign-in attempts to a single attempt per account per day, which keeps the activity below per-account lockout and alerting thresholds and complicates detection [6]. Once access is gained [5] [6], the attackers move quickly into the network [5], dump credentials [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], deploy Remote Access Trojans (RATs) [1] [4] [5] [6] [9], and upload proxy tools for persistence, often infiltrating targeted organizations [2] [10], including think tanks and law firms in North America and Europe, on the same day that valid credentials are acquired. The botnet has been observed conducting brute-force attacks against Microsoft 365 accounts, indicating a likely affiliation with state-sponsored groups from China [2].
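Because each account receives at most one attempt per day, per-account lockout counters never trip; the signal only appears when failed sign-ins are aggregated across the whole tenant per day (many distinct accounts, about one attempt each, nearly every attempt from a different source address) and when a later success arrives from an address that previously only produced failures. The following detector is an added example written for this page, not code from Microsoft or from any of the cited reports. The sign-in records, their field names, the thresholds and the IP addresses are all constructed assumptions for illustration.

```python
from collections import defaultdict


# Constructed sign-in records (not real logs). Fields: timestamp, target
# account, source IP, success flag. The schema is an assumption for this example.
SAMPLE_SIGNINS = [
    # Day 1: six accounts, one failed attempt each, every attempt from a
    # different source address: the low-and-slow pattern described above.
    {"ts": "2024-11-01T02:10:00", "user": "alice@corp.example", "src": "198.51.100.10", "ok": False},
    {"ts": "2024-11-01T02:41:00", "user": "bob@corp.example", "src": "198.51.100.11", "ok": False},
    {"ts": "2024-11-01T03:05:00", "user": "carol@corp.example", "src": "198.51.100.12", "ok": False},
    {"ts": "2024-11-01T03:37:00", "user": "dave@corp.example", "src": "198.51.100.13", "ok": False},
    {"ts": "2024-11-01T04:02:00", "user": "erin@corp.example", "src": "198.51.100.14", "ok": False},
    {"ts": "2024-11-01T04:48:00", "user": "frank@corp.example", "src": "198.51.100.15", "ok": False},
    # Legitimate activity the same day from a user's usual address.
    {"ts": "2024-11-01T08:00:00", "user": "alice@corp.example", "src": "203.0.113.5", "ok": True},
    # A later success from an address that earlier only produced a failure:
    # a sprayed password was valid and is now being used.
    {"ts": "2024-11-01T09:30:00", "user": "carol@corp.example", "src": "198.51.100.12", "ok": True},
    # Day 2: one user mistyping a password three times from a normal address.
    {"ts": "2024-11-02T08:00:00", "user": "bob@corp.example", "src": "203.0.113.9", "ok": False},
    {"ts": "2024-11-02T08:00:20", "user": "bob@corp.example", "src": "203.0.113.9", "ok": False},
    {"ts": "2024-11-02T08:00:45", "user": "bob@corp.example", "src": "203.0.113.9", "ok": False},
    {"ts": "2024-11-02T08:01:10", "user": "bob@corp.example", "src": "203.0.113.9", "ok": True},
]


def daily_failure_stats(records):
    """Aggregate failed sign-ins per calendar day: total failures, distinct
    accounts targeted, and distinct source addresses."""
    stats = defaultdict(lambda: {"failures": 0, "accounts": set(), "sources": set()})
    for r in records:
        if r["ok"]:
            continue
        day = r["ts"][:10]
        s = stats[day]
        s["failures"] += 1
        s["accounts"].add(r["user"])
        s["sources"].add(r["src"])
    return stats


def detect_spray_days(records, min_accounts=5, max_attempts_per_account=1.5, min_source_spread=0.8):
    """Return the days whose failure pattern looks like a distributed low-and-slow
    spray: many distinct accounts, about one attempt each, and nearly every
    attempt from a different source address. The thresholds are assumptions;
    tune them against a baseline of normal days for the tenant."""
    flagged = []
    for day, s in sorted(daily_failure_stats(records).items()):
        n_accounts = len(s["accounts"])
        if n_accounts < min_accounts:
            continue
        attempts_per_account = s["failures"] / n_accounts
        source_spread = len(s["sources"]) / s["failures"]
        if attempts_per_account <= max_attempts_per_account and source_spread >= min_source_spread:
            flagged.append(day)
    return flagged


def detect_success_from_spray_sources(records):
    """Flag successful sign-ins from a source address that earlier contributed a
    failure on a flagged spray day: the sprayed credential was valid and is in use."""
    spray_days = set(detect_spray_days(records))
    spray_sources = set()
    alerts = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if not r["ok"]:
            if r["ts"][:10] in spray_days:
                spray_sources.add(r["src"])
        elif r["src"] in spray_sources:
            alerts.append((r["ts"], r["user"], r["src"]))
    return alerts


if __name__ == "__main__":
    print("spray days:", detect_spray_days(SAMPLE_SIGNINS))
    for ts, user, src in detect_success_from_spray_sources(SAMPLE_SIGNINS):
        print(f"ALERT {ts}: successful sign-in for {user} from spray source {src}")
```

On the constructed data, day 1 is flagged (six failures across six accounts from six addresses) while day 2 is not (three failures against one account), and the single alert is the success for the account whose sprayed password turned out to be valid. The second detector matters most in this campaign because the page notes that intrusions follow on the same day the credential is obtained.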

Despite a reported decline in the use of CovertNetwork-1658’s original infrastructure [4], Microsoft believes it remains operational [4], with threat actors likely acquiring new infrastructure with modified fingerprints to evade detection [3]. Increased scrutiny from security researchers has led Quad7 operators to enhance their stealth tactics [3], including recent activities that involve compromising Zyxel VPN endpoints and Ruckus wireless routers. The average lifespan of a Quad7 bot is approximately 90 days, complicating monitoring efforts [3] [6]. Following public disclosure [10], the infrastructure of Quad7 has also experienced a significant decline, suggesting that the threat actors may be adapting their tactics.

Conclusion

The activities of Storm-0940 highlight the persistent threat posed by state-sponsored cyber actors. Organizations are advised to enhance credential hygiene [6], disable legacy authentication [3], and strengthen cloud identities to mitigate these threats. The potential for large-scale password spraying campaigns increases the likelihood of successful credential compromises across various sectors and regions [10]. While specific preventive measures for devices like TP-Link routers have not been provided [4], experts recommend periodically rebooting these devices, which temporarily clears the infection, and adopting passwordless authentication methods to further secure accounts. Microsoft continues to work on raising awareness and improving defenses against such highly evasive intrusion activities [12], underscoring the need for ongoing vigilance and adaptation in cybersecurity strategies.

References

[1] https://heimdalsecurity.com/blog/microsoft-chinese-threat-actors-botnet-credential-theft/
[2] https://www.isss.org.uk/news/microsoft-warns-of-chinese-botnet-exploiting-router-flaws-for-credential-theft/
[3] https://www.govinfosecurity.com/chinese-hackers-use-quad7-botnet-for-credential-theft-a-26709
[4] https://www.techspot.com/news/105414-tp-link-routers-center-massive-botnet-used-takeover.html
[5] https://cybermaterial.com/quad7-botnet-targets-routers-for-theft/
[6] https://securityaffairs.com/170503/malware/quad7-botnet-used-by-chinese-threat-actors.html
[7] https://arstechnica.com/information-technology/2024/11/microsoft-warns-of-8000-strong-botnet-used-in-password-spraying-attacks/
[8] https://thenimblenerd.com/article/microsofts-password-panic-chinese-botnet-quad7-wreaks-havoc/
[9] https://www.techradar.com/pro/security/microsoft-reveals-major-chinese-botnet-is-attacking-users-across-the-world
[10] https://thehackernews.com/2024/11/microsoft-warns-of-chinese-botnet.html
[11] https://www.bankinfosecurity.com/chinese-hackers-use-quad7-botnet-for-credential-theft-a-26709
[12] https://www.cybersecurity-review.com/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/