• Cyber Syrup
  • Posts
  • Microsoft Warns That A Chinese BotNet Is Exploiting Router Flaws

Microsoft Warns That A Chinese BotNet Is Exploiting Router Flaws

Microsoft has identified a new cyber threat from the Chinese-based threat actor Storm-0940, which is deploying a botnet called Quad7 to launch evasive password spray attacks

November 04, 2024

In partnership with

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Learn AI in 5 minutes a day.

The Rundown is the world’s most trusted AI newsletter, with over 700,000+ readers staying up-to-date with the latest AI news, understanding why it matters, and learning how to apply it in their work.

Their expert research team spends all day learning what’s new in AI, then distills the most important developments into one free email every morning.

Microsoft Warns That A Chinese BotNet Is Exploiting Router Flaws

Microsoft has identified a new cyber threat from the Chinese-based threat actor Storm-0940, which is deploying a botnet called Quad7 to launch evasive password spray attacks. Known within Microsoft as CovertNetwork-1658, this botnet is used to steal credentials from multiple accounts and gain access to high-value networks. Microsoft has observed that these password spray attacks target critical sectors across North America and Europe.

Who is at Risk?

Organizations targeted by Storm-0940 include:

  • Think Tanks and Government Bodies: Targeting research institutions, policy think tanks, and government agencies in North America and Europe.

  • Non-Governmental Organizations (NGOs): Focusing on groups handling sensitive international or civil society data.

  • Defense and Industrial Sectors: Engaging companies involved in military tech, engineering, and industrial manufacturing.

  • Law Firms and Private Sector Enterprises: Particularly those dealing with confidential client information or intellectual property.

Microsoft estimates that up to 8,000 compromised devices are active within the botnet at any given time, though only 20% are regularly engaged in password spray attacks.

Understanding the Quad7 Botnet

The Quad7 botnet, also known as 7777 or xlogin, targets various consumer and small office/home office (SOHO) routers and VPN appliances by exploiting known vulnerabilities. Popular brands impacted include:

  • TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR.

Once compromised, these devices become part of the botnet, with a backdoor listening on TCP port 7777 to enable remote access. This access allows the botnet to carry out highly targeted brute-force attacks. Security researchers, including those from Sekoia and Team Cymru, have linked Quad7’s activity to Chinese state-sponsored actors targeting Microsoft 365 accounts.

Microsoft’s analysis also highlights that the botnet maintains a rapid operational pace. When Storm-0940 acquires valid login credentials through Quad7, the group often uses them to access the target’s network almost immediately, indicating close collaboration between the botnet operators and the threat actor.

How to Protect Yourself

1. Strengthen Password Policies

  • Require Strong Passwords: Enforce unique, complex passwords using a mix of letters, numbers, and symbols.

  • Implement Account Lockouts: Set up account lockout policies after multiple failed login attempts to deter brute-force attacks.

2. Use Multi-Factor Authentication (MFA)

  • Enabling MFA adds an additional layer of security, requiring a secondary form of identification for access. This makes it significantly harder for attackers to compromise accounts even if they have stolen credentials.

3. Monitor for Suspicious Login Activity

  • Track and review login patterns to identify potential password spray activity, such as multiple failed attempts from a single IP or logins from distant geographic locations.

  • Implement log monitoring solutions that send alerts for unusual login behaviors, like single sign-in attempts across multiple accounts within a short timeframe.

4. Regularly Update Network Devices

  • Ensure that all routers, VPNs, and network devices are running updated firmware to prevent known vulnerabilities from being exploited.

  • Disable unnecessary ports and services on network devices, specifically TCP port 7777 if it is not needed.

5. Limit Exposure of Sensitive Systems

  • Restrict access to key network assets, such as Microsoft 365 accounts, by using IP whitelisting or network segmentation.

  • Consider using virtual private networks (VPNs) for secure access rather than directly exposing sensitive resources to the internet.

Microsoft’s Recommendations

Microsoft notes that since the Quad7 botnet’s activity was made public, there has been a decline in its infrastructure. However, Microsoft warns that threat actors may be acquiring new infrastructure and modifying their approach to avoid detection.

Microsoft advises organizations to:

  • Stay Vigilant: Regularly monitor security updates and patches.

  • Implement Best Practices: Utilize tools like Microsoft Secure Score and follow Microsoft’s Zero Trust security model for continuous verification and least-privilege access.

  • Stay Informed: Keep up-to-date with Microsoft’s guidance and any threat intelligence updates related to Quad7 or similar botnets.

Conclusion

The emergence of the Quad7 botnet highlights the evolving threat landscape, where state-sponsored actors can deploy sophisticated, botnet-backed attacks on a large scale. Proactive defenses, such as strong authentication practices, constant monitoring, and robust security policies, are essential to counter these threats. By staying alert and reinforcing security protocols, organizations can protect themselves against the growing risk posed by these advanced and targeted attacks.