Microsoft Warning: Chinese Hackers Exploiting Router Flaws
According to recent reports, a Microsoft warning has stated that a Chinese threat actor, tracked as Storm-0940, was identified leveraging a botnet called CovertNetwork-1658. Experts believe that the botnet is being used to conduct password spray attacks. In this article, we’ll dive into the details of the botnet and uncover recommended mitigation measures. Let’s begin!
Microsoft Warning: Initial Botnet Discovery
Microsoft initially observed intrusion activity pertaining to the botnet back in August 2023. At that time it was pointed out that multiple Microsoft customers were being targeted with password spray attacks and their credentials were being stolen successfully. In the most recent Microsoft warning, the tech giant has linked the source of these password attacks to a network of compromised devices.
This botnet, being used by the Chinese threat actor, is tracked as CovertNetwork-1658. Before we go into further detail, it’s worth mentioning that the botnet is also referred to as xlogin and Quad7. In addition, Microsoft has mentioned that the credentials acquired through CovertNetwork-1658 are used by numerous Chinese threat actors, such as Storm-0940.
What Is CovertNetwork-1658?
“CovertNetwork” is the term Microsoft uses for a collection of egress IP addresses that are either compromised or leased. It’s worth noting that these IP addresses are likely being used by one or more Chinese threat actors.
CovertNetwork-1658 refers to small office and home office (SOHO) routers. The recently issued Microsoft warning details that this network of compromised routers is owned and operated by a threat actor in China. Providing further insights, an excerpt from the Microsoft warning reads:
“The threat actor exploits a vulnerability in the routers to gain remote code execution capability. We continue to investigate the specific exploit by which this threat actor compromises these routers. Microsoft assesses that multiple Chinese threat actors use the credentials acquired from CovertNetwork-1658 password spray operations to perform computer network exploitation (CNE) activities.”
Targeted Devices And Entities
Team Cymru and Sekoia have also been involved in extensively analyzing Quad7 (7777) in recent months. The cybersecurity firms have stated that the Storm-0940 threat actor has been leveraging routers and VPN appliances from several brands in its operations. These brands include:
- TP-Link.
- Zyxel.
- Asus.
- Axentra.
- D-Link.
- NETGEAR.
As far as the targeted entities are concerned, the Chinese threat actor named in the Microsoft warning mainly attacks potential victims in North America and Europe. The targeted organizations belong to various sectors that include:
- Think tanks.
- Government organizations.
- Non-governmental organizations.
- Defense industrial base.
- Law firms.
CovertNetwork-1658: Password Spray Attacks Infrastructure
The tech giant has been keen on providing insights pertaining to the attack infrastructure in the Microsoft warning. It mentions that, in the observed campaigns, the threat actor submits only a very small number of sign-in attempts against numerous accounts belonging to a target organization.
The number of sign-in attempts per account each day, and how prevalent each count is, are listed below:

| Number Of Attempts | Approximate Percentage Of Prevalence |
|---|---|
| 1 Attempt | Around 80% |
| 2 Attempts | Between 10% and 20% |
| 3 Attempts | Between 0% and 10% |
| 4 Attempts | 0% |
It’s worth mentioning that the CovertNetwork-1658 infrastructure is difficult to observe because of several challenges listed in the Microsoft warning. The challenges include:
- Compromised IP addresses.
- Low volume password spray process.
- Use of a rotating set of IP addresses.
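The three properties above (compromised source IPs, one or two failures per account, and a rotating IP set) are exactly what a per-day sign-in log profile can surface. The following detector is an added example written for this article, not Microsoft's code; the sign-in records and the thresholds are constructed assumptions, and the profile it produces mirrors the attempts-per-account table above.

```python
from collections import Counter
from datetime import datetime

# Constructed sample sign-in records (not real data): timestamp, account, source IP, outcome.
SAMPLE_SIGNINS = [
    "2024-10-30T01:12:03Z alice@example.org 198.51.100.7 FAILURE",
    "2024-10-30T01:15:44Z bob@example.org 198.51.100.22 FAILURE",
    "2024-10-30T02:03:19Z carol@example.org 203.0.113.5 FAILURE",
    "2024-10-30T02:41:52Z dave@example.org 203.0.113.41 FAILURE",
    "2024-10-30T03:07:08Z erin@example.org 198.51.100.90 FAILURE",
    "2024-10-30T03:09:30Z erin@example.org 198.51.100.91 FAILURE",
    "2024-10-30T04:20:00Z frank@example.org 192.0.2.17 FAILURE",
    "2024-10-30T09:00:00Z alice@example.org 192.0.2.200 SUCCESS",  # normal office sign-in
    "2024-10-31T08:10:00Z bob@example.org 192.0.2.200 FAILURE",    # one mistyped password
    "2024-10-31T08:10:30Z bob@example.org 192.0.2.200 SUCCESS",
]

def parse_signin(line):
    """Split one space-separated record into (timestamp, account, source_ip, succeeded)."""
    ts, account, ip, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, outcome == "SUCCESS"

RECORDS = [parse_signin(line) for line in SAMPLE_SIGNINS]

def spray_profile(records, day):
    """Profile the failed sign-ins of one day: accounts hit, distinct source IPs,
    and the share of accounts that saw 1, 2, 3 or 4+ failed attempts."""
    fails = [(a, ip) for ts, a, ip, ok in records if not ok and ts.date().isoformat() == day]
    per_account = Counter(a for a, _ in fails)
    bucket = Counter(min(n, 4) for n in per_account.values())  # cap at the "4+" bucket
    total = len(per_account) or 1
    return {
        "accounts": len(per_account),
        "source_ips": len({ip for _, ip in fails}),
        "attempt_distribution": {k: bucket[k] / total for k in (1, 2, 3, 4)},
    }

def is_low_volume_spray(profile, min_accounts=5, min_single_share=0.5, min_ip_ratio=0.5):
    """Low-and-slow spray signal: many accounts, most with a single failure, and nearly
    as many distinct source IPs as accounts (IP rotation). Thresholds are assumptions."""
    if profile["accounts"] < min_accounts:
        return False
    single_share = profile["attempt_distribution"][1]
    ip_ratio = profile["source_ips"] / profile["accounts"]
    return single_share >= min_single_share and ip_ratio >= min_ip_ratio

def days_with_spray(records):
    """Return the sorted list of days whose failure profile matches the spray pattern."""
    days = sorted({ts.date().isoformat() for ts, *_ in records})
    return [d for d in days if is_low_volume_spray(spray_profile(records, d))]
```

Per-IP failure counts alone would miss this pattern, since each source IP appears only once; the per-account distribution and the IP-to-account ratio are what expose it.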
Commenting on how the threat actor acquires initial access, Microsoft has stated that:
“Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services.”
Post Exploit Actions And Activities
Once unauthorized access to a vulnerable router is acquired, a series of malicious actions are taken to ensure that the router is ready for password spray operations. Details mentioned in the Microsoft warning entail that the password spray campaigns originate from compromised devices. The malicious actions initiated upon initial access include:
- Downloading Telnet binary stored in a remote File Transfer Protocol (FTP) server.
- Downloading xlogin backdoor binary stored in a remote FTP server.
- Utilizing the downloaded Telnet and xlogin binaries for starting an access-controlled command shell on TCP port 7777.
- Connecting and authenticating to the xlogin backdoor listening on TCP port 7777.
- Downloading a SOCKS5 server binary to the router.
- Starting SOCKS5 server on TCP port 11288.
Storm-0940 has, on multiple occasions, been observed targeting organizations using credentials acquired through CovertNetwork-1658’s password spray operations. In some attacks, the compromised credentials were used on the same day they were obtained. Once access to the victim’s environment is acquired, the malicious activities that follow include:
- Attempts to exfiltrate data stored on compromised systems.
- The use of scanning and credential dumping tools for lateral movement within the network.
- Attempts to access network devices in order to install proxy tools and remote access trojans (RATs) for increased persistence.
Commenting on the attack infrastructure and credential turnover, Microsoft has stated that:
“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time. This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.”
Security Protocols For Risk Mitigation
Given the severity of password spraying attacks, comprehending the security measures that need to be deployed to ensure protection is essential. The fundamentals of these protocols lie in developing credential hygiene and strengthening cloud identities. Some of the key security recommendations that the Microsoft warning mentions include:
- Educating users on the importance of ensuring credential hygiene.
- Implementing multi-factor authentication (MFA) on all accounts.
- Transitioning to passwordless primary authentication.
- Using Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints alongside MFA.
- Disabling legacy authentication protocols.
- Resetting credentials for accounts that have been targeted during an attack.
- Creating credential access policies based on defined criteria.
- Using Azure AD alongside conditional access policies for blocking legacy authentication protocols.
- Deploying the principle of least privilege.
- Auditing privileged accounts.
In addition, defenders should monitor failed sign-in attempts and the IP addresses from which they originate. Users should avoid weak passwords and predictable variants of them, and organizations should rely on identity protection controls. It’s worth noting that Microsoft has observed a steady decline in the use of CovertNetwork-1658.
However, the decline does not mean that the operations have ended. The tech giant has stated that the threat actors are likely acquiring new infrastructure with modified fingerprints to replace the infrastructure that has now been publicly disclosed.
Conclusion
The recent Microsoft warning emphasizes the persistent and sophisticated nature of the threats posed by Chinese threat actors, like Storm-0940. Such online criminals are known for leveraging the CovertNetwork-1658 botnet. By exploiting vulnerabilities in routers and VPN devices, these actors conduct password spray attacks and gain unauthorized access to sensitive information.
Their main targets include various organizations across North America and Europe. To defend against such threats, organizations must prioritize credential hygiene, implement robust multi-factor authentication, and adhere to a proactive security approach. Staying vigilant and proactive in adapting to new attack strategies is essential in mitigating risks posed by evolving cyber threats.
The sources for this piece include articles in The Hacker News and Microsoft.