Decrypt LOL

Microsoft Issues Warning on Quad7 Botnet Linked to China


Quick take - Microsoft has issued a warning about the Quad7 botnet, a network of compromised Small Office/Home Office (SOHO) routers and VPN appliances that the Chinese threat actor Storm-0940 uses to run password-spray attacks against online accounts, including Microsoft 365.

Fast Facts

  • Microsoft warns of the Quad7 botnet, linked to the Chinese threat actor Storm-0940, which conducts password-spray attacks to steal credentials for online services, including Microsoft 365.
  • The botnet is built from compromised Small Office/Home Office (SOHO) devices and VPN appliances, exploiting both known and previously undisclosed vulnerabilities in popular brands such as TP-LINK, Zyxel, and Asus.
  • Five login clusters associated with the botnet have been identified, varying in size and target device; compromised TP-Link routers form the core of the network and relay the brute-force and spray traffic.
  • Storm-0940 employs techniques such as password spraying and brute-force attacks, focusing on sectors like government and NGOs in North America and Europe.
  • Microsoft advises organizations to improve credential hygiene and harden cloud identities to defend against these ongoing password-spray attacks.

Microsoft Warns of Quad7 Botnet Linked to Chinese Threat Actors

Microsoft has issued a warning regarding the Quad7 botnet, which is associated with Chinese threat actors, specifically the group known as Storm-0940. This botnet is primarily utilized for password-spray attacks aimed at stealing credentials from various online platforms, including Microsoft 365 accounts.

Discovery and Evolution of Quad7

The Quad7 botnet, also referred to as CovertNetwork-1658 or xlogin, was first identified in the summer of 2023 by security researcher Gi7w0rm. In September 2024, a report from the Sekoia TDR team revealed the discovery of additional implants associated with Quad7 operations, indicating an evolution in the botnet's capabilities. The Quad7 botnet targets a range of Small Office/Home Office (SOHO) devices and VPN appliances, including popular brands such as TP-LINK, Zyxel, Asus, D-Link, and Netgear. It exploits both known and previously undisclosed vulnerabilities, and from the compromised devices it conducts distributed brute-force attacks against services such as Telnet, SSH, and Microsoft 365 accounts.

Login Clusters and Targeted Devices

A recent report by Sekoia highlighted the identification of multiple staging servers and new targets connected to the Quad7 threat actor. Five distinct login clusters associated with the botnet operators have been identified: alogin, xlogin, axlogin, rlogin, and zylogin. Each cluster targets specific devices. For example, compromised TP-Link routers form the backbone of the botnet, utilizing open ports for administration that facilitate brute-force attacks. Other clusters, such as alogin and rlogin, target Asus routers and Ruckus Wireless devices, respectively. The alogin and xlogin clusters are notably large, with thousands of compromised devices, while the rlogin cluster consists of 213 compromised devices. Variants like axlogin and zylogin target Axentra NAS and Zyxel VPNs but are smaller and less frequently observed.

Threat Actor and Recommendations

Microsoft has observed the Chinese threat actor Storm-0940 using credentials obtained through CovertNetwork-1658. Active since 2021, Storm-0940 employs a variety of techniques, including password spraying, brute-force attacks, and exploitation of network edge services. The group focuses on sectors such as government, law, defense, and NGOs in North America and Europe. Microsoft has notified affected customers about the Quad7 botnet and the tactics employed by Storm-0940, offering recommended mitigations for securing affected environments.

A report from Microsoft indicates that a threat actor in China established and maintains the Quad7 network, exploiting vulnerabilities in routers to achieve remote code execution. The company assesses that multiple Chinese threat actors are utilizing credentials acquired from CovertNetwork-1658 for computer network exploitation (CNE) activities. Password spray campaigns typically involve a limited number of sign-in attempts across numerous accounts within a target organization, with CovertNetwork-1658 often making just one sign-in attempt per account per day in approximately 80% of cases.

CovertNetwork-1658 is challenging to track because its traffic originates from compromised SOHO IPs: a rotating pool of thousands of addresses, each of which typically stays in the pool for about 90 days before being replaced. Combined with its low-volume sprays, which rarely trip per-account or per-IP failure thresholds, this lets it slip past standard detection methods. Microsoft has noted that CovertNetwork-1658 continues its operations, with the threat actor possibly acquiring new infrastructure with modified fingerprints, indicating ongoing activity.
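The two paragraphs above describe why this spray is hard to catch: one failed sign-in per account per day, spread across thousands of source IPs. The following is an added example, not code from the article or from Microsoft, that shows the gap concretely. It runs a classic per-account failure rule and a breadth-based rule over a constructed sign-in log; the log format, the account names, the IP addresses and the thresholds are all assumptions made for illustration.

```python
"""Low-and-slow password-spray detection over sign-in logs.

Added example, not code from the article or from Microsoft. The log format,
accounts, IP addresses and thresholds are all constructed/assumed for
illustration. Each line: <ISO-8601 UTC timestamp> <user> <source IP> <result>.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. On 2024-10-30 ten accounts each receive exactly one
# failed sign-in, every attempt from a different source IP (the spray pattern
# described above). The same day also holds a noisy single-IP brute force
# against admin@ and one legitimate typo by kate@; 2024-10-31 is quiet.
SAMPLE_LOG = """\
2024-10-30T01:03:12Z alice@example.com 203.0.113.11 FAILURE
2024-10-30T01:41:50Z bob@example.com 203.0.113.42 FAILURE
2024-10-30T02:19:07Z carol@example.com 198.51.100.8 FAILURE
2024-10-30T03:55:31Z dave@example.com 198.51.100.77 FAILURE
2024-10-30T05:10:44Z erin@example.com 203.0.113.130 FAILURE
2024-10-30T06:47:02Z frank@example.com 198.51.100.201 FAILURE
2024-10-30T07:30:00Z kate@example.com 192.0.2.40 FAILURE
2024-10-30T07:30:20Z kate@example.com 192.0.2.40 SUCCESS
2024-10-30T08:22:15Z grace@example.com 203.0.113.9 FAILURE
2024-10-30T09:00:01Z admin@example.com 192.0.2.5 FAILURE
2024-10-30T09:00:03Z admin@example.com 192.0.2.5 FAILURE
2024-10-30T09:00:05Z admin@example.com 192.0.2.5 FAILURE
2024-10-30T09:00:07Z admin@example.com 192.0.2.5 FAILURE
2024-10-30T09:00:09Z admin@example.com 192.0.2.5 FAILURE
2024-10-30T09:00:11Z admin@example.com 192.0.2.5 FAILURE
2024-10-30T10:03:58Z heidi@example.com 198.51.100.150 FAILURE
2024-10-30T12:36:20Z ivan@example.com 203.0.113.77 FAILURE
2024-10-30T14:58:49Z judy@example.com 198.51.100.33 FAILURE
2024-10-31T08:15:00Z bob@example.com 192.0.2.41 FAILURE
2024-10-31T08:15:30Z bob@example.com 192.0.2.41 SUCCESS
"""


def parse_events(text):
    """Parse the constructed log into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def per_account_alerts(events, threshold=5):
    """Classic rule: alert when one account fails `threshold`+ times in a day.

    This catches the brute force against admin@ but never fires on a spray
    that touches each account once, which is exactly the gap the botnet uses.
    """
    fails = defaultdict(int)
    for ts, user, _ip, result in events:
        if result == "FAILURE":
            fails[(ts.date(), user)] += 1
    return sorted({user for (_day, user), n in fails.items() if n >= threshold})


def spray_alerts(events, min_accounts=8, min_ips=5, max_per_account=2):
    """Breadth rule: per day, count accounts that saw only a few failures and
    how many distinct source IPs produced them. Many such accounts hit from
    many IPs is the signature of a distributed, low-volume spray.

    Thresholds are illustrative assumptions; tune them to the tenant's baseline.
    """
    by_day = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            by_day[ts.date()].append((user, ip))

    alerts = []
    for day, fails in sorted(by_day.items()):
        per_user = defaultdict(int)
        for user, _ip in fails:
            per_user[user] += 1
        # Accounts hit lightly: a high-count account is brute force, not spray.
        sprayed = {u for u, n in per_user.items() if n <= max_per_account}
        source_ips = {ip for u, ip in fails if u in sprayed}
        if len(sprayed) >= min_accounts and len(source_ips) >= min_ips:
            alerts.append({"day": day.isoformat(),
                           "accounts": len(sprayed),
                           "source_ips": len(source_ips)})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("per-account rule:", per_account_alerts(evs))  # only admin@example.com
    print("breadth rule:", spray_alerts(evs))            # flags 2024-10-30
```

The per-account rule reports only the brute force against admin@, while the breadth rule flags 30 October because eleven lightly-hit accounts received failures from eleven different source addresses in one day. Because the botnet rotates its IP pool, blocklists built from yesterday's sources decay quickly; keying the detection on how many accounts and how many sources are involved, rather than on any single account or IP, is what makes it robust against this operator's tempo.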

After gaining access to a victim’s environment, Storm-0940 has been observed utilizing scanning and credential dumping tools for lateral movement. The group installs proxy tools and Remote Access Trojans (RATs) for persistence and attempts data exfiltration from compromised systems. Microsoft recommends that organizations enhance their credential hygiene and strengthen cloud identities as crucial defenses against password spraying attacks.
