Microsoft Security Alert: Chinese Botnet Quad7 Attacking Users Globally
Chinese threat actors are stealing credentials in password-spray attacks carried out through the Quad7 (7777) botnet, Microsoft experts warned on Thursday.
About Quad7 Botnet
The Quad7 botnet, also known as the 7777 botnet or xlogin botnet, is made up of hacked TP-Link routers. These routers have two open ports, TELNET/7777 and 11288. Port 7777 is the administration port: it runs a bind shell with root access, called xlogin, that requires a password. Port 11288 acts as a SOCKS5 proxy, also password protected, which is used to relay brute-force attacks against M365 accounts.
Chinese Threat Actor Storm-0940
“Active since at least 2021, Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services,” the Microsoft Threat Intelligence team said. “Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others.”
Microsoft’s Investigation
Microsoft tracks the botnet as CovertNetwork-1658 and says it has been exploiting router flaws to steal credentials from multiple Microsoft customers. The botnet has compromised routers from major manufacturers, including TP-Link, Zyxel, Asus, Axentra, D-Link and NETGEAR. Microsoft has observed the Chinese threat actor Storm-0940 using credentials obtained through CovertNetwork-1658.
“In these campaigns, CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization,” a report states.
“In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day.”
Challenges in Detection
According to Microsoft, monitoring Quad7 activity is challenging because most bots remain active for only about 90 days. The bots are SOHO routers, so there is no central IP address to track. Detection is further complicated by the low volume of spray attempts: with so few sign-in attempts coming from any single IP address, the activity does not stand out as repeated sign-in failures from one source.
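The low-and-slow pattern described above (one attempt per account per day, spread across many short-lived residential IPs) defeats per-IP lockout rules but is visible in aggregate. As an added example that is not from the article or from Microsoft, the Python below aggregates constructed sign-in failure lines per day and flags a day on which many accounts each see a single failed attempt from distinct sources; the log format and thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample log, one failed sign-in per line:
#   <ISO timestamp> FAIL <account> <source IP>
# 2024-10-30 mimics the spray pattern: one attempt per account, each
# from a different address.  2024-10-31 is one user mistyping a
# password three times from a single address (should not be flagged).
SAMPLE_LOG = """\
2024-10-30T08:01:12Z FAIL alice@corp.example 198.51.100.23
2024-10-30T08:07:44Z FAIL bob@corp.example 203.0.113.9
2024-10-30T08:15:03Z FAIL carol@corp.example 198.51.100.77
2024-10-30T08:21:39Z FAIL dave@corp.example 203.0.113.140
2024-10-30T08:30:51Z FAIL erin@corp.example 192.0.2.61
2024-10-30T09:02:18Z FAIL frank@corp.example 192.0.2.200
2024-10-30T09:40:05Z FAIL frank@corp.example 192.0.2.201
2024-10-31T10:11:30Z FAIL bob@corp.example 203.0.113.9
2024-10-31T10:11:58Z FAIL bob@corp.example 203.0.113.9
2024-10-31T10:12:20Z FAIL bob@corp.example 203.0.113.9
"""

def parse(log):
    """Yield (day, account, ip) for every FAIL line."""
    for line in log.splitlines():
        ts, status, account, ip = line.split()
        if status == "FAIL":
            yield ts[:10], account, ip

def daily_stats(log):
    """Per day: accounts targeted, distinct IPs, busiest IP, and the
    share of accounts that saw exactly one failed attempt."""
    per_day = defaultdict(list)
    for day, account, ip in parse(log):
        per_day[day].append((account, ip))
    stats = {}
    for day, events in per_day.items():
        by_account = Counter(a for a, _ in events)
        by_ip = Counter(ip for _, ip in events)
        single = sum(1 for n in by_account.values() if n == 1)
        stats[day] = {"accounts": len(by_account), "ips": len(by_ip),
                      "max_per_ip": max(by_ip.values()),
                      "single_attempt_ratio": single / len(by_account)}
    return stats

def flag_low_and_slow(log, min_accounts=5, max_per_ip=2, min_single_ratio=0.8):
    """Days that look like a distributed spray: many accounts hit, nearly
    all with a single attempt, and no source IP behind more than a few."""
    return sorted(day for day, s in daily_stats(log).items()
                  if s["accounts"] >= min_accounts
                  and s["max_per_ip"] <= max_per_ip
                  and s["single_attempt_ratio"] >= min_single_ratio)
```

The same aggregation can be expressed as a scheduled query over a SIEM's sign-in table; the point is to alert on the breadth of accounts touched per day rather than on volume per source.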
Malware and Remote Access
Threat actors use purpose-built botnet malware to remotely access the compromised devices via Telnet, targeting several clusters including xlogin, alogin, rlogin and others. The cybersecurity experts traced the proxy software used on these routers to a user living in Hangzhou, China.
After gaining access to a victim's network, the threat actors use tools to scan the network and harvest credentials in order to move laterally. They also attempt to reach network devices and install RATs and proxies that provide remote access and persistence, with the goal of stealing users' data.
In light of these attacks, Microsoft recommends disabling legacy authentication and moving to passwordless authentication.