Hackers working on behalf of the Chinese government are using a botnet of hundreds of routers, cameras, and other Web-connected devices to perform highly evasive password spray attacks against users of Microsoft's Azure cloud service, the company warned Thursday.
The malicious network, made up almost entirely of TP-Link routers, was first documented in October 2023 by a researcher who named it Botnet-7777. The geographically dispersed collection of more than 16,000 compromised devices at its peak got its name because it exposes its malware on port 7777.
Account compromise at scale
In July and again in August of this year, security researchers from Sekoia and Team Cymru reported the botnet was still operational. All three reports said that Botnet-7777 was being used to skillfully perform password spraying, a type of attack that sends large numbers of login attempts from many different IP addresses. Because each individual device limits the login attempts, the carefully coordinated account-takeover campaign is hard for the targeted service to detect.
On Thursday, Microsoft reported that CovertNetwork-1658—the name Microsoft uses to track the botnet—is being used by multiple Chinese threat actors in an attempt to compromise targeted Azure accounts. The company said the attacks are "highly evasive" because the botnet—now estimated at about 8,000 strong on average—takes pains to hide the malicious activity.
"Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short period of time," Microsoft officials wrote. "This scale, combined with rapid operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions."
Among the characteristics that make detection difficult are:
- Using compromised SOHO IP addresses
- Using a rotating set of IP addresses at any given time. The threat actors had hundreds of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is roughly 90 days.
- The low-volume password spray process; for instance, monitoring for multiple failed sign-in attempts from one IP address or against one account will not detect this activity.
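The last bullet is the crux for defenders: a rule keyed on one source IP or one target account never fires when every node in a rotating pool tries each account only once. The example below, added here and not taken from Microsoft's report or any vendor product, shows that failure mode against constructed sign-in telemetry and contrasts it with a tenant-wide rule that measures breadth (many distinct accounts failing from many distinct sources inside one window) instead of depth per source. The event field names, thresholds and window size are assumptions chosen for illustration; real Entra ID sign-in logs use different schemas, and the thresholds need tuning to a tenant's baseline.

```python
"""Detecting a low-and-slow, many-source password spray in sign-in logs.

Per-IP and per-account lockout thresholds miss a spray in which each source
IP tries each account once. The tenant-wide rule below looks for breadth
instead: many distinct accounts failing from many distinct source IPs inside
one time window, with no single IP standing out. (Added example; schema,
thresholds and sample data are constructed, not from the original article.)
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 11, 1, 2, 0, 0)  # constructed anchor time for the sample


def build_sample_events():
    """Constructed telemetry: a 40-account spray plus ordinary user noise."""
    events = []
    # Spray: each account gets exactly one failure from its own source IP,
    # paced five minutes apart, so no IP or account ever nears a lockout rule.
    for i in range(40):
        events.append({
            "time": BASE + timedelta(minutes=5 * i),
            "user": f"user{i:02d}@example.test",
            "src_ip": f"198.51.100.{i + 1}",   # TEST-NET-2 documentation range
            "result": "failure",
        })
    # Noise: a legitimate user mistypes twice from one IP, then signs in.
    for minute, result in ((7, "failure"), (8, "failure"), (9, "success")):
        events.append({
            "time": BASE + timedelta(minutes=minute),
            "user": "alice@example.test",
            "src_ip": "203.0.113.10",          # TEST-NET-3 documentation range
            "result": result,
        })
    return events


def failures(events):
    return [e for e in events if e["result"] == "failure"]


def per_source_alerts(events, max_failures=5):
    """Classic rule: any single IP with more than max_failures failed sign-ins."""
    counts = Counter(e["src_ip"] for e in failures(events))
    return sorted(ip for ip, n in counts.items() if n > max_failures)


def per_account_alerts(events, max_failures=5):
    """Classic rule: any single account with more than max_failures failures."""
    counts = Counter(e["user"] for e in failures(events))
    return sorted(user for user, n in counts.items() if n > max_failures)


def distributed_spray_alerts(events, window=timedelta(hours=6),
                             min_accounts=20, min_ips=20, max_per_ip=2):
    """Tenant-wide rule: bucket failures into tumbling windows and flag any
    window where many accounts fail from many IPs while every IP stays quiet.
    That combination (breadth without depth) is the spray's own signature and
    does not depend on recognising any particular source address."""
    failed = failures(events)
    if not failed:
        return []
    t0 = min(e["time"] for e in failed)
    span = window.total_seconds()
    buckets = defaultdict(list)
    for e in failed:
        slot = int((e["time"] - t0).total_seconds() // span)
        buckets[slot].append(e)

    alerts = []
    for slot, evs in sorted(buckets.items()):
        ips = Counter(e["src_ip"] for e in evs)
        users = Counter(e["user"] for e in evs)
        noisiest_ip = max(ips.values())
        if (len(users) >= min_accounts and len(ips) >= min_ips
                and noisiest_ip <= max_per_ip):
            alerts.append({
                "window_start": t0 + slot * window,
                "failed_accounts": len(users),
                "source_ips": len(ips),
                "max_failures_per_ip": noisiest_ip,
            })
    return alerts


if __name__ == "__main__":
    sample = build_sample_events()
    print("per-IP rule:", per_source_alerts(sample))          # []
    print("per-account rule:", per_account_alerts(sample))    # []
    for alert in distributed_spray_alerts(sample):
        print("distributed spray:", alert)
```

The two classic rules return nothing on this data, which is exactly the blind spot the bullet describes. The tenant-wide rule fires once, because 41 accounts failed from 41 source addresses inside a single window and no address exceeded two failures. Because the rule aggregates over the whole tenant rather than over a source, it is also unaffected by the 90-day node rotation noted above: a fresh pool of addresses still produces the same breadth signal. In production the same aggregation is usually expressed as a scheduled query over the sign-in table, with thresholds set from the tenant's normal failed-sign-in distribution.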