Man
Professional
Since August 2023, Microsoft has recorded increased activity of Azure account hijackers using password spraying techniques. Stealthy and often successful attacks were linked to the CovertNetwork-1658 botnet, aka xlogin and Quad7 (7777).
This botnet is composed mainly of backdoored TP-Link SOHO routers that work as relays. The period of activity of the node is on average 90 days; password spraying attacks simultaneously involve about 8 thousand IP addresses, in 80% of cases each makes one hacking attempt per day.
To inject the backdoor, the attackers use vulnerabilities — which ones are not known for certain. After the exploit is processed, the device is prepared to work as a proxy:
Credentials compromised by CovertNetwork-1658 are then used to carry out targeted attacks. Compromise of target accounts in the Azure cloud allows attackers to move across the network, gain a foothold with a RAT, and proceed to steal data.
In particular, the fruits of the work of the proxy botnet are eagerly used by a cyber group operating in North America and Europe, which is tracked by Microsoft under the name Storm-0940.
In recent months, the activity of CovertNetwork-1658 has decreased significantly. Probably, bot managers were alarmed by the increased attention from the information security community (Team Cymru and Sekoia publications dedicated to Quad7), and they decided to update the infrastructure, changing their digital footprints in order to go into the shadows again.
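The pattern the post describes (thousands of relay IPs, about one attempt each per day, spread across many accounts) is exactly what defeats per-IP lockout rules. The following detection sketch is an added example, not part of the original post: it aggregates failed sign-ins per day and flags days where the failures are spread over many source IPs with roughly one attempt each; the sign-in records, IP addresses and thresholds are constructed assumptions, scaled down for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample sign-in events: (timestamp, source_ip, account, result).
# 2024-10-01 mimics the spray: eight relay IPs, one failure each, nine accounts.
# 2024-10-02 is one user mistyping a password three times, then succeeding.
SIGN_INS = [
    (f"2024-10-01T{h:02d}:15:00Z", f"203.0.113.{h}", f"user{h}@example.com", "failure")
    for h in range(1, 9)
] + [
    ("2024-10-01T09:15:00Z", "203.0.113.1", "user9@example.com", "failure"),
    ("2024-10-02T08:00:00Z", "192.0.2.10", "bob@example.com", "failure"),
    ("2024-10-02T08:01:00Z", "192.0.2.10", "bob@example.com", "failure"),
    ("2024-10-02T08:02:00Z", "192.0.2.10", "bob@example.com", "success"),
]

def daily_stats(events):
    """Per UTC day: failed attempts per source IP and the set of targeted accounts."""
    per_ip = defaultdict(Counter)
    accounts = defaultdict(set)
    for ts, ip, account, result in events:
        if result != "failure":
            continue
        day = ts[:10]
        per_ip[day][ip] += 1
        accounts[day].add(account)
    stats = {}
    for day, ips in per_ip.items():
        single = sum(1 for n in ips.values() if n == 1)
        stats[day] = {
            "failed": sum(ips.values()),
            "ips": len(ips),
            "accounts": len(accounts[day]),
            "single_attempt_ratio": single / len(ips),
        }
    return stats

def flag_spray_days(events, min_ips=5, min_accounts=5, min_single_ratio=0.8):
    """Days whose failures are spread over many IPs and many accounts, ~1 try per IP.
    Thresholds are assumptions; real deployments tune them to their own baseline."""
    return sorted(
        day for day, s in daily_stats(events).items()
        if s["ips"] >= min_ips and s["accounts"] >= min_accounts
        and s["single_attempt_ratio"] >= min_single_ratio
    )

if __name__ == "__main__":
    for day, s in sorted(daily_stats(SIGN_INS).items()):
        print(day, s)
    print("spray days:", flag_spray_days(SIGN_INS))
```

The per-day grouping matters because each relay only shows up once a day; a rule keyed on a single IP's failure count never sees more than one or two attempts.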
