Quad7: When Your Home Wi-Fi Becomes a Hacker's Weapon

The combination of old vulnerabilities and new methods affects thousands of devices.

Researchers from Sekoia reported on the evolution of the Quad7 botnet, which began to attack new devices, including Axentra media servers, Ruckus wireless routers, and Zyxel VPN devices. Attackers are actively exploiting vulnerabilities in SOHO and VPN devices such as TP-Link, Zyxel, Asus, D-Link, and Netgear to hack them and add them to the botnet's network.

According to experts, the Quad7 botnet is used to carry out distributed brute force attacks on VPN, Telnet, SSH, and Microsoft 365 accounts. A recent report by Sekoia also revealed the presence of new servers operating the botnet and new targets among network devices.

Botnet operators have identified five separate groups of devices (alogin, xlogin, axlogin, rlogin, and zylogin), each of which attacks specific types of equipment. For example, alogin targets Asus routers, while rlogin attacks Ruckus Wireless devices. While the alogin and xlogin groups covered thousands of devices, rlogin only affected 213 devices, making it smaller but still dangerous. Other groups, such as axlogin and zylogin, focus on the Axentra NAS and Zyxel's VPN.

A distinctive feature of Quad7 is the use of captured TP-Link routers, which attackers use to attack Microsoft 365. These devices are open to remote administration and proxy connections, which makes it easier to carry out attacks.

Researchers also discovered a new backdoor, named UPDTAE after a typo in its code. It lets operators control infected devices remotely over HTTP reverse connections, giving the attackers full control of the equipment.

In recent months, Quad7 operators have improved their botnet management tactics by shifting to stealthier ways of transmitting data. Instead of using open SOCKS proxies, they began to use the KCP protocol, which allows faster communication over UDP, although it requires more bandwidth. The new FsyNet tool conceals the traffic and makes it harder to detect.
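To make the shift to KCP concrete from a defender's side, here is an added example (not code from Sekoia's report or from the botnet itself) that checks whether a UDP payload fits the KCP segment header layout used by the public KCP reference implementation; the sample payloads are constructed, and the `looks_like_kcp` heuristic name is mine. Since the text says FsyNet conceals the traffic, plain header matching only catches unobfuscated KCP, so treat a hit as a lead for a closer look, not proof.

```python
import struct
from dataclasses import dataclass

# KCP segment header (24 bytes, little-endian) as laid out in the public
# KCP reference implementation:
#   conv:u32 cmd:u8 frg:u8 wnd:u16 ts:u32 sn:u32 una:u32 len:u32, then len payload bytes.
KCP_HDR = struct.Struct("<IBBHIIII")
KCP_CMDS = {81: "PUSH", 82: "ACK", 83: "WASK", 84: "WINS"}

@dataclass
class KcpSegment:
    conv: int      # conversation id; all segments of one session share it
    cmd: str       # decoded command name
    frg: int       # fragment count remaining
    wnd: int       # advertised receive window
    ts: int        # sender timestamp
    sn: int        # sequence number
    una: int       # first unacknowledged sequence number
    payload: bytes

def parse_kcp_segments(data: bytes):
    """Parse a UDP payload as a chain of KCP segments; return [] if it does not fit."""
    segs, off = [], 0
    while off < len(data):
        if len(data) - off < KCP_HDR.size:
            return []                       # trailing bytes too short for a header
        conv, cmd, frg, wnd, ts, sn, una, ln = KCP_HDR.unpack_from(data, off)
        if cmd not in KCP_CMDS or ln > len(data) - off - KCP_HDR.size:
            return []                       # unknown command or length overruns buffer
        off += KCP_HDR.size
        segs.append(KcpSegment(conv, KCP_CMDS[cmd], frg, wnd, ts, sn, una, data[off:off + ln]))
        off += ln
    return segs

def looks_like_kcp(data: bytes) -> bool:
    """Heuristic: whole buffer parses as KCP and every segment shares one conv id."""
    segs = parse_kcp_segments(data)
    return bool(segs) and len({s.conv for s in segs}) == 1

def build_segment(conv: int, cmd: int, sn: int, payload: bytes = b"") -> bytes:
    """Build one KCP segment (used only to construct the sample traffic below)."""
    return KCP_HDR.pack(conv, cmd, 0, 128, 1000, sn, 0, len(payload)) + payload

# Constructed samples: a PUSH carrying 5 bytes followed by an ACK, then a non-KCP datagram.
SAMPLE_KCP = build_segment(0x1234, 81, 0, b"hello") + build_segment(0x1234, 82, 0)
SAMPLE_OTHER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    for seg in parse_kcp_segments(SAMPLE_KCP):
        print(seg)
    print(looks_like_kcp(SAMPLE_KCP), looks_like_kcp(SAMPLE_OTHER))
```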

Experts emphasize that the Quad7 botnet is actively adapting to the new conditions. Bugs in the past, such as poorly written code and the use of open proxies, made it vulnerable to detection. Now, however, botnet operators are learning from their mistakes, improving their cloaking techniques and avoiding detection.
