Chinese Hackers Use Botnet to Launch Stealthy Attacks on Microsoft's Azure Cloud Service

Chinese government-backed hackers are using a botnet of more than 16,000 routers, cameras, and other internet-connected devices to launch stealthy password-spray attacks against users of Microsoft's Azure cloud service. The malicious network, named Botnet-7777 after the TCP port on which the malware on infected devices listens, was first documented in October 2023.

Researchers at Sekoia and Team Cymru reported it still active in July and August 2024. The botnet is used for password spraying in a way that makes the attempts hard for targeted services to distinguish from ordinary failed logins. Microsoft, which tracks the same infrastructure as CovertNetwork-1658, recently reported that several Chinese threat actors use it to compromise targeted Azure accounts.

The operators go to some lengths to keep the activity below detection thresholds. Microsoft officials warn that threat actors using the CovertNetwork-1658 infrastructure can conduct large-scale password-spray campaigns, significantly increasing the chance of credential compromise and giving them access to multiple organizations in a short period of time.

The characteristics that make detection difficult are the use of compromised SOHO (small office/home office) IP addresses, a large pool of rotating source addresses, and low-volume password spraying: in most cases only a single sign-in attempt per account per day, so rules that count failed logins per IP address or per account never trigger. CovertNetwork-1658 activity has decreased in recent months, but Microsoft attributes this to public disclosure of the infrastructure rather than to restraint on the operators' part.

Instead, the operators appear to be acquiring new infrastructure whose "fingerprints" differ from the publicly documented ones. One group Microsoft has observed using the botnet is tracked as Storm-0940. The group regularly targets North American and European think tanks, government agencies, NGOs, law firms, and defense industry companies.
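The evasion described above (one attempt per account, each from a different address in a large pool of compromised SOHO devices) is exactly what a per-IP failed-login threshold misses. The following is an added example, not code from the article or from Microsoft: a Python script that runs two detectors over a small constructed set of sign-in records in a simplified comma-separated format (timestamp, user, source IP, result code). The field layout, the sample users, addresses, timestamps and thresholds are assumptions made for the demonstration; 50126 is the real Entra ID result code for an invalid username or password. The classic per-IP rule flags only the noisy legitimate user, while the spray detector looks for many distinct accounts failing from many distinct low-volume IPs within a time window.

```python
"""Added example (not from the article or Microsoft): spotting a low-volume,
IP-rotating password spray in Entra ID / Azure AD style sign-in records.

Input is a constructed, simplified CSV: timestamp,user,sourceIp,errorCode.
Error code 50126 is the real Entra ID code for "invalid username or password";
users, IPs, timestamps and thresholds below are made up for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    error_code: int  # 0 = success, anything else = failure


@dataclass(frozen=True)
class SprayFinding:
    window_start: datetime
    users: tuple  # accounts targeted from low-volume IPs in the window
    ips: tuple    # low-volume source IPs involved


def parse_line(line: str) -> SignIn:
    """Parse one 'timestamp,user,ip,errorCode' record (constructed format)."""
    ts, user, ip, code = line.strip().split(",")
    return SignIn(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, int(code))


def build_sample_lines() -> list:
    """Constructed sign-in log: one stealthy spray plus ordinary user noise."""
    base = datetime(2024, 10, 30, 1, 0, tzinfo=timezone.utc)
    lines = []
    # Spray: 12 accounts, exactly one failed attempt each, every attempt from a
    # different (hypothetical) SOHO address, spread over roughly 19 hours.
    for n in range(12):
        t = base + timedelta(minutes=n * 102)
        lines.append(f"{t.isoformat()},u{n:02d}@contoso.example,198.51.100.{n + 1},50126")
    # Noise: one user mistypes a password six times from one IP, then succeeds.
    for n in range(6):
        t = base + timedelta(hours=8, minutes=n)
        lines.append(f"{t.isoformat()},alice@contoso.example,203.0.113.10,50126")
    lines.append(f"{(base + timedelta(hours=8, minutes=7)).isoformat()},"
                 "alice@contoso.example,203.0.113.10,0")
    return lines


def per_ip_bruteforce(records, threshold: int = 5) -> set:
    """Classic rule: flag any source IP with >= threshold failures.
    It catches the noisy user and misses the spray, whose IPs fail once each."""
    failures = Counter(r.ip for r in records if r.error_code != 0)
    return {ip for ip, n in failures.items() if n >= threshold}


def detect_low_volume_spray(records, window=timedelta(hours=24),
                            min_users: int = 10, min_ips: int = 10,
                            max_per_ip: int = 2) -> list:
    """Flag windows in which many distinct accounts fail from many distinct
    source IPs that each contribute only a handful of failures.  High-volume
    IPs are set aside (the per-IP rule already covers them) so that a single
    fat-fingering user can neither mask nor trigger the spray logic."""
    failures = sorted((r for r in records if r.error_code != 0), key=lambda r: r.ts)
    findings = []
    i = 0
    while i < len(failures):
        start = failures[i].ts
        # failures is sorted, so everything from index i onwards is >= start
        in_window = [r for r in failures[i:] if r.ts < start + window]
        per_ip = Counter(r.ip for r in in_window)
        low_ips = {ip for ip, n in per_ip.items() if n <= max_per_ip}
        users = {r.user for r in in_window if r.ip in low_ips}
        if len(users) >= min_users and len(low_ips) >= min_ips:
            findings.append(SprayFinding(start, tuple(sorted(users)), tuple(sorted(low_ips))))
            i += len(in_window)  # consume this window and look for later ones
        else:
            i += 1
    return findings


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    records = [parse_line(line) for line in SAMPLE_LINES]
    print("per-IP rule flags:", per_ip_bruteforce(records) or "nothing")
    for f in detect_low_volume_spray(records):
        print(f"spray from {f.window_start.isoformat()}: "
              f"{len(f.users)} accounts, {len(f.ips)} low-volume IPs")
```

In a real deployment the thresholds would be tuned to the tenant's size and the window aligned to the once-a-day cadence Microsoft describes; the point of the example is that the signal lives in the breadth of accounts and source addresses, not in any single IP's volume.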

Once targeted Azure accounts are compromised, the attackers attempt to move laterally into the victim organization's network, exfiltrating data and installing remote access Trojans. Microsoft has not provided guidance to owners of the TP-Link routers and other affected devices on how to prevent or detect infections.

In the past, several experts have noted that most infected devices do not survive a reboot, because the malware runs only in memory and cannot write itself to the device's storage. Periodic restarts may therefore clear an infection, but they do not remove the flaw that let the device be compromised, so reinfection remains possible until the device is updated or its management interface is no longer reachable from the internet.
