Thousands of Compromised TP-Link Routers Exploited in Years-Long Account Takeover Campaigns

A significant cybersecurity threat has emerged involving a botnet orchestrated by hackers linked to the Chinese government. This network, comprised of thousands of compromised routers, cameras, and other Internet-connected devices, has been employed to execute sophisticated password spray attacks targeted at users of Microsoft’s Azure cloud service. The warning about this malicious activity was issued by Microsoft on Thursday.

The botnet, identified as Botnet-7777, was first reported in October 2023. It consists predominantly of TP-Link routers and has demonstrated a widespread presence, peaking with over 16,000 compromised devices. The nomenclature “7777” denotes the port that exposes its malicious software. Recent assessments by cybersecurity researchers have confirmed that the botnet remains active, with ongoing attacks being reported in July and August of this year.

Central to the threat posed by this botnet is a method known as password spraying, in which attackers try a small set of passwords against many accounts and spread the attempts across a multitude of IP addresses, so that a high volume of login attempts never exceeds the per-source rate limits imposed by the targeted services. This tactic significantly reduces the likelihood of detection by the affected platforms. On Thursday, Microsoft disclosed its ongoing investigations into these attacks, using the identifier CovertNetwork-1658 to track the botnet activities. With an estimated average of around 8,000 devices currently under its command, the botnet continues to illustrate high levels of technical sophistication in masking its malicious operations.

This coordinated effort is reportedly being utilized by various Chinese threat actors, demonstrating a systematic approach to compromise Azure accounts. Microsoft emphasized the evasiveness of these attacks and the challenges they present for detection. The company noted that adversaries leveraging the infrastructure of CovertNetwork-1658 can scale their password spraying campaigns, significantly increasing the potential for successful account compromises across diverse organizational sectors and geographies.

The obfuscating tactics employed by the attackers include the use of IP addresses belonging to compromised small office/home office (SOHO) devices, rotated continually so that the threat actors can deploy thousands of unique addresses and make it harder for security teams to monitor for malicious activity. Additionally, the low-velocity nature of the password spray technique complicates detection: each IP address and each account sees only a handful of failed logins, so detections keyed on repeated failures from a single IP address or account rarely trigger.

In considering the likely tactics employed within this framework, it is critical to recognize their alignment with various stages outlined in the MITRE ATT&CK Matrix. Techniques such as initial access could be observed through the compromise of devices, while persistence might be established through the use of rotating IPs. Privilege escalation may be pursued if attackers gain access to sensitive accounts, and operational security measures are clearly in place to ensure extended undetected activity.

As the landscape of cybersecurity threats continues to evolve, the incidents surrounding Botnet-7777 serve as a stark reminder of the need for robust security protocols. Organizations utilizing cloud services must remain vigilant, implementing multi-factor authentication and thorough monitoring to mitigate the risk posed by such coordinated attacks.
