Hackers Exploiting Password Spraying Techniques Target Microsoft Accounts
In a recently issued alert, Microsoft warned of ongoing password spraying attacks by multiple Chinese hacking groups using a botnet known as Quad7. Named after a TCP port number, the botnet comprises approximately 8,000 compromised devices, predominantly TP-Link routers of the kind found in small office and home environments. The report also identifies the botnet, also referred to as xlogin, as having emerged in 2023.
Microsoft tracks this threat actor as Storm-0940 and links it to a covert network it identifies as CovertNetwork-1658. Microsoft has indicated that Storm-0940 plays a significant role in the current wave of password spray attacks, taking advantage of compromised credentials, many of which are used on the same day the Quad7 botnet obtains them. "This rapid operational hand-off of compromised credentials suggests a strong collaboration between the operators of CovertNetwork-1658 and Storm-0940," Microsoft stated.
As the campaign continues, Microsoft has observed that Quad7's operators are likely adapting their tactics to evade detection, potentially by acquiring additional infrastructure with modified fingerprints. Increased scrutiny from security researchers has seemingly prompted the operators to improve their stealth. For instance, recent reports show that they are compromising not only TP-Link routers but also devices such as Zyxel VPN endpoints and Ruckus wireless routers.
The Quad7 botnet's modus operandi is deliberately low-volume. Microsoft noted that the operators make only a small number of sign-in attempts, spread across many accounts within each target organization. Notably, in approximately 80% of instances, CovertNetwork-1658 makes a single sign-in attempt per account each day.
A significant challenge in monitoring this botnet stems from its use of small office and home (SOHO) routers: attempts arrive from thousands of residential IP addresses rather than a single traceable source, which complicates tracking. The average lifespan of a bot within the network is reportedly around 90 days, further complicating detection. Additionally, the low volume of attempts means traditional monitoring for bulk sign-ins is ineffective.
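The two detection problems described above (one failed sign-in per account per day, each from a different residential IP) can be made concrete with a small detection script. The following is an added example, not code from Microsoft or from the report; it runs over a constructed sign-in log (not real telemetry) and compares a classic per-source-IP threshold rule, which sees nothing, with an aggregate rule that counts how many distinct accounts each received only a handful of failures from mostly distinct source IPs within a day. The thresholds, the log format and the function names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in events (not real telemetry). Format per line:
# ISO-8601 timestamp, account, source IP, result (FAIL or OK).
# Lines 1-12 model a low-and-slow spray: twelve accounts, one failure each,
# every attempt from a different address. bob is a legitimate user mistyping
# a password; alice and carol are ordinary sign-ins.
SAMPLE_LOG = """\
2024-10-30T01:02:11Z user01@example.test 203.0.113.11 FAIL
2024-10-30T01:47:53Z user02@example.test 203.0.113.42 FAIL
2024-10-30T02:31:09Z user03@example.test 198.51.100.7 FAIL
2024-10-30T03:12:44Z user04@example.test 203.0.113.90 FAIL
2024-10-30T04:58:20Z user05@example.test 198.51.100.133 FAIL
2024-10-30T06:05:37Z user06@example.test 203.0.113.5 FAIL
2024-10-30T07:40:12Z user07@example.test 198.51.100.201 FAIL
2024-10-30T08:22:48Z user08@example.test 203.0.113.177 FAIL
2024-10-30T09:11:30Z user09@example.test 198.51.100.64 FAIL
2024-10-30T10:03:59Z user10@example.test 203.0.113.23 FAIL
2024-10-30T11:27:41Z user11@example.test 198.51.100.19 FAIL
2024-10-30T12:36:18Z user12@example.test 203.0.113.150 FAIL
2024-10-30T08:00:01Z bob@example.test 192.0.2.10 FAIL
2024-10-30T08:00:15Z bob@example.test 192.0.2.10 FAIL
2024-10-30T08:00:30Z bob@example.test 192.0.2.10 FAIL
2024-10-30T08:00:52Z bob@example.test 192.0.2.10 OK
2024-10-30T09:15:00Z alice@example.test 192.0.2.11 OK
2024-10-31T10:00:00Z carol@example.test 192.0.2.12 FAIL
2024-10-31T10:00:20Z carol@example.test 192.0.2.12 OK
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "account": account, "ip": ip, "failed": result == "FAIL"})
    return events


def noisy_sources(events, threshold=5):
    """Classic rule: flag any (day, source IP) with at least `threshold` failures.
    A spray that uses each bot once per day never reaches this threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["failed"]:
            counts[(e["time"].date().isoformat(), e["ip"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def low_and_slow_spray(events, min_accounts=10, max_per_account=2, min_ip_ratio=0.8):
    """Aggregate rule: per day, count accounts that saw only a few failures and
    check whether those failures came from mostly distinct source IPs.
    Many quiet accounts + many distinct IPs is the spray signature."""
    ips_by_account = defaultdict(lambda: defaultdict(set))  # day -> account -> ips
    fail_count = defaultdict(int)                            # (day, account) -> failures
    for e in events:
        if e["failed"]:
            day = e["time"].date().isoformat()
            ips_by_account[day][e["account"]].add(e["ip"])
            fail_count[(day, e["account"])] += 1

    alerts = {}
    for day, accounts in ips_by_account.items():
        # Accounts with few failures; a user retyping a password several times is excluded.
        quiet = {a for a in accounts if fail_count[(day, a)] <= max_per_account}
        attempts = sum(fail_count[(day, a)] for a in quiet)
        ips = set().union(*(accounts[a] for a in quiet)) if quiet else set()
        if len(quiet) >= min_accounts and attempts and len(ips) / attempts >= min_ip_ratio:
            alerts[day] = {"accounts": len(quiet), "source_ips": len(ips), "attempts": attempts}
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP rule flagged:", noisy_sources(evs))       # {} -> nothing seen
    print("aggregate rule flagged:", low_and_slow_spray(evs))  # the 12-account day
```

The per-IP rule is blind here because no address fails more than three times, and the three failures belong to a real user. The aggregate rule keys on the organization-wide shape instead: twelve accounts with exactly one failure each, from twelve different addresses, in one day. In production the same idea extends to grouping by tenant, user agent or ASN, and the thresholds would be tuned against the organization's normal failed-sign-in baseline.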
Active since 2021, Storm-0940 uses compromised credentials for a range of malicious activities, including lateral movement within intranets, deploying proxy tools and remote access Trojans, and exfiltrating sensitive data. These tactics map to techniques in the MITRE ATT&CK framework, particularly initial access and credential dumping.
In response to these threats, Microsoft recommends that organizations strengthen their security posture by disabling legacy authentication methods and moving toward passwordless authentication. Companies are also advised to disable unused accounts to reduce the attack surface available to adversaries.
Understanding the evolving nature of cyber threats, especially those using methods such as password spraying, is paramount for business owners aiming to bolster their defenses against increasingly agile adversaries.