Microsoft Alerts on Chinese Botnet Exploiting Router Vulnerabilities for Credential Theft

Microsoft Uncovers Chinese Botnet Targeting Organizations with Evasive Password Spray Attacks

Microsoft has reported the activity of a Chinese threat actor known as Storm-0940, which is employing a sophisticated botnet identified as Quad7. This botnet has been linked to a series of highly evasive password spray attacks aimed at stealing login credentials from a range of Microsoft customers. Dubbed CovertNetwork-1658 by Microsoft, this botnet serves as a key component in the threat actor’s operations.

Since its emergence in 2021, Storm-0940 has utilized multiple methods to gain initial access to target organizations, including password spray, brute-force attacks, and exploiting vulnerabilities within network edge applications. The Microsoft Threat Intelligence team has indicated that this group specifically targets organizations across North America and Europe, including think tanks, government bodies, non-profits, law firms, and sectors critical to national defense.

Recent analyses by cybersecurity firms such as Sekoia and Team Cymru have shed light on the Quad7 botnet, which has been observed compromising various brands of small-office/home-office (SOHO) routers and VPN appliances. Devices from vendors including TP-Link, Zyxel, and NETGEAR are compromised by exploiting known security flaws that enable remote code execution. The botnet takes its name from its backdoor, which listens on TCP port 7777 to provide remote access.

Sekoia reports that Quad7’s primary function has been to execute brute-force attacks against Microsoft 365 accounts, with indications that the operators may have connections to state-sponsored activities. Microsoft has corroborated this assessment, revealing that the infrastructure used by the botnet appears to be based in China. As a result, multiple actors are leveraging this botnet to conduct targeted password spray attacks that facilitate follow-on computer network exploitation efforts, such as lateral movement and data exfiltration.

Storm-0940’s operations reflect a notable tactic: the actors infiltrate target organizations using valid credentials harvested from these password spray attempts. In some instances, they exploit the compromised credentials almost immediately after acquisition, suggesting a well-coordinated effort between the botnet operators and the threat actors.

CovertNetwork-1658 keeps each account's exposure minimal: it makes very few sign-in attempts per account, and around 80% of targeted accounts see only a single attempt per day. Although an estimated 8,000 compromised devices are active on the network at any one time, only about 20% are involved in these spray attacks. Microsoft warns that the recent decline in botnet activity may mean the threat actors are acquiring new infrastructure to evade detection.
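As an added illustration, not taken from Microsoft's or Sekoia's reporting, the following Python shows why a classic per-account lockout rule never fires on this pattern, and how aggregating failed sign-ins across accounts and source addresses per day surfaces it. The log format, account names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in log lines (not real telemetry): "<ISO timestamp> <account> <source IP> <result>".
# Twelve accounts each receive exactly one failed sign-in from a different source address on the
# same day, mirroring the one-attempt-per-account-per-day pattern; one user also mistypes a
# password three times from a single address before succeeding (ordinary noise).
SAMPLE_LOG = [
    f"2024-10-01T{h:02d}:17:00 user{h:02d}@example.org 198.51.100.{h + 1} fail"
    for h in range(12)
] + [
    "2024-10-01T09:00:00 bob@example.org 203.0.113.5 fail",
    "2024-10-01T09:00:20 bob@example.org 203.0.113.5 fail",
    "2024-10-01T09:00:40 bob@example.org 203.0.113.5 fail",
    "2024-10-01T09:01:05 bob@example.org 203.0.113.5 success",
]

def parse_line(line):
    ts, account, ip, result = line.split()
    return datetime.fromisoformat(ts), account, ip, result

def per_account_alerts(lines, max_failures=5):
    """Lockout-style rule: flag an account with more than max_failures failures in one day."""
    counts = defaultdict(int)
    for ts, account, _ip, result in map(parse_line, lines):
        if result == "fail":
            counts[(ts.date(), account)] += 1
    return sorted(account for (_, account), n in counts.items() if n > max_failures)

def low_and_slow_spray_alerts(lines, min_accounts=10, max_per_account=2, min_sources=5):
    """Spray signature: on one day, many accounts each fail only once or twice, and the
    failures arrive from many distinct source addresses (a botnet of SOHO routers).
    No single account ever approaches a lockout threshold, so only the aggregate tells."""
    days = defaultdict(lambda: {"fails": defaultdict(int), "ips": set()})
    for ts, account, ip, result in map(parse_line, lines):
        if result == "fail":
            days[ts.date()]["fails"][account] += 1
            days[ts.date()]["ips"].add(ip)
    findings = []
    for date, day in sorted(days.items()):
        low = [a for a, n in day["fails"].items() if n <= max_per_account]
        if len(low) >= min_accounts and len(day["ips"]) >= min_sources:
            findings.append({"date": date.isoformat(), "accounts": len(low),
                             "sources": len(day["ips"]),
                             "low_volume_share": round(len(low) / len(day["fails"]), 2)})
    return findings
```

Tuning note: the same aggregation can be keyed by source ASN or device fingerprint, since a router botnet hands out a fresh residential address per attempt.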

The integration of CovertNetwork-1658 into broader cyber-attack strategies raises significant concerns. The combination of scale and swift operational exchanges of compromised credentials among various Chinese threat actors increases the likelihood of successful breaches across numerous sectors and geographic locations.

In light of these developments, cybersecurity experts caution that the observed decline in botnet activity does not necessarily signify a diminished threat. Sekoia noted a continued presence of Quad7 on the network, indicating that operators may have adapted their tactics to remain undetected.

Understanding this incident through the lens of the MITRE ATT&CK framework provides insight into the potential adversary tactics at play. Methods likely utilized in these attacks encompass initial access techniques such as credential dumping and brute-force attacks, as well as subsequent persistence and lateral movement strategies.

As organizations continue to grapple with evolving cyber threats, awareness and adaptation to these tactics remain critical in safeguarding sensitive data and operational integrity.
