Microsoft: Chinese hackers use Quad7 botnet to steal credentials

October 31, 2024 at 04:10PM

Microsoft reports that Chinese threat actors are using the Quad7 botnet, built from hacked SOHO routers and other edge devices, to run password-spray attacks that steal credentials. The compromised devices run custom malware that gives the operators remote access, plus a SOCKS5 proxy that relays the attackers' traffic so sign-in attempts appear to come from the devices' own addresses rather than from attacker infrastructure. Once valid credentials are obtained, the actors break into the victim network and exfiltrate data.

### Key Takeaways

1. **Quad7 Botnet Overview**:
– Tracked by Microsoft as CovertNetwork-1658 and also called xlogin (after the login service its malware exposes on TP-Link devices), the Quad7 botnet comprises compromised SOHO routers and related devices.
– First documented by security researcher Gi7w0rm, it is currently operated by Chinese threat actors.

2. **Targeted Devices**:
– The botnet targets various networking devices including:
– TP-Link
– ASUS
– Ruckus wireless devices
– Axentra NAS devices
– Zyxel VPN appliances

3. **Method of Compromise**:
– The custom malware opens a Telnet-based backdoor for remote access; each device family gets its own build, recognizable by the name in its login banner and by the non-standard TCP port it listens on.
– Known backdoor ports and banner names per device type:
– TP-Link: TCP port 7777 (xlogin)
– ASUS: TCP port 63256 (alogin)
– Ruckus: TCP port 63210 (rlogin)
– Axentra: port not yet published (axlogin)
– Zyxel: TCP port 3256 (zylogin)
– A SOCKS5 proxy server is also installed so that the operators' traffic can be relayed through the device and blends in with traffic from its network.

4. **Credential Theft Operations**:
– Microsoft reports that the botnet is actively used for password spraying: a large number of accounts are tried at a very low rate, often a single sign-in attempt per account per day, which keeps the activity under account-lockout thresholds and below simple per-account failed-login alerts.
– Storm-0940, a Chinese threat actor, has been observed using credentials obtained from these sprays to breach the targeted networks shortly after the credentials were captured.

5. **Attack Strategy**:
– After gaining a foothold, the actors move laterally by dumping credentials and install remote access tools (RATs) and proxy tools to maintain persistence.
– The end goal appears to be data exfiltration, consistent with cyber espionage.

6. **Ongoing Investigation**:
– The initial access vector used to compromise the routers and other devices has not been conclusively established.
– Researchers have observed what appears to be exploitation of an OpenWRT zero-day in at least some intrusions, so vulnerability exploitation is the leading hypothesis.

7. **Recommendations**:
– Organizations should harden edge devices (apply firmware updates, disable Telnet and WAN-side remote management, replace end-of-life units, and check for unexpected listening ports such as those listed above) and defend against low-and-slow password spraying with MFA, sign-in risk policies, and detection that aggregates failed sign-ins per source and per account over days rather than relying on per-account lockout thresholds alone.
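To turn the backdoor port list above into a quick check, here is an added example (not code from the article, Microsoft, or the researchers) that connects to each reported Quad7 Telnet port and records whatever banner the service sends. The port table is taken from the article; Axentra is omitted because its port is not published. The local "fake router" listener and its `xlogin:` banner are constructed for demonstration so the script runs offline; a real backdoor's banner text is not something this example asserts.

```python
import socket
import socketserver
import threading

# Telnet backdoor ports reported for Quad7 (CovertNetwork-1658) in the
# article above. Axentra's port is not published, so it is left out rather
# than guessed.
QUAD7_TELNET_PORTS = {
    7777: "xlogin (TP-Link)",
    63256: "alogin (ASUS)",
    63210: "rlogin (Ruckus)",
    3256: "zylogin (Zyxel)",
}


def grab_banner(host, port, timeout=3.0, max_bytes=256):
    """Connect to host:port and return the first bytes the service sends.
    Returns b"" if the port is open but silent and None if it is closed,
    filtered, or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(max_bytes)
            except socket.timeout:
                return b""  # open but no greeting: still worth a look
    except OSError:  # refused, timed out, unreachable, ...
        return None


def probe_quad7_ports(host, ports=QUAD7_TELNET_PORTS, timeout=3.0):
    """Return {port: banner} for every port that accepted a connection."""
    findings = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            findings[port] = banner
    return findings


class _BannerHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # Greet the client with the configured banner, like a Telnet login.
        self.request.sendall(self.server.banner)


def start_fake_banner_listener(banner=b"xlogin: ", host="127.0.0.1"):
    """Constructed stand-in for a compromised device: a local listener on an
    ephemeral port that sends a login banner. Returns (server, port)."""
    srv = socketserver.ThreadingTCPServer((host, 0), _BannerHandler)
    srv.daemon_threads = True
    srv.banner = banner  # attribute read by _BannerHandler
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_banner_listener()
    try:
        # Probe the fake device on its ephemeral port plus the known Quad7
        # ports; on a clean host only the fake listener answers.
        ports = {port: "constructed test listener", **QUAD7_TELNET_PORTS}
        for p, banner in probe_quad7_ports("127.0.0.1", ports, 1.0).items():
            print(f"{p}/tcp open ({ports[p]}): {banner!r}")
    finally:
        srv.shutdown()
        srv.server_close()
```

Point `probe_quad7_ports` at the WAN and LAN addresses of your own edge devices; any of these ports answering, with or without a banner, warrants pulling the device for inspection rather than only a reboot, since the article notes the malware is installed for persistence.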
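The spraying pattern described above (many accounts, about one attempt per account per day) defeats per-account lockout and per-account alerting by design, so detection has to aggregate the other way. The following is an added example, not code from the article or from Microsoft, showing two such aggregations over constructed sample sign-in lines: a per-source view that flags a source touching many distinct accounts while never exceeding one attempt per account per day, and a tenant-wide view that counts accounts with exactly one failed sign-in per day regardless of source, which is the view that still moves when the spray is spread across thousands of botnet addresses. The log line format, the thresholds, the RFC 5737 addresses and the account names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (documentation-range IPs, fictitious users).
# The "ts src= user= result=" layout is an assumption for this example, not a
# real product's export format. 203.0.113.10 sprays six accounts at one
# attempt per account per day; 198.51.100.7 is one user retyping a password.
SAMPLE_LOG = """\
2024-10-28T02:11:05Z src=203.0.113.10 user=alice@example.com result=failure
2024-10-28T02:14:40Z src=203.0.113.10 user=bob@example.com result=failure
2024-10-28T02:19:12Z src=203.0.113.10 user=carol@example.com result=failure
2024-10-28T02:25:51Z src=203.0.113.10 user=dave@example.com result=failure
2024-10-28T02:31:07Z src=203.0.113.10 user=erin@example.com result=failure
2024-10-29T02:12:33Z src=203.0.113.10 user=alice@example.com result=failure
2024-10-29T02:16:02Z src=203.0.113.10 user=frank@example.com result=success
2024-10-28T09:00:01Z src=198.51.100.7 user=alice@example.com result=failure
2024-10-28T09:00:09Z src=198.51.100.7 user=alice@example.com result=failure
2024-10-28T09:00:15Z src=198.51.100.7 user=alice@example.com result=success
2024-10-28T13:45:00Z src=192.0.2.44 user=bob@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts with a datetime 'ts'; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_low_and_slow_spray(events, min_accounts=5, max_per_account_per_day=1):
    """Per-source view: flag sources that touch at least `min_accounts`
    distinct accounts while never exceeding `max_per_account_per_day`
    attempts on any single account in a day. A user who mistypes their own
    password hits one account repeatedly and is not flagged."""
    attempts = defaultdict(lambda: defaultdict(int))  # src -> (user, day) -> n
    successes = defaultdict(set)                       # src -> users that got in
    for ev in events:
        attempts[ev["src"]][(ev["user"], ev["ts"].date())] += 1
        if ev["result"] == "success":
            successes[ev["src"]].add(ev["user"])
    findings = {}
    for src, per_pair in attempts.items():
        accounts = {user for user, _ in per_pair}
        if len(accounts) < min_accounts:
            continue
        if max(per_pair.values()) > max_per_account_per_day:
            continue
        findings[src] = {
            "accounts": len(accounts),
            "attempts": sum(per_pair.values()),
            "succeeded": sorted(successes[src]),  # spray that turned into access
        }
    return findings


def single_failure_accounts_per_day(events):
    """Tenant-wide view, independent of source address: for each day, how
    many accounts saw exactly one failed sign-in. A spray spread over a large
    botnet stays under any per-source threshold, but this count still rises
    sharply against its baseline."""
    failures = defaultdict(lambda: defaultdict(int))  # day -> user -> n
    for ev in events:
        if ev["result"] == "failure":
            failures[ev["ts"].date()][ev["user"]] += 1
    return {day: sum(1 for n in per_user.values() if n == 1)
            for day, per_user in failures.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, info in detect_low_and_slow_spray(evs).items():
        print(f"spray source {src}: {info}")
    for day, n in sorted(single_failure_accounts_per_day(evs).items()):
        print(f"{day}: {n} accounts with exactly one failed sign-in")
```

The `succeeded` field is the part worth paging someone for: a source that has been spraying and then logs in successfully matches the article's description of credentials being used for a breach shortly after they are captured. In production, replace the sample text with your identity provider's sign-in export and establish a baseline for the per-day count before alerting on it.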
