Microsoft Warns of Chinese Botnet Exploiting Router Flaws for Credential Theft

November 1, 2024 at 06:27AM

Microsoft has identified a Chinese threat actor, Storm-0940, using a botnet named Quad7 (CovertNetwork-1658) to conduct sophisticated password spray attacks targeting organizations in North America and Europe. This botnet exploits security flaws in routers to gain access, facilitating credential theft and further cyber exploitation.

### Meeting Takeaways – November 01, 2024

1. **Chinese Threat Actor Identification**: Microsoft has identified a Chinese threat actor named **Storm-0940** utilizing the botnet **Quad7** (also referred to as **CovertNetwork-1658**) to conduct password spray attacks aimed at stealing credentials from Microsoft customers.

2. **Attack Methods**:
– Storm-0940 has been active since at least 2021, gaining access through password spray, brute-force attacks, and exploitation of network services.
– Targeted organizations include think tanks, government bodies, NGOs, law firms, and defense sectors, primarily in **North America and Europe**.

3. **Details on Botnet Quad7**:
– Quad7 compromises various brands of **SOHO routers and VPN appliances** (e.g., TP-Link, Zyxel, Asus, D-Link) by exploiting security vulnerabilities for remote access.
– The botnet is particularly focused on conducting brute-force attempts against **Microsoft 365 accounts**.

4. **Operational Insights**:
– Sign-in attempts are kept to a minimum, often just one attempt per account per day, a low-profile pattern intended to stay below detection thresholds.
– Approximately **8,000 compromised devices** are active at any time, with only about **20%** of them engaged in password spraying.

5. **Infrastructure Evolution**:
– Following public disclosures about the botnet, there has been a notable decline in its activity, indicating that threat actors may be adapting by acquiring new infrastructure to evade detection.

6. **Potential Risks**:
– If threat actors leverage CovertNetwork-1658 effectively, they could execute widespread password spraying campaigns, increasing the chances of credential compromises and unauthorized access across various sectors and regions.

7. **Collaboration Between Actors**: The operational efficiency implies collaboration between CovertNetwork-1658 operators and Storm-0940, allowing for rapid exploitation of valid credentials.
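
The one-attempt-per-account-per-day pattern described under Operational Insights is what a detector has to catch: many distinct accounts failing from one source, each touched only once, which per-account lockout rules never see. The following is an added example (not code from the article or from Microsoft) that flags that pattern over a constructed sign-in log; the log format, IP addresses and account names are assumptions.

```python
"""Low-and-slow password-spray detection over sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (not real data): timestamp, source IP, account, outcome.
# 203.0.113.7 touches five accounts once each (spray); 198.51.100.4 hammers one
# account (brute force); 192.0.2.88 is a normal successful login.
SAMPLE_LOG = """\
2024-10-30T01:02:11Z 203.0.113.7 alice@example.org FAILURE
2024-10-30T01:09:45Z 203.0.113.7 bob@example.org FAILURE
2024-10-30T02:15:03Z 203.0.113.7 carol@example.org FAILURE
2024-10-30T03:40:19Z 203.0.113.7 dave@example.org FAILURE
2024-10-30T04:12:50Z 203.0.113.7 erin@example.org FAILURE
2024-10-30T08:00:00Z 198.51.100.4 alice@example.org FAILURE
2024-10-30T08:00:05Z 198.51.100.4 alice@example.org FAILURE
2024-10-30T08:00:09Z 198.51.100.4 alice@example.org SUCCESS
2024-10-31T09:30:00Z 192.0.2.88 frank@example.org SUCCESS
"""


def parse_log(text):
    """Parse whitespace-separated records into (day, ip, account, outcome) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, account, outcome = line.split()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        records.append((day, ip, account.lower(), outcome))
    return records


def detect_low_and_slow_spray(records, min_accounts=5, max_per_account=1):
    """Return {(ip, day): [accounts]} for sources that fail sign-in against at
    least min_accounts distinct accounts on one day while trying each of those
    accounts no more than max_per_account times. Brute force against a single
    account (many tries, one account) and successful logins are not matched."""
    failures = defaultdict(lambda: defaultdict(int))  # (ip, day) -> account -> fails
    for day, ip, account, outcome in records:
        if outcome == "FAILURE":
            failures[(ip, day)][account] += 1
    hits = {}
    for key, per_account in failures.items():
        sprayed = sorted(a for a, n in per_account.items() if n <= max_per_account)
        if len(sprayed) >= min_accounts:
            hits[key] = sprayed
    return hits


if __name__ == "__main__":
    for (ip, day), accounts in detect_low_and_slow_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{day} {ip}: spray across {len(accounts)} accounts -> {accounts}")
```

Because the botnet spreads attempts over thousands of router IPs, a production version would additionally aggregate across all sources, counting accounts with exactly one failure per day against the tenant's normal baseline, rather than keying on a single IP.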

### Follow-Up Actions:
– Stay informed on updates regarding Storm-0940 and CovertNetwork-1658 through official channels like Twitter and LinkedIn for ongoing insights and strategies to mitigate risks associated with these threats.
