Hacked Routers Used in Yearslong Account Takeovers

Hackers Use Botnet of Thousands of Devices to Perform Evasive Password Spray Attacks

Hackers working on behalf of the Chinese government are using a botnet of thousands of routers, cameras, and other Internet-connected devices to perform highly evasive password spray attacks against users of Microsoft’s Azure cloud service, the company warned Thursday.

Botnet-7777: A Geographically Dispersed Collection of Compromised Devices

The malicious network, made up almost entirely of TP-Link routers, was first documented in October 2023 by a researcher who named it Botnet-7777. The geographically dispersed collection of more than 16,000 compromised devices at its peak got its name because it exposes its malware on port 7777.

Account Compromise at Scale

In July and again in August of this year, security researchers from Sekoia.io and Team Cymru reported the botnet was still operational. All three reports said that Botnet-7777 was being used to skillfully perform password spraying, a form of attack that sends large numbers of login attempts from many different IP addresses. Because each individual device sends only a small number of login attempts, the carefully coordinated account-takeover campaign is hard for the targeted service to detect.

Microsoft Reports CovertNetwork-1658: A Highly Evasive Botnet

On Thursday, Microsoft reported that CovertNetwork-1658—the name Microsoft uses to track the botnet—is being used by multiple Chinese threat actors in an attempt to compromise targeted Azure accounts. The company said the attacks are “highly evasive” because the botnet—now estimated at about 8,000 strong on average—takes pains to conceal the malicious activity.

Characteristics That Make Detection Difficult

  • The use of compromised SOHO IP addresses.
  • The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
  • The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity.
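The three characteristics above explain why the usual per-IP and per-account failure thresholds stay silent: every node makes only a few attempts, and the attempts against any one account are spread across many nodes. The detection logic below is an added example written for this article, not code from the original page or from Microsoft; it assumes a simple "timestamp,source_ip,account,result" sign-in log format and uses constructed sample records with TEST-NET addresses. It runs the classic per-IP and per-account rules over the sample (they flag only a single user mistyping a password) and then a fan-out rule that aggregates the low-volume failures in a time window by distinct source IPs and distinct target accounts, which is the shape of activity the article describes.

```python
"""Fan-out detection for low-volume password spraying from many rotating IPs.

Added example for illustration; the log format, field names and thresholds
are assumptions, not the article's or Microsoft's own tooling.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def _spray_lines():
    """Constructed spray: 40 distinct source IPs, one failed attempt each,
    spread over 20 accounts (two attempts per account) within ten minutes."""
    lines = []
    base = datetime(2024, 10, 31, 12, 0, 0, tzinfo=timezone.utc)
    for i in range(40):
        ts = base + timedelta(seconds=15 * i)
        ip = f"203.0.113.{i + 1}"                 # TEST-NET-3, constructed
        account = f"user{i % 20:02d}@example.com"  # constructed account names
        lines.append(f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')},{ip},{account},failure")
    return lines


# Constructed benign noise: one user mistyping a password six times from one IP.
NOISE_LINES = [
    f"2024-10-31T12:03:{s:02d}Z,198.51.100.7,carol@example.com,failure"
    for s in (5, 12, 20, 31, 44, 58)
] + ["2024-10-31T12:04:10Z,198.51.100.7,carol@example.com,success"]

SAMPLE_LOG = "\n".join(_spray_lines() + NOISE_LINES)


def parse_log(text):
    """Parse the assumed 'timestamp,source_ip,account,result' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip, "account": account, "result": result,
        })
    return events


def per_ip_failure_alerts(events, threshold=5):
    """Classic rule: an IP with >= threshold failed sign-ins. Misses a one-attempt-per-IP spray."""
    counts = Counter(e["ip"] for e in events if e["result"] == "failure")
    return {ip for ip, n in counts.items() if n >= threshold}


def per_account_failure_alerts(events, threshold=5):
    """Classic rule: an account with >= threshold failed sign-ins. Misses two-attempts-per-account."""
    counts = Counter(e["account"] for e in events if e["result"] == "failure")
    return {a for a, n in counts.items() if n >= threshold}


def detect_low_volume_spray(events, window=timedelta(minutes=15), max_per_ip=3,
                            min_failures=25, min_distinct_ips=20, min_distinct_accounts=10):
    """Tumbling-window rule keyed on fan-out rather than on any single IP or account.

    Within each window, keep only failures from IPs that stayed at or under
    max_per_ip (exactly the traffic the per-IP rule ignores), then alert when
    those low-volume failures come from many distinct IPs and hit many distinct
    accounts. Thresholds are illustrative and must be tuned per tenant.
    """
    secs = window.total_seconds()
    buckets = defaultdict(list)
    for e in events:
        if e["result"] != "failure":
            continue
        start = datetime.fromtimestamp((e["ts"].timestamp() // secs) * secs, tz=timezone.utc)
        buckets[start].append(e)

    alerts = []
    for start, fails in sorted(buckets.items()):
        per_ip = Counter(f["ip"] for f in fails)
        low_volume = [f for f in fails if per_ip[f["ip"]] <= max_per_ip]
        ips = {f["ip"] for f in low_volume}
        accounts = {f["account"] for f in low_volume}
        if (len(low_volume) >= min_failures and len(ips) >= min_distinct_ips
                and len(accounts) >= min_distinct_accounts):
            alerts.append({
                "window_start": start,
                "failures": len(low_volume),
                "distinct_ips": len(ips),
                "distinct_accounts": len(accounts),
                "mean_attempts_per_ip": round(len(low_volume) / len(ips), 2),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP rule flags:", per_ip_failure_alerts(evs))
    print("per-account rule flags:", per_account_failure_alerts(evs))
    for a in detect_low_volume_spray(evs):
        print("spray window:", a)
```

On the constructed sample the per-IP and per-account rules each flag only the noisy user, while the fan-out rule reports one window with 40 low-volume failures from 40 distinct IPs against 20 accounts, a mean of one attempt per IP. In a real deployment the same aggregation would be run over the identity provider's sign-in logs, and the window length and thresholds set against a baseline of normal failed-login fan-out for the tenant.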

Conclusion

The botnet, CovertNetwork-1658, is a highly evasive and sophisticated tool used by Chinese threat actors to compromise targeted Azure accounts. The use of compromised SOHO IP addresses, rotating IP addresses, and a low-volume password spray process makes it difficult to detect. It is essential for organizations to be aware of this threat and take necessary measures to protect their accounts and data.

FAQs

Q: What is CovertNetwork-1658?
A: CovertNetwork-1658 is a botnet used by multiple Chinese threat actors to compromise targeted Azure accounts.

Q: What is Botnet-7777?
A: Botnet-7777 is the original name given to the botnet by a researcher who first documented it in October 2023.

Q: How many compromised devices are part of the botnet?
A: At its peak, the botnet had more than 16,000 compromised devices, but it is now estimated to be around 8,000 strong on average.

Q: What is password spraying?
A: Password spraying is a form of attack that sends large numbers of login attempts from many different IP addresses to compromise accounts.

Q: How can organizations protect themselves from this threat?
A: Organizations can protect themselves by being aware of this threat, monitoring their accounts and data closely, and taking necessary measures to secure their Azure accounts.
