Hackers working on behalf of the Chinese government are using a botnet of thousands of routers, cameras and other Internet-connected devices to launch highly evasive password spray attacks on users of Microsoft's Azure cloud service, the company warned Thursday.
The malicious network, which consists almost entirely of TP-Link routers, was first documented in October 2023 by a researcher who dubbed it Botnet-7777. The geographically dispersed collection of over 16,000 compromised devices at its peak gets its name from the fact that the malicious malware is exposed on port 7777.
Account compromise on a massive scale
In July and again in August this year, security researchers from Serbia and Team Cymru reported that the botnet was still operational. All three reports said Botnet-7777 was used to skillfully perform password spraying, a form of attack that sends large numbers of login attempts from many different IP addresses. Because each individual device limits login attempts, the carefully coordinated account takeover campaign is difficult to detect by the targeted service.
On Thursday, Microsoft reported that CovertNetwork-1658 – the name Microsoft is using to track the botnet – is being used by multiple Chinese threat actors in an attempt to compromise targeted Azure accounts. The company said the attacks are “highly evasive” as the botnet – now estimated to average around 8,000 strong – takes pains to conceal the malicious activity.
“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns on a larger scale and significantly increase the likelihood of successful credentials and initial access to multiple organizations in a short period of time,” Microsoft officials wrote. “This scale, combined with rapid operational exchange of compromised credentials between CovertNetwork-1658 and Chinese threat actors, creates the potential for account compromises across multiple industries and geographic regions.
Some features that make detection difficult are:
- The use of compromised SOHO IP addresses
- The use of a varying set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
- The low volume password spraying process; For example, monitoring multiple failed login attempts from one IP address or one account will not detect this activity.
