A major Chinese botnet called Quad7 is being used to mount password spray attacks against Western organizations, Microsoft researchers have warned.
In a new report, the company's researchers say the group behind the attacks, tracked as Storm-0940, then uses the guessed passwords to establish persistence, steal further credentials, and ultimately carry out more disruptive cyberattacks.
The end goal of the campaign is most likely espionage, Microsoft believes, as targets include think tanks, government organizations, non-governmental organizations, law firms, defense industrial base companies, and more.
Targeting SOHO routers
“In particular, Microsoft has observed the Chinese threat actor Storm-0940 using credentials from CovertNetwork-1658,” the report states, adding that the group was being extra careful not to get spotted.
“In these campaigns, CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization,” the report continues. “In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day.”
Still, as soon as a password is guessed correctly, Storm-0940 moves in to further compromise the target. In fact, Microsoft said that on some occasions the intrusion followed on the same day the password was guessed. Storm-0940's first moves were to dump credentials and to install RATs and proxies for persistence.
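The low-and-slow pattern quoted above (one attempt per account per day, spread over many accounts and many source addresses) is exactly the pattern that lockout-based alerting never sees. The following detection sketch is an added example written for this page, not code from Microsoft, TechRadar, or the Quad7 research; it runs over a constructed sign-in log and flags two complementary signals: a single source fanning out across many accounts with at most one attempt each, and many sources that each appear only once with a single failed sign-in (the shape of a spray distributed across a botnet of SOHO routers). The IP addresses, account names and thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in events for one day: "timestamp,source_ip,account,result".
# Illustrative values only; not data from the Microsoft report. Sources:
#   203.0.113.10   - one node trying many accounts once each; one attempt succeeds
#   198.51.100.2x  - several nodes used for a single failed attempt each (distributed spray)
#   192.0.2.7      - a user who mistypes a password twice and then signs in
#   192.0.2.9      - a single successful sign-in, ordinary activity
SAMPLE_LOG = """\
2024-10-30T08:01:12Z,203.0.113.10,alice,failure
2024-10-30T08:03:40Z,203.0.113.10,bob,failure
2024-10-30T08:07:05Z,203.0.113.10,carol,failure
2024-10-30T08:11:51Z,203.0.113.10,dave,failure
2024-10-30T08:15:22Z,203.0.113.10,erin,failure
2024-10-30T08:19:09Z,203.0.113.10,frank,failure
2024-10-30T08:24:47Z,203.0.113.10,gina,success
2024-10-30T09:02:30Z,198.51.100.21,hank,failure
2024-10-30T09:40:18Z,198.51.100.22,ivan,failure
2024-10-30T10:12:03Z,198.51.100.23,judy,failure
2024-10-30T11:55:44Z,198.51.100.24,kate,failure
2024-10-30T09:05:00Z,192.0.2.7,bob,failure
2024-10-30T09:05:20Z,192.0.2.7,bob,failure
2024-10-30T09:05:41Z,192.0.2.7,bob,success
2024-10-30T09:30:00Z,192.0.2.9,alice,success
"""


def parse_events(text):
    """Parse CSV-style sign-in lines into (timestamp, source, account, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, account, result = line.split(",")
        events.append((ts, src, account, result))
    return events


def find_low_and_slow_spray(events, min_accounts=5, max_attempts_per_account=1):
    """Per-source view: flag sources that touch many distinct accounts but make
    no more than `max_attempts_per_account` attempts against any one of them.
    A lockout rule never fires on this pattern; the fan-out across accounts does.
    Returns {source: {distinct_accounts, max_attempts_per_account, successes}}."""
    attempts = defaultdict(lambda: defaultdict(int))  # src -> account -> count
    successes = defaultdict(set)                      # src -> accounts signed in
    for _ts, src, account, result in events:
        attempts[src][account] += 1
        if result == "success":
            successes[src].add(account)
    findings = {}
    for src, per_account in attempts.items():
        distinct = len(per_account)
        peak = max(per_account.values())
        if distinct >= min_accounts and peak <= max_attempts_per_account:
            findings[src] = {
                "distinct_accounts": distinct,
                "max_attempts_per_account": peak,
                # a success from a spraying source is the "hit" to triage first
                "successes": sorted(successes[src]),
            }
    return findings


def one_shot_failures(events):
    """Org-wide view: sources whose only activity in the window is one failed
    sign-in. Each looks harmless alone; many of them in one window is the
    signature of a spray distributed across a botnet of residential/SOHO addresses.
    Returns {account: [sources]}."""
    per_source = defaultdict(list)
    for _ts, src, account, result in events:
        per_source[src].append((account, result))
    hits = defaultdict(list)
    for src, evs in per_source.items():
        if len(evs) == 1 and evs[0][1] == "failure":
            hits[evs[0][0]].append(src)
    return {account: sorted(srcs) for account, srcs in hits.items()}


def triage(text):
    """Run both views per calendar day (the report's 'per account per day' unit)."""
    by_day = defaultdict(list)
    for ev in parse_events(text):
        by_day[ev[0][:10]].append(ev)
    report = {}
    for day, evs in sorted(by_day.items()):
        report[day] = {
            "spraying_sources": find_low_and_slow_spray(evs),
            "one_shot_failures": one_shot_failures(evs),
        }
    return report


if __name__ == "__main__":
    for day, r in triage(SAMPLE_LOG).items():
        print(day)
        for src, info in r["spraying_sources"].items():
            print(f"  spray source {src}: {info}")
        n = sum(len(v) for v in r["one_shot_failures"].values())
        print(f"  one-shot failed sign-ins from {n} distinct sources: {r['one_shot_failures']}")
```

On the constructed log, the per-source rule flags 203.0.113.10 (seven accounts, one attempt each, a success on `gina`) while ignoring the legitimate user at 192.0.2.7, whose three attempts all target one account; the org-wide rule surfaces the four one-shot sources that the per-source rule alone would miss. In production the `successes` list from a flagged source is the item to act on first, since the report describes the operator moving in on the same day a password is guessed.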
Quad7 is a fairly well-known botnet. In late September 2024, we reported on the botnet adding new features and expanding its attack surface. It was first spotted by a researcher using the alias Gi7w0rm, and by experts from Sekoia, when it was only observed targeting TP-Link routers. However, during the following weeks, Quad7 (which was named so for targeting port…
Read full post on Tech Radar