Microsoft Discovers Chinese Botnets Launching Mass Password Spray Attacks
- Microsoft recently reported that a Chinese botnet called Quad7, operated by the threat group Storm-0940 has been attacking major organizations with password-spraying attacks.
- Popular victims include government agencies, NGOs, law firms, think tanks, etc.
- As per estimates, more than 8,000 compromised devices are active in the network at any given moment.
Microsoft recently discovered a series of password spray attacks orchestrated by a Chinese botnet. This botnet has been identified as Quad7, which is using another sub-group known as CovertNetwork-1658 to launch the attacks. As for the botnet itself, it is believed to be controlled by a threat group called Storm-0940.
Note: A botnet is a group of interconnected devices that are infected with malware and controlled by one single authority. They are usually used to infiltrate other devices.
The main purpose of the attack is to try and break into the victim's account with the help of password spraying - a technique in which a threat actor uses a single password to break into multiple accounts.
Since the botnet is keeping the number of login attempts under the maximum limit, it has managed to evade detection so far. In fact, Microsoft revealed that in 80% of the cases, it managed to compromise the target account in a single login attempt.
Once an account is successfully compromised, the next stage of the attack is launched which includes extracting additional credential details and launching remote tools and commands to maintain control over the device.
Speaking of the victims, the attacks are mostly targeted at high-level organizations such as NGOs, think tanks, government bodies, defense companies, and law firms.
The total number of victims is unknown as of now. However, as per estimates, approximately 8,000 compromised devices are there in the network at any given moment. However, only 20% of these have been compromised by password spraying.
About the Group & BotnetsNeither of them is a new threat. Storm-0940 has been active since 2021 and has been known to target its victims with password spraying or brute force attacks. Its victims include both government and non-government entities. As long as an organization has confidential data that can cause mass disruption if leaked, it's a potential target for the group.
The botnet Quad7 was more recently discovered. In September this year, a researcher called Gi7w0rm and experts from Sekoia found that it targets TP-lInk routers.
But then it expanded its range and started attacking ASUS routers, Ruckus wireless routers, Axentra media servers, and Zyxel VPN endpoints.
The worst part is that in many of the cases, the attackers are not directly targeting company servers or devices. Instead, they are targeting employee devices because they usually have fewer safety guardrails and are easier to exploit.
All it takes is access to a single, top-level executive's device to bring an entire organization to its knees.
So what we need right now is robust security measures at every level of an organization and to secure every endpoint so that these threat actors cannot find a way to break in. We also need better monitoring so that such activity is detected as soon as possible.
The post Microsoft Discovers Chinese Botnets Launching Mass Password Spray Attacks appeared first on Techreport.