Microsoft has identified a Chinese threat actor, designated Storm-0940, that is employing a botnet known as Quad7 to execute sophisticated and evasive password spray attacks aimed at stealing credentials from multiple Microsoft customers. The company refers to this botnet as CovertNetwork-1658, highlighting its role in these malicious operations.
Active since at least 2021, Storm-0940 gains initial access through password spray and brute-force tactics or by exploiting vulnerabilities in network edge applications and services. Microsoft’s Threat Intelligence team reports that this actor primarily targets organizations across North America and Europe, including think tanks, governmental agencies, NGOs, law firms, and entities within the defense industrial base.
Quad7 Botnet Overview
Quad7, also known as 7777 or xlogin, has been the focus of recent investigations by cybersecurity firms Sekoia and Team Cymru. This botnet is known for compromising various brands of SOHO routers and VPN appliances—specifically targeting devices from manufacturers such as TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR. By exploiting known vulnerabilities and some yet-to-be-determined security flaws, Quad7 gains remote code execution capabilities, effectively turning these devices into part of its network. The botnet derives its name from the backdoor that operates on TCP port 7777, allowing for remote access.
Sekoia reported that Quad7 is predominantly utilized for brute-force attacks against Microsoft 365 accounts, indicating that its operators are likely associated with Chinese state-sponsored activities. Microsoft concurs, asserting that the botnet's maintainers are based in China, with multiple threat actors leveraging its capabilities for password spray attacks aimed at facilitating computer network exploitation (CNE) activities. These activities include lateral movement within networks, deploying remote access trojans, and attempting data exfiltration.
Operational Tactics and Impact
Storm-0940 has been known to infiltrate organizations using valid credentials acquired through password spray attacks, often on the same day those credentials were obtained. This swift operational hand-off suggests close collaboration between the botnet operators and Storm-0940. Microsoft adds that CovertNetwork-1658 keeps its volume deliberately low: for about 80% of targeted accounts, it makes only one sign-in attempt per account per day.
The botnet is estimated to control up to 8,000 compromised devices at any given time, though only about 20% of these are actively participating in password spraying activities. Following public disclosures regarding its infrastructure, Microsoft observed a significant decline in botnet activity, which may indicate that the threat actors are seeking new infrastructure with altered characteristics to escape detection.
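The one-attempt-per-account-per-day pattern above, spread across thousands of router IPs, is exactly what per-source-IP lockout and brute-force rules miss. The following is an added example (not from the Microsoft report or this article) of a per-day detection keyed on the account population instead, run against a constructed sign-in log; the account names, TEST-NET addresses and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

class SignIn(NamedTuple):
    ts: datetime      # time of the attempt
    user: str         # target account
    src_ip: str       # source address (one compromised router per attempt)
    ok: bool          # True for a successful sign-in

def per_ip_failures(events, threshold=10):
    """Conventional brute-force rule: flag any source IP with many failed sign-ins.
    A botnet that rotates through thousands of routers never trips this."""
    fails = Counter(e.src_ip for e in events if not e.ok)
    return {ip for ip, n in fails.items() if n >= threshold}

def detect_low_and_slow(events, min_users=20, max_per_user=1, quiet_share=0.9, ip_ratio=0.5):
    """Per-day spray rule keyed on the account population rather than the source.
    Flags a day when many distinct accounts fail, almost all with at most
    max_per_user failures, and the failures come from nearly as many IPs as attempts."""
    by_day = defaultdict(list)
    for e in events:
        if not e.ok:
            by_day[e.ts.date()].append(e)
    hits = []
    for day, fails in sorted(by_day.items()):
        per_user = Counter(e.user for e in fails)
        quiet = sum(1 for n in per_user.values() if n <= max_per_user)
        ips = {e.src_ip for e in fails}
        if (len(per_user) >= min_users
                and quiet / len(per_user) >= quiet_share
                and len(ips) / len(fails) >= ip_ratio):
            hits.append((day, len(per_user), len(ips)))
    return hits

def build_sample():
    """Constructed one-day log (not real telemetry): 30 accounts each receive a single
    failed attempt from a different TEST-NET address, plus benign user noise."""
    day = datetime(2024, 10, 31)
    events = [SignIn(day + timedelta(minutes=17 * i), f"user{i:02d}@example.test",
                     f"203.0.113.{i + 1}", False) for i in range(30)]
    # One employee mistypes a password three times from one address, then succeeds.
    for k in range(3):
        events.append(SignIn(day + timedelta(hours=9, minutes=k), "alice@example.test",
                             "198.51.100.7", False))
    events.append(SignIn(day + timedelta(hours=9, minutes=4), "alice@example.test",
                         "198.51.100.7", True))
    return events
```

On the constructed log the per-IP rule flags nothing, while the per-day rule reports one flagged day with 31 distinct failing accounts across 31 source addresses.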
The potential for large-scale password spraying campaigns utilizing CovertNetwork-1658's infrastructure raises serious concerns. As Microsoft points out, any actor leveraging this botnet could significantly enhance the chances of successful credential compromise and gain initial access to a wide range of organizations quickly. This capability, coupled with the rapid turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, poses a substantial risk across multiple sectors and geographic regions.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067