Microsoft warns that Chinese threat actors steal credentials in password-spray attacks by using the Quad7 (7777) botnet, which is made up of hijacked SOHO routers.
Quad7 is a botnet that consists of compromised SOHO routers. Cybersecurity specialists reported that the threat actors behind the campaign are targeting TP-Link and ASUS routers, Ruckus wireless devices, Axentra NAS devices, and Zyxel VPN appliances.
Threat actors use specially designed malware to get remote access to the compromised devices via Telnet, displaying customized welcome banners tailored to the infected device:
- xlogin – Telnet bound to TCP port 7777 on TP-Link routers;
- alogin – Telnet bound to TCP port 63256 on ASUS routers;
- rlogin – Telnet bound to TCP port 63210 on Ruckus wireless devices;
- axlogin – Telnet banner on Axentra NAS devices (port unknown as not seen in the wild);
- zylogin – Telnet bound to TCP port 3256 on Zyxel VPN appliances.
The botnet has not been officially attributed to a particular threat actor, but cybersecurity experts from Team Cymru tracked the proxy software used on these routers to a user living in Hangzhou, China.
Details About the Activity
Microsoft revealed in a new report that the Quad7 botnet is thought to be based in China, and that several Chinese threat actors are using the hacked routers to launch password spray attacks to acquire credentials.
The tech giant observed suspicious activity that targeted, and in several cases successfully stole, credentials from multiple Microsoft customers. The technique relies on highly evasive password spray attacks.
Microsoft linked the source of the attacks to a network of compromised devices they track as CovertNetwork-1658.
According to Microsoft, several Chinese threat actors exploit credentials obtained from CovertNetwork-1658 password spray operations. Microsoft has specifically seen the Chinese threat actor Storm-0940 utilizing CovertNetwork-1658 credentials.
Post-Compromise Activity
In certain cases, the threat actor takes the following actions to get ready for password spray operations after successfully breaking into a vulnerable router:
- Download a Telnet binary from a remote File Transfer Protocol (FTP) server;
- Download the xlogin backdoor binary from a remote FTP server;
- Use the downloaded Telnet and xlogin binaries to start an access-controlled command shell on TCP port 7777;
- Connect and authenticate to the xlogin backdoor listening on TCP port 7777;
- Download a SOCKS5 server binary to the router;
- Start the SOCKS5 server on TCP port 11288.
According to Microsoft, the threat actors are not aggressive when executing password spray attacks: they attempt only a small number of logins per account, most likely to avoid triggering lockouts or alerts.
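The low-volume pattern described above is exactly what per-account lockout thresholds miss, so detection has to pivot on the source rather than the account. The following Python sketch is an added illustration (not code from Microsoft's report or from this article) that flags a source which fails against many distinct accounts with only one or two attempts each and then records a success; the sign-in events, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample sign-in events: (source_ip, account, result).
# 203.0.113.10 fans out one failure each across five accounts, then succeeds.
# 198.51.100.7 hammers a single account (brute force, not a spray).
EVENTS = [
    ("203.0.113.10", "alice@example.com", "fail"),
    ("203.0.113.10", "bob@example.com", "fail"),
    ("203.0.113.10", "carol@example.com", "fail"),
    ("203.0.113.10", "dave@example.com", "fail"),
    ("203.0.113.10", "erin@example.com", "fail"),
    ("203.0.113.10", "frank@example.com", "success"),
    ("198.51.100.7", "alice@example.com", "fail"),
    ("198.51.100.7", "alice@example.com", "fail"),
    ("198.51.100.7", "alice@example.com", "fail"),
    ("198.51.100.7", "alice@example.com", "fail"),
    ("198.51.100.7", "alice@example.com", "fail"),
    ("198.51.100.7", "alice@example.com", "fail"),
    ("192.0.2.5", "bob@example.com", "success"),
]


def detect_low_and_slow_spray(events, min_accounts=5, max_per_account=2):
    """Return {source: summary} for sources whose failed sign-ins spread
    across at least `min_accounts` accounts with no more than
    `max_per_account` failures on any one of them (the spray shape), and
    list any accounts that later succeeded from the same source.

    Grouping by source IP is a simplification: a botnet of hijacked
    routers spreads attempts over many IPs, so in practice the same
    logic is run over a wider key (ASN, ISP range, or a time window).
    """
    failures = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for source, account, result in events:
        if result == "fail":
            failures[source][account] += 1
        else:
            successes[source].add(account)

    hits = {}
    for source, per_account in failures.items():
        if len(per_account) < min_accounts:
            continue  # too few accounts touched to look like a spray
        if max(per_account.values()) > max_per_account:
            continue  # repeated guesses on one account: brute force, not spray
        hits[source] = {
            "accounts_targeted": len(per_account),
            "max_attempts_per_account": max(per_account.values()),
            "successes_from_source": sorted(successes.get(source, set())),
        }
    return hits
```

A non-empty `successes_from_source` list on a flagged source is the highest-priority case, since it matches the hand-off of working credentials the article goes on to describe.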
What Are the Threat Actors Doing With the Credentials?
Microsoft has seen multiple instances where Storm-0940 used legitimate credentials acquired through CovertNetwork-1658’s password spray operations to establish initial access to target organizations.
In certain cases, Storm-0940 was seen using compromised credentials on the same day they were obtained through the CovertNetwork-1658 infrastructure. This prompt operational hand-off of compromised credentials indicates that the operators of Storm-0940 and CovertNetwork-1658 most likely have a close working relationship.
After gaining access to a victim’s environment, the threat group has been seen:
- Using scanning and credential dumping tools to move laterally within the network;
- Attempting to access network devices and install proxy tools and remote access trojans (RATs) for persistence;
- Attempting to exfiltrate data.