
Alarming Rise: Chinese Hackers Exploit Quad7 Botnet for Credential Theft!

2024-11-01

Author: Ming

Cybersecurity experts at Microsoft have raised significant alarms over a growing threat from multiple Chinese hacking groups utilizing a formidable botnet known as Quad7, or 7777, to execute password spraying attacks aimed at stealing users' Microsoft account credentials.

This botnet comprises an average of 8,000 compromised devices, predominantly TP-Link routers frequently found in small offices and homes. Emerging in 2023, the Quad7 botnet—also referred to as xlogin—has garnered attention for its sophistication and the scale of operations that it supports.

Tracked as CovertNetwork-1658, this botnet is linked to a notorious Chinese threat actor identified as Storm-0940. Microsoft reports that this group is heavily involved in a slew of password spray attacks that have been detected recently. The chilling aspect of this operation is that Storm-0940 has utilized credentials stolen via the Quad7 botnet almost immediately after their acquisition, indicating a highly organized and rapid operational hand-off between these malicious entities.

Recent analyses suggest that the Quad7 operators are focusing on concealing their infrastructure in response to increased scrutiny from cybersecurity researchers. Sekoia, a cybersecurity firm, reported in September that these operators are expanding their attack tactics to include targeting Zyxel VPN endpoints, Ruckus wireless routers, and Axentra network-attached storage devices.

One notable tactic employed by the Quad7 botnet's operators is to keep sign-in attempts to a minimum: about 80% of the time, only a single login attempt is made per account each day. This restraint complicates detection, since per-account failure thresholds never fire. The transient nature of the botnet, with an average lifespan of just 90 days, further hampers monitoring, as there are no central IP addresses to target, making it exceedingly challenging for defenders to trace and shut down these operations.
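Because the single-attempt-per-account pattern above defeats per-account lockout counters, a detection has to look at the tenant-wide shape of a day's failed sign-ins instead. The following Python is an added example written for this article, not Microsoft's detection logic or anything from the original report; it runs over constructed sign-in records, and the thresholds (20 accounts, at most 2 attempts each, a near one-to-one ratio of source IPs to accounts, and treating any IP that has ever signed in successfully as known-good) are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (not real data): (timestamp, account, source_ip, success).
SAMPLE_EVENTS = [
    # A legitimate user mistypes twice, then succeeds from the same home IP.
    ("2024-10-30T08:01:00", "alice@example.com", "198.51.100.7", False),
    ("2024-10-30T08:01:30", "alice@example.com", "198.51.100.7", False),
    ("2024-10-30T08:02:00", "alice@example.com", "198.51.100.7", True),
]
# Low-and-slow spray: 25 accounts, one failed attempt each, every attempt from a different IP.
SAMPLE_EVENTS += [
    (f"2024-10-30T{9 + i // 4:02d}:{(i % 4) * 15:02d}:00", f"user{i:02d}@example.com", f"203.0.113.{i}", False)
    for i in range(25)
]


def detect_low_and_slow_spray(events, min_accounts=20, max_attempts_per_account=2, min_ip_ratio=0.8):
    """Return one finding per calendar day whose failed sign-ins have the shape of a distributed spray:
    many distinct accounts, at most a couple of attempts each, and (nearly) one source IP per account.
    Per-account lockout counters never fire on this pattern, so the aggregation is tenant-wide."""
    # IPs that completed at least one successful sign-in are treated as known-good and
    # excluded, so a genuine user's typos do not inflate the count (assumed heuristic).
    known_good_ips = {ip for _, _, ip, ok in events if ok}
    ips_by_day = defaultdict(lambda: defaultdict(set))  # day -> account -> {source IPs}
    attempts_by_day = defaultdict(lambda: defaultdict(int))  # day -> account -> failed attempts
    for ts, account, ip, ok in events:
        if ok or ip in known_good_ips:
            continue
        day = datetime.fromisoformat(ts).date().isoformat()
        ips_by_day[day][account].add(ip)
        attempts_by_day[day][account] += 1

    findings = []
    for day, accounts in sorted(ips_by_day.items()):
        if len(accounts) < min_accounts:
            continue
        if max(attempts_by_day[day].values()) > max_attempts_per_account:
            continue  # some account is being hammered: a focused brute force, not a low-and-slow spray
        ips = set().union(*accounts.values())
        if len(ips) / len(accounts) < min_ip_ratio:
            continue  # a few IPs hitting many accounts is a classic spray, caught by simpler per-IP rules
        findings.append({"day": day, "accounts": len(accounts), "source_ips": len(ips), "ips": sorted(ips)})
    return findings


if __name__ == "__main__":
    for f in detect_low_and_slow_spray(SAMPLE_EVENTS):
        print(f"{f['day']}: {f['accounts']} accounts hit, <= 2 attempts each, from {f['source_ips']} distinct IPs")
```

The flagged source IPs are the useful output here: with no central infrastructure to block, the daily list of first-seen IPs is what feeds an IP-reputation or conditional-access decision.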

Storm-0940 has been active since 2021 and employs stolen credentials for nefarious ends, including lateral movements within internal networks, uploading malicious proxy tools, deploying remote access Trojans, and ultimately exfiltrating sensitive data.

To combat these threats, Microsoft urges organizations to adopt robust security measures. Recommendations include disabling legacy authentication methods and implementing passwordless verification systems. Additionally, organizations are encouraged to deactivate unused accounts so that fewer accounts are exposed to spraying.

As the landscape of cyber threats evolves rapidly, staying informed and proactively enhancing security protocols is essential. The Quad7 botnet serves as a stark reminder of the increasing sophistication of cybercriminals, and vigilance is key to defense. Stay safe, and don't become the next target!