Thousands of hacked TP-Link routers used in years-long account takeover attacks

Hackers working on behalf of the Chinese government are using a botnet of thousands of routers, cameras, and other Internet-connected devices to perform highly evasive password spray attacks against users of Microsoft’s Azure cloud service, the company warned Thursday.

The malicious network, made up almost entirely of TP-Link routers, was first documented in October 2023 by a researcher who named it Botnet-7777. The geographically dispersed collection of more than 16,000 compromised devices at its peak got its name because the malware running on each device is exposed on port 7777.

Account compromise at scale

In July and again in August of this year, security researchers from Serbia and Team Cymru reported the botnet was still operational. All three reports said that Botnet-7777 was being used to skillfully perform password spraying, a form of attack that sends large numbers of login attempts from many different IP addresses. Because each individual device sends only a small number of login attempts, the carefully coordinated account-takeover campaign is hard for the targeted service to detect.

On Thursday, Microsoft reported that CovertNetwork-1658—the name Microsoft uses to track the botnet—is being used by multiple Chinese threat actors in an attempt to compromise targeted Azure accounts. The company said the attacks are “highly evasive” because the botnet—now estimated at about 8,000 strong on average—takes pains to conceal the malicious activity.

“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time,” Microsoft officials wrote. “This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.”

Some of the characteristics that make detection difficult are:

  • The use of compromised SOHO IP addresses
  • The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
  • The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity.
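The third bullet is the one defenders most often get wrong, so here is an added example (not code from the article, from Microsoft, or from any of the cited reports) that runs two conventional threshold rules and one tenant-wide rule over a constructed sign-in log. The log entries, the 203.0.113.x and 198.51.100.x source addresses (documentation ranges), the account names, the thresholds and the one-hour window are all assumptions made for the illustration.

```python
"""Added example (not the article's or Microsoft's code): constructed sign-in
records show why per-IP and per-account failure thresholds miss a low-volume,
many-source password spray, and what a tenant-wide check looks at instead."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log entries: (timestamp, source_ip, account, outcome).
# The spray: 60 failed attempts spread over ~50 minutes, each from a different
# source address (documentation ranges, not real nodes), each against a
# different account, so no IP or account ever accumulates more than one failure.
BASE = datetime(2024, 10, 31, 9, 0, 0)
SPRAY_IPS = [f"203.0.113.{i}" for i in range(1, 61)]
SPRAY_ACCOUNTS = [f"user{i:03d}@example.com" for i in range(1, 61)]
EVENTS = [
    (BASE + timedelta(seconds=50 * i), ip, acct, "failure")
    for i, (ip, acct) in enumerate(zip(SPRAY_IPS, SPRAY_ACCOUNTS))
]
# Benign noise: one employee mistypes a password twice, then signs in.
EVENTS += [
    (BASE + timedelta(minutes=5), "198.51.100.7", "alice@example.com", "failure"),
    (BASE + timedelta(minutes=6), "198.51.100.7", "alice@example.com", "failure"),
    (BASE + timedelta(minutes=7), "198.51.100.7", "alice@example.com", "success"),
]


def noisy_ips(events, threshold=5):
    """Conventional rule: flag a source IP with at least `threshold` failures."""
    counts = Counter(ip for _, ip, _, outcome in events if outcome == "failure")
    return {ip for ip, n in counts.items() if n >= threshold}


def hammered_accounts(events, threshold=5):
    """Conventional rule: flag an account with at least `threshold` failures."""
    counts = Counter(acct for _, _, acct, outcome in events if outcome == "failure")
    return {acct for acct, n in counts.items() if n >= threshold}


def spray_windows(events, window=timedelta(hours=1), min_accounts=25, min_ips=25):
    """Tenant-wide rule: inside one time window, count how many *distinct*
    accounts failed and how many *distinct* sources produced those failures.
    A spray shows up as both numbers being large while the per-IP maximum
    stays tiny; a single user's typos or a single noisy scanner do not."""
    failures = [e for e in events if e[3] == "failure"]
    if not failures:
        return []
    t0 = min(e[0] for e in failures)
    buckets = defaultdict(list)
    for ts, ip, acct, _ in failures:
        buckets[int((ts - t0) / window)].append((ip, acct))
    alerts = []
    for idx in sorted(buckets):
        pairs = buckets[idx]
        per_ip = Counter(ip for ip, _ in pairs)
        accounts = {acct for _, acct in pairs}
        if len(accounts) >= min_accounts and len(per_ip) >= min_ips:
            alerts.append({
                "window_start": t0 + idx * window,
                "distinct_accounts": len(accounts),
                "distinct_ips": len(per_ip),
                "max_failures_per_ip": max(per_ip.values()),
            })
    return alerts


if __name__ == "__main__":
    print("per-IP rule flags:", noisy_ips(EVENTS) or "nothing")
    print("per-account rule flags:", hammered_accounts(EVENTS) or "nothing")
    for alert in spray_windows(EVENTS):
        print("tenant-wide spray alert:", alert)
```

On this log both conventional rules return nothing, because no source and no account ever reaches five failures, while the tenant-wide rule reports one window with 61 distinct failing accounts from 61 distinct sources and a per-IP maximum of two. Counting distinct sources per window rather than tracking any single address is also what the second bullet calls for: with thousands of addresses rotating through the pool, per-source reputation has little to latch onto.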