Microsoft detected Chinese threat actors using the Quad7 botnet, also tracked as CovertNetwork-1658 or xlogin, to run password-spray attacks aimed at stealing credentials. The botnet is built from SOHO routers (largely TP-Link) and VPN appliances that were compromised through vulnerabilities in those devices; the operators use them as relays for password-spray and brute-force sign-in attempts against Microsoft 365 accounts, so each attempt arrives from an ordinary residential or small-business IP address rather than from attacker infrastructure. The actor Microsoft tracks as Storm-0940, which Microsoft observed using credentials obtained by the botnet, gained initial access to organizations in the government, law, defense, and NGO sectors in North America and Europe, established persistence inside victims' networks, and positioned for data exfiltration. The sprays are deliberately low-volume, in most observed cases a single sign-in attempt per account per day, so per-IP failure thresholds and account-lockout policies rarely trip; detection therefore has to key on the number of distinct accounts that each see a small number of failures within a window, not on repeated failures from one source.
Source: https://securityaffairs.com/170503/malware/quad7-botnet-used-by-chinese-threat-actors.html
TPRM report: https://scoringcyber.rankiteo.com/company/microsoft
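The low-volume spray described above defeats the usual per-IP and per-account lockout logic, because a botnet of compromised home routers spreads the attempts across many source addresses and touches each account only once or twice. The following detector is an added example, not code from Microsoft, Rankiteo, or the linked article; it runs over constructed sign-in records (the log lines, account names, and TEST-NET addresses are all invented for illustration) and uses the Entra ID error code 50126 ("invalid username or password") as the failure marker. It counts distinct targeted accounts per window instead of failures per source, excludes accounts with many failures (a user mistyping their own password), and flags sprayed accounts that later signed in successfully from one of the spraying addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Entra ID sign-in error code for "invalid username or password" (AADSTS50126);
# error code 0 marks a successful sign-in.
INVALID_CREDENTIALS = 50126
SUCCESS = 0


def parse_signin(line):
    """Parse one constructed sign-in record: 'ISO8601 UTC timestamp,UPN,source IP,error code'."""
    ts, upn, ip, code = line.strip().split(",")
    return {
        "ts": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
        "upn": upn.lower(),
        "ip": ip,
        "code": int(code),
    }


def detect_password_spray(events, window=timedelta(hours=24),
                          min_accounts=10, max_failures_per_account=2):
    """Flag windows in which many distinct accounts each saw only a few failed sign-ins.

    The spray signature is keyed on the number of targeted accounts, not on the source IP:
    a relay network of residential routers spreads attempts over many addresses, so per-IP
    failure thresholds never trip. Accounts with more failures than max_failures_per_account
    (a user mistyping a password) are left out of the count.
    """
    seconds = window.total_seconds()
    buckets = defaultdict(lambda: {"failures": [], "successes": []})
    for e in events:
        key = int(e["ts"].timestamp() // seconds)  # fixed-size window aligned to the epoch
        if e["code"] == INVALID_CREDENTIALS:
            buckets[key]["failures"].append(e)
        elif e["code"] == SUCCESS:
            buckets[key]["successes"].append(e)

    alerts = []
    for key in sorted(buckets):
        fails = buckets[key]["failures"]
        per_account = defaultdict(int)
        for e in fails:
            per_account[e["upn"]] += 1
        sprayed = {u for u, n in per_account.items() if n <= max_failures_per_account}
        if len(sprayed) < min_accounts:
            continue
        # Only addresses that produced failures against sprayed accounts count as spray sources.
        spray_ips = {e["ip"] for e in fails if e["upn"] in sprayed}
        # A success for a sprayed account from a spray source means a guess was right.
        compromised = sorted({s["upn"] for s in buckets[key]["successes"]
                              if s["upn"] in sprayed and s["ip"] in spray_ips})
        alerts.append({
            "window_start": datetime.fromtimestamp(key * seconds, tz=timezone.utc),
            "sprayed_accounts": sorted(sprayed),
            "distinct_source_ips": len(spray_ips),
            "likely_compromised": compromised,
        })
    return alerts


def constructed_sample_log():
    """Constructed sign-in records (not real telemetry) in the shape parse_signin expects."""
    lines = []
    # 30 Oct: one failed attempt per account, each from a different TEST-NET address (spray).
    for i in range(1, 13):
        lines.append(f"2024-10-30T{i + 5:02d}:17:00,user{i:02d}@example.org,203.0.113.{i},50126")
    # 30 Oct: one user mistyping their password five times from their own address (not a spray).
    for minute in range(5):
        lines.append(f"2024-10-30T09:0{minute}:00,bob@example.org,198.51.100.7,50126")
    # 30 Oct: the guess for user03 was right; the same spray address signs in successfully.
    lines.append("2024-10-30T20:41:00,user03@example.org,203.0.113.3,0")
    # 31 Oct: two isolated failures, below any spray threshold.
    lines.append("2024-10-31T08:02:00,user01@example.org,203.0.113.1,50126")
    lines.append("2024-10-31T08:03:00,user02@example.org,203.0.113.2,50126")
    return lines


def run_detection(lines=None):
    """Parse the given (or the constructed) records and return the spray alerts."""
    source = lines if lines is not None else constructed_sample_log()
    return detect_password_spray([parse_signin(l) for l in source])


if __name__ == "__main__":
    for a in run_detection():
        print(a["window_start"].date(), len(a["sprayed_accounts"]), "accounts sprayed from",
              a["distinct_source_ips"], "addresses; likely compromised:", a["likely_compromised"])
```

On the constructed data the 30 October window is flagged with twelve sprayed accounts from twelve addresses and user03 marked as likely compromised, while bob's five failures and the two failures on 31 October produce no alert. The thresholds are assumptions: min_accounts should be tuned to the tenant's normal daily failure spread, and the window should be at least a day, because a one-attempt-per-account-per-day spray never shows up in an hourly bucket.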
"id": "mic001110524",
"linkid": "microsoft",
"type": "Cyber Attack",
"date": "11/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact, including customer data leaks"
{'affected_entities': [{'industry': 'Technology',
'location': 'Global',
'name': 'Microsoft',
'type': 'Corporation'},
{'industry': ['Government', 'Law', 'Defense', 'NGOs'],
'location': ['North America', 'Europe']}],
'attack_vector': ['Password Spray Attacks', 'Brute-force Attacks'],
'description': 'Microsoft detected Chinese threat actors employing the Quad7 '
'botnet, also known as CovertNetwork-1658 or xlogin, in '
'sophisticated password-spray attacks aimed at stealing '
'credentials. These attacks targeted SOHO devices and VPN '
'appliances, exploiting vulnerabilities to gain unauthorized '
'access to Microsoft 365 accounts. The botnet, which includes '
'compromised TP-Link routers, relayed brute-force attacks and '
'enabled further network exploitation. Affected sectors '
'include government, law, defense, and NGOs in North America '
'and Europe. The attackers, identified as Storm-0940, utilized '
'low-volume password sprays to evade detection and maintained '
"persistence within victims' networks for potential data "
'exfiltration.',
'impact': {'systems_affected': ['Microsoft 365 accounts', 'TP-Link routers']},
'initial_access_broker': {'entry_point': ['SOHO devices', 'VPN appliances'],
'high_value_targets': ['Microsoft 365 accounts']},
'motivation': 'Credential Theft',
'references': [{'source': 'Microsoft'}],
'threat_actor': 'Storm-0940',
'title': 'Chinese Threat Actors Employing Quad7 Botnet in Password-Spray '
'Attacks',
'type': 'Credential Theft',
'vulnerability_exploited': ['SOHO devices', 'VPN appliances']}