Sekoia uncovered the evolution of the Quad7 botnet, which now targets new SOHO devices with stealthier tactics to evade detection. The botnet has compromised various routers and VPN appliances by exploiting vulnerabilities, some of which were previously unknown. The Quad7 operators have refined their methods, transitioning from open SOCKS proxies to using the KCP protocol over UDP for communication to further conceal their activities. Although there are no direct reports of data compromise, the botnet's capacity for distributed brute-force attacks presents significant risks, including potential unauthorized access to Microsoft 365 accounts and control over infected devices, which could lead to data breaches or other serious security incidents in the future.
Source: https://securityaffairs.com/168250/malware/quad7-botnet-evolves.html
TPRM report: https://scoringcyber.rankiteo.com/company/sekoia
"id": "sek000091524",
"linkid": "sekoia",
"type": "Cyber Attack",
"date": "9/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'attack_vector': ['Vulnerability exploitation'],
'description': 'Sekoia uncovered the evolution of the Quad7 botnet, which now '
'targets new SOHO devices with stealthier tactics to evade '
'detection. The botnet has compromised various routers and VPN '
'appliances by exploiting vulnerabilities, some of which were '
'previously unknown. The Quad7 operators have refined their '
'methods, transitioning from open SOCKS proxies to using the '
'KCP protocol over UDP for communication to further conceal '
'their activities. Despite no direct reports of data '
"compromise, the botnet's capacity for distributed brute-force "
'attacks presents significant risks, including potential '
'unauthorized access to Microsoft 365 accounts and control '
'over infected devices possibly leading to data breaches or '
'other serious security incidents in the future.',
'impact': {'systems_affected': ['Routers', 'VPN appliances']},
'motivation': ['Unauthorized access', 'Data breaches'],
'threat_actor': 'Quad7 operators',
'title': 'Evolution of Quad7 Botnet Targets SOHO Devices',
'type': 'Botnet',
'vulnerability_exploited': ['Unknown vulnerabilities in routers and VPN '
'appliances']}