This post is also available in:
עברית (Hebrew)
A covert Chinese botnet, named by Microsoft “CovertNetwork-1658,” has been identified using compromised TP-Link routers to conduct stealthy password-spraying attacks. This operation, discovered in August 2023, relies on an average of 8,000 compromised devices to target organizations with minimal detection risk.
The botnet primarily consists of small office and home office (SOHO) routers, which provide hackers with a diverse range of legitimate IP addresses, allowing them to evade security measures. Microsoft Threat Intelligence has reported that this network operates under various aliases, including “xlogin” and “Quad7,” with the threat group Storm-0940 appearing to be the primary user.
CovertNetwork-1658 specifically targets think tanks, government entities, and other organizations across North America and Europe. The initial access is often gained through a combination of password-spraying techniques, brute-force attacks, and exploitation of misconfigured network applications. Microsoft highlights that the botnet is particularly stealthy, submitting an average of only one sign-in attempt per account each day, with 80% of accounts receiving just a single attempt.
The compromised routers limit their attempts to a maximum of three daily, which makes malicious activities hard to detect. Researchers note that the botnet has access to thousands of rotating IP addresses, with each node averaging about 90 days of uptime. Following the exposure of this network, its activity has decreased significantly, with only hundreds of endpoints operating in recent months. However, Microsoft assesses that CovertNetwork-1658 is still functional and likely shifting to new infrastructure.
In late October, there was a notable surge in malicious activity associated with this botnet. Microsoft warns that any actor utilizing this infrastructure could scale up password-spraying campaigns, greatly enhancing the chance of credential compromise and unauthorized access to multiple organizations swiftly.
To mitigate these risks, Microsoft urges organizations to adopt robust cybersecurity measures, including implementing multi-factor authentication, disabling outdated authentication methods, and embracing passwordless authentication strategies. As cyber threats evolve, proactive measures remain essential for safeguarding sensitive information.
