A network of compromised devices tracked as CovertNetwork-1658 has been identified by researchers, who report that Chinese threat actors are using it to carry out highly evasive password spray attacks. These attacks have resulted in the theft of credentials from multiple Microsoft customers, and threat actors such as Storm-0940 have used the stolen credentials to gain unauthorized access to victim systems.
Storm-0940, active since 2021, primarily targets organizations in North America and Europe, including government, non-profit, and private sector entities. The group gains initial access through brute-force attacks, exploits, and compromised network services. Microsoft has notified affected organizations and provided mitigation and detection recommendations, including identifying and blocking malicious IP addresses, strengthening password policies, and implementing network segmentation. Organizations can also use security analytics tools to detect suspicious activity associated with Storm-0940.
The Chinese threat actor behind CovertNetwork-1658 has compromised a significant number of TP-Link SOHO routers to build this network. By exploiting a vulnerability, the attacker gains remote access to the routers, which enables further malicious activity such as credential harvesting and network exploitation. Each compromised router is enrolled in the covert network: Telnet and xlogin binaries are downloaded and executed to establish remote access, and a SOCKS5 server is deployed on the router to form a proxy network. As a result, password spray traffic appears to originate from the compromised routers rather than from the attacker's own infrastructure, which makes tracing the attacks to their true source difficult.
CovertNetwork-1658 is actively conducting low-volume password spray attacks against numerous organizations, using the compromised SOHO routers to mask their origin. By drawing on a large pool of rotating IP addresses and limiting sign-in attempts to one per account per day, the threat actor stays below the thresholds of traditional security alerts, making these attacks difficult to detect and mitigate. Recent security reports have highlighted this botnet and its use by the Chinese threat actor for large-scale password spraying.
Although use of the original CovertNetwork-1658 infrastructure has declined, recent activity indicates that the threat actors are acquiring new infrastructure with different signatures. Microsoft has reported that historically the network consisted of 8,000 compromised devices, with 20% actively engaged in password spraying, leading to widespread credential theft across various sectors. User agent strings observed during these attacks mimic Windows and Internet Explorer. Credentials obtained through the spraying are then handed off to threat actors such as Storm-0940, reflecting coordination between the operators of the network and the groups that use it to infiltrate target organizations.
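The evasion described above (one attempt per account per day, spread across many source addresses) defeats the usual per-IP and per-account lockout counters, so detection has to look at the spread of failures across a tenant instead. The following is an added example, not code from the original report or from Microsoft: it buckets constructed sign-in events by day and flags days where many distinct accounts each fail about once from many distinct sources, and it also surfaces the most common user agent, since a single agent string shared across unrelated sources is a useful pivot. The event tuples, account names, user agent string, and thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sign-in events: (timestamp, account, source_ip, user_agent, outcome).
# IPs come from the RFC 5737 documentation ranges; nothing here is a real indicator.
UA = "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"  # constructed IE-style string
SAMPLE_EVENTS = [
    ("2024-10-30T01:12:00", "alice@example.org", "192.0.2.10", UA, "failure"),
    ("2024-10-30T02:40:00", "bob@example.org", "198.51.100.7", UA, "failure"),
    ("2024-10-30T04:05:00", "carol@example.org", "203.0.113.55", UA, "failure"),
    ("2024-10-30T06:30:00", "dave@example.org", "192.0.2.77", UA, "failure"),
    ("2024-10-30T09:15:00", "erin@example.org", "198.51.100.130", UA, "failure"),
    ("2024-10-30T11:00:00", "frank@example.org", "203.0.113.9", UA, "failure"),
    ("2024-10-30T12:00:00", "alice@example.org", "10.0.0.5", "Edge/130", "success"),  # legitimate
    ("2024-10-30T13:47:00", "grace@example.org", "192.0.2.201", UA, "failure"),
    ("2024-10-30T18:20:00", "heidi@example.org", "198.51.100.44", UA, "failure"),
    ("2024-10-31T08:00:00", "bob@example.org", "10.0.0.9", "Edge/130", "failure"),  # mistyped password
]

def daily_failure_stats(events):
    """Bucket failed sign-ins by calendar day and summarize their spread over accounts and sources."""
    per_day = defaultdict(list)
    for ts, account, ip, ua, outcome in events:
        if outcome == "failure":
            per_day[datetime.fromisoformat(ts).date().isoformat()].append((account, ip, ua))
    stats = {}
    for day, rows in per_day.items():
        accounts = Counter(a for a, _, _ in rows)
        sources = Counter(ip for _, ip, _ in rows)
        agents = Counter(ua for _, _, ua in rows)
        stats[day] = {
            "failures": len(rows),
            "distinct_accounts": len(accounts),
            "max_per_account": max(accounts.values()),   # 1 means "one try per account"
            "distinct_sources": len(sources),
            "max_per_source": max(sources.values()),     # 1 means per-IP lockouts never fire
            "top_user_agent": agents.most_common(1)[0][0],
        }
    return stats

def detect_low_volume_spray(events, min_accounts=5, min_sources=5, max_per_account=1):
    """Flag days where many accounts each fail at most max_per_account times from many sources.
    Thresholds are assumed; tune min_accounts and min_sources to the tenant's normal failure volume."""
    alerts = []
    for day, s in sorted(daily_failure_stats(events).items()):
        if (s["distinct_accounts"] >= min_accounts
                and s["distinct_sources"] >= min_sources
                and s["max_per_account"] <= max_per_account):
            alerts.append((day, s))
    return alerts
```

On the sample data only 2024-10-30 is flagged: eight accounts, eight sources, one failure each, all sharing the constructed IE-style user agent, while the single mistyped password on the following day is ignored.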
Once inside a target organization, Storm-0940 has been observed scanning the network, dumping credentials, accessing network devices, installing persistence mechanisms such as proxy tools and RATs, and exfiltrating sensitive data, which demonstrates a sophisticated and efficient post-compromise playbook. In response to these evolving threats, organizations are advised to adopt comprehensive security measures and to use tools such as security analytics to detect and prevent unauthorized access and data exfiltration.