Microsoft warns of major Chinese botnet 'Quad7' targeting global organizations
Microsoft has uncovered a major cyber threat from a Chinese botnet, dubbed Quad7. The botnet is said to be launching sophisticated password spray attacks on organizations around the world. The group behind the operation, identified as Storm-0940, is looking to infiltrate networks, steal credentials, and conduct more intrusive and potentially disruptive cyber activities. The main goal of this campaign seems to be espionage.
Targets include high-value entities
The botnet's targets aren't random, but rather strategically chosen. They include high-value entities like think tanks, government bodies, NGOs, law firms, and defense industries. The attack method used by Storm-0940 is calculated and hard to detect. A sub-group called CovertNetwork-1658 performs minimal login attempts on different accounts of a target organization, keeping it under the radar.
Quad7's stealthy approach and swift action
Microsoft's report suggests that in nearly 80% of the cases, CovertNetwork-1658 makes just one login attempt per account per day. This tactic is aimed at avoiding conventional security monitoring systems, which typically alert on repeated failures against a single account. Once the attackers succeed in breaching an account, they move quickly. In some cases, further compromises were started on the same day the password was guessed. The first steps include extracting more credentials and deploying remote access trojans (RATs) and proxies to keep their foothold in the network.
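The one-attempt-per-account-per-day pattern described above defeats the usual lockout and brute-force rules, because no single account and no single source ever crosses a failure threshold. The following is an added example, not code from the article or from Microsoft: it runs over a constructed sign-in log (format, IP addresses, usernames and thresholds are all assumptions) and looks at the organization-wide picture instead of per-account counters. It treats any source address that has ever produced a successful sign-in as a known location, then counts accounts that received exactly one failure from an unknown source on a given day. Many such accounts, each probed once from a different address, is the spray signature; a single address hammering one account is flagged separately as classic brute force.

```python
"""Low-and-slow password spray detection over sign-in events.

Added example, not part of the original article. The log format
("timestamp user source_ip OK|FAIL"), the sample addresses, the user
names and the thresholds below are all constructed assumptions.
"""
from collections import defaultdict

SPRAY_MIN_ACCOUNTS = 5    # assumed: distinct accounts probed once per day
BRUTE_FORCE_MIN_FAILS = 5 # assumed: failures from one source against one account

# Constructed sample log: eight accounts each probed once from eight
# different addresses, one user's genuine typo from a known address,
# and one noisy brute-force burst against a single account.
SAMPLE_LOG = """\
2024-10-01T02:14:07Z alice 203.0.113.10 FAIL
2024-10-01T02:15:31Z bob 203.0.113.11 FAIL
2024-10-01T02:16:02Z carol 203.0.113.12 FAIL
2024-10-01T02:17:45Z dave 203.0.113.13 FAIL
2024-10-01T02:19:10Z erin 203.0.113.14 FAIL
2024-10-01T02:20:33Z frank 203.0.113.15 FAIL
2024-10-01T02:21:58Z grace 203.0.113.16 FAIL
2024-10-01T02:23:04Z heidi 203.0.113.17 FAIL
2024-10-01T09:02:11Z alice 198.51.100.5 OK
2024-10-01T09:05:47Z bob 198.51.100.6 OK
2024-10-01T09:06:02Z bob 198.51.100.6 FAIL
2024-10-01T09:06:20Z bob 198.51.100.6 OK
2024-10-01T11:40:19Z ivan 198.51.100.7 FAIL
2024-10-01T11:40:25Z ivan 198.51.100.7 FAIL
2024-10-01T11:40:31Z ivan 198.51.100.7 FAIL
2024-10-01T11:40:40Z ivan 198.51.100.7 FAIL
2024-10-01T11:40:48Z ivan 198.51.100.7 FAIL
"""


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts keyed by day."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"day": ts[:10], "user": user, "ip": ip, "ok": result == "OK"})
    return events


def analyze(events, spray_min_accounts=SPRAY_MIN_ACCOUNTS,
            brute_min_fails=BRUTE_FORCE_MIN_FAILS):
    """Return a per-day report of spray and brute-force indicators."""
    # Any address that has produced a successful sign-in is treated as a
    # known location; a lone failure from it reads as a typo, not a probe.
    trusted_ips = {e["ip"] for e in events if e["ok"]}

    # day -> (source ip, user) -> number of failed attempts
    fails = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e["ok"]:
            fails[e["day"]][(e["ip"], e["user"])] += 1

    report = {}
    for day, pairs in fails.items():
        spray_accounts, spray_sources, brute = set(), set(), []
        for (ip, user), n in pairs.items():
            if n >= brute_min_fails:
                brute.append((ip, user, n))          # noisy, per-account attack
            elif n == 1 and ip not in trusted_ips:
                spray_accounts.add(user)             # single probe, unknown source
                spray_sources.add(ip)
        report[day] = {
            "spray_accounts": sorted(spray_accounts),
            "spray_sources": len(spray_sources),
            # Many accounts touched exactly once, from unknown sources, is the
            # organization-wide signature a per-account rule cannot see.
            "spray_suspected": len(spray_accounts) >= spray_min_accounts,
            "brute_force": brute,
        }
    return report


if __name__ == "__main__":
    for day, r in analyze(parse_log(SAMPLE_LOG)).items():
        print(day, r)
```

In the sample, no source address touches more than one account, so a per-source "many accounts from one IP" rule would stay silent; only the daily count of single-failure accounts from unknown sources exposes the spray. The trusted-address heuristic is deliberately simple: in a real deployment it would be replaced by the identity provider's own notion of known devices and locations, and the thresholds tuned to the organization's baseline of genuine failed logins.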
Evolution and expansion
Quad7 first came into the limelight in September 2024 when it started showing new capabilities and widening its target range. First seen by a researcher named Gi7w0rm and studied by Sekoia experts, the botnet was initially observed targeting TP-Link routers, but it quickly evolved to target other devices, including ASUS routers, Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers.
Quad7's malware and the scale of infections
The attackers have created custom malware to compromise these devices, forming distinct clusters of infections for different targets. Each cluster uses a login mechanism tailored to the device type it infects. The scale of these clusters also varies widely, with some covering thousands of infected devices, while others may include as few as two. This finding highlights the increasing complexity and sophistication of global cyber threats.
Shift in tactics and the importance of robust security
The use of SOHO (small office/home office) routers as entry points indicates a shift in tactics, with attackers leveraging weaker endpoints to circumvent traditional enterprise security defenses. Microsoft's findings highlight the need for robust security measures and continuous monitoring for organizations across the globe. As Quad7's reach and impact continue to grow, cybersecurity experts are calling on organizations to bolster their defenses, especially in securing routers and network endpoints that could act as gateways for such attacks.