Summarize

Simplifying... Inshort

Microsoft has issued a warning about a sophisticated Chinese botnet, Quad7, that's strategically targeting global organizations like government bodies and defense industries.
The botnet, first noticed in 2024, has evolved to target a range of devices, using custom malware to create unique infection clusters.
As Quad7's reach expands, experts urge organizations to strengthen their defenses, particularly securing routers and network endpoints that could serve as attack gateways.

Was a long read? Making it simpler...

Next Article

Quad7 is launching cyber attacks on government bodies and other high-profile entities

Microsoft warns of major Chinese botnet 'Quad7' targeting global organizations

By Akash Pandey

Nov 04, 2024

04:25 pm

What's the story

Microsoft has uncovered a major cyber threat from a Chinese botnet, dubbed Quad7. The botnet is said to be launching sophisticated password spray attacks on organizations around the world. The group behind the operation, identified as Storm-0940, is looking to infiltrate networks, steal credentials, and conduct more intrusive and potentially disruptive cyber activities. The main goal of this campaign seems to be espionage.

High-profile targets

Targets include high-value entities

The botnet's targets aren't random, but rather strategically chosen. They include high-value entities like think tanks, government bodies, NGOs, law firms, and defense industries. The attack method used by Storm-0940 is calculated and hard to detect. A sub-group called CovertNetwork-1658 performs minimal login attempts on different accounts of a target organization, keeping it under the radar.

Covert operations

Quad7's stealthy approach and swift action

Microsoft's report suggests that in nearly 80% of the cases, CovertNetwork-1658 makes just one login attempt per account per day. This tactic is aimed at avoiding conventional security monitoring systems. Once the attackers succeed in breaching an account, they move quickly. In some cases, further compromises were started on the same day the password was guessed. The first steps include extracting more credentials and deploying RATs and proxies to keep their foothold in the network.

Threat evolution

Evolution and expansion

Quad7 first came into the limelight in September 2024 when it started showing new capabilities and widening its target range. First seen by a researcher named Gi7w0rm and studied by Sekoia experts, the botnet was initially observed targeting TP-Link routers. But, it quickly evolved to target other devices, including ASUS routers, Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers.

Malware strategy

Quad7's malware and the scale of infections

The attackers have created custom malware to hack these devices, forming unique clusters of infections for different targets. Each cluster employs a variant of a login method designed for specific devices. The scale of these clusters also varies widely, with some covering thousands of infected devices, while others may include as few as two. This finding highlights the increasing complexity and sophistication of global cyber threats.

Security implications

Shift in tactics and the importance of robust security

The use of SOHO (small office/home office) routers as entry points indicates a shift in tactics, with attackers leveraging weaker endpoints to circumvent traditional enterprise security defenses. Microsoft's findings highlight the need for robust security measures and continuous monitoring for organizations across the globe. As Quad7's reach and impact continues to grow, cybersecurity experts are calling on organizations to bolster their defenses, especially in securing routers and network endpoints that could act as gateways for such attacks.