November 2nd, 2024

Hacked TP-Link routers used in years-long account takeover attacks

Hackers linked to the Chinese government are using a botnet of TP-Link routers for password-spraying attacks on Microsoft Azure accounts, employing evasive techniques and targeting various organizations.


Hackers linked to the Chinese government are using a botnet composed mainly of TP-Link routers to conduct password-spraying attacks against Microsoft Azure accounts. The botnet, identified as Botnet-7777, was first reported in October 2023 and is confirmed to have consisted of over 16,000 compromised devices at its peak. Microsoft, which tracks it as CovertNetwork-1658, noted that the attackers make detection difficult by rotating source IP addresses and keeping login attempts at low volume. The botnet's activity has decreased recently, but Microsoft attributes this to the acquisition of new infrastructure rather than a reduction in operations. One of the groups using the botnet, known as Storm-0940, has targeted organizations including think tanks and government entities, and has gained access to networks using credentials obtained through these password-spraying campaigns. How the routers are initially infected is not known; rebooting may temporarily remove the malware, but reinfection is likely. Microsoft has not provided specific guidance to users of affected devices on how to prevent or detect infection.
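The evasion described above (rotating source IPs, few attempts per IP) defeats per-IP lockout and rate-based alerts, so detection has to aggregate failures across sources. The following is an added illustration, not code from the article or from Microsoft: a heuristic over constructed sign-in failure records (the account names, IPs and thresholds are assumptions) that flags a window in which many distinct accounts see failed sign-ins from many distinct IPs while no single IP/account pair exceeds a small number of tries.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in failure records (user, source IP, UTC time); not real data.
# Oct 30 mimics the low-and-slow pattern: one attempt per IP/user pair, spread
# over rotating source IPs. Oct 31 is one user mistyping a password.
FAILED_SIGNINS = [
    ("alice@example.test", "198.51.100.10", "2024-10-30T01:05:00"),
    ("bob@example.test",   "198.51.100.10", "2024-10-30T01:40:00"),
    ("carol@example.test", "198.51.100.23", "2024-10-30T03:12:00"),
    ("dave@example.test",  "203.0.113.7",   "2024-10-30T05:50:00"),
    ("erin@example.test",  "203.0.113.7",   "2024-10-30T09:31:00"),
    ("frank@example.test", "192.0.2.88",    "2024-10-30T14:02:00"),
    ("grace@example.test", "192.0.2.88",    "2024-10-30T21:45:00"),
    ("heidi@example.test", "203.0.113.7",   "2024-10-31T02:10:00"),
    ("heidi@example.test", "203.0.113.7",   "2024-10-31T02:11:00"),
    ("heidi@example.test", "203.0.113.7",   "2024-10-31T02:13:00"),
]

def bucket(ts: str, window: timedelta) -> datetime:
    """Floor an ISO timestamp to the start of its fixed-size window."""
    t = datetime.fromisoformat(ts)
    return t - (t - datetime.min) % window

def detect_spray(events, window=timedelta(hours=24), min_users=5,
                 min_ips=3, max_per_pair=2):
    """Flag windows where failures hit >= min_users accounts from >= min_ips
    IPs while no IP/user pair exceeds max_per_pair tries. A per-IP threshold
    would never fire on this data; aggregating across sources does."""
    per_window = defaultdict(list)
    for user, ip, ts in events:
        per_window[bucket(ts, window)].append((user, ip))
    findings = []
    for start, pairs in sorted(per_window.items()):
        users = {u for u, _ in pairs}
        ips = {ip for _, ip in pairs}
        pair_counts = defaultdict(int)
        for pair in pairs:
            pair_counts[pair] += 1
        if (len(users) >= min_users and len(ips) >= min_ips
                and max(pair_counts.values()) <= max_per_pair):
            findings.append({"window_start": start.isoformat(),
                             "users": len(users), "source_ips": len(ips)})
    return findings  # on the sample: one finding, for the Oct 30 window

if __name__ == "__main__":
    for finding in detect_spray(FAILED_SIGNINS):
        print(finding)
```

Thresholds need tuning per tenant: a shared NAT egress will produce many users behind one IP, so the distinct-IP condition is what separates a spray from ordinary office-hours failures.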

- A botnet of TP-Link routers is being used for password-spraying attacks on Microsoft Azure accounts.

- The botnet, known as CovertNetwork-1658, consists of around 8,000 active devices.

- Attackers employ evasive techniques, making detection of their activities challenging.

- The group Storm-0940 is one of the threat actors utilizing this botnet to target various organizations.

- Rebooting infected devices may temporarily remove malware, but reinfection is possible.
