Chinese Hackers Target Microsoft Users with Sophisticated Password Attacks

Microsoft has detected a network of compromised devices, tracked as CovertNetwork-1658, launching highly evasive password spray attacks against its customers; these attacks have successfully stolen credentials from multiple targets.

The Chinese threat actor Storm-0940 uses credentials obtained through CovertNetwork-1658's password spray attacks to gain initial access to target organizations in North America and Europe, including the government, defense, and think tank sectors.

CovertNetwork-1658 has been identified as a large network of compromised SOHO routers, primarily TP-Link devices, which, potentially under threat actor control, could be used for malicious activities such as DDoS attacks or data exfiltration.

China-based threat actors exploit vulnerable routers to gain remote access, building up CovertNetwork-1658, which is then used to launch further attacks, including credential theft and computer network exploitation.

Post-compromise, the threat actor downloads Telnet and xlogin binaries from a remote FTP server, establishes a backdoor on TCP port 7777, and then downloads a SOCKS5 server binary to the router and starts it on TCP port 11288, laying the groundwork for subsequent password spray attacks.

Figure: Steps taken to prepare the router for password spray operations

CovertNetwork-1658 launches low-volume password spray attacks against multiple organizations: only a limited number of sign-in attempts per account per day, spread across a large number of accounts, in order to identify weak or reused passwords.

Its ephemeral and decentralized infrastructure, which relies on compromised SOHO IP addresses and rapid IP rotation, hinders effective monitoring and detection of these low-volume password spray attacks.
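The two paragraphs above describe the detection problem: each account sees only a few attempts per day and the source IP keeps changing, so per-IP and per-account lockout counters never fire. The following is an added example (not code from the article or from Microsoft) that runs a classic per-source-IP check alongside an aggregate low-volume check over a constructed sign-in log; the log format, the thresholds, and all account and IP values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (timestamp,user,source_ip,result), not data from the article:
# seven accounts each see one failure from a different source IP within a day (the low-volume,
# IP-rotating pattern), while one user simply mistypes a password three times from one IP.
SAMPLE_LOG = """\
2024-10-01T08:00:01Z,a.lee@example.org,198.51.100.11,failure
2024-10-01T08:05:42Z,b.khan@example.org,198.51.100.23,failure
2024-10-01T08:31:09Z,c.ortiz@example.org,203.0.113.7,failure
2024-10-01T09:02:55Z,d.novak@example.org,203.0.113.88,failure
2024-10-01T09:47:13Z,e.sato@example.org,198.51.100.140,failure
2024-10-01T10:15:30Z,f.byrne@example.org,203.0.113.201,failure
2024-10-01T11:58:02Z,g.adeyemi@example.org,198.51.100.77,failure
2024-10-01T12:10:00Z,h.weber@example.org,192.0.2.5,failure
2024-10-01T12:10:20Z,h.weber@example.org,192.0.2.5,failure
2024-10-01T12:10:41Z,h.weber@example.org,192.0.2.5,failure
2024-10-01T12:11:05Z,h.weber@example.org,192.0.2.5,success
"""

def parse_log(text):
    """Turn the CSV-style lines into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    return events

def spray_indicators(events, window=timedelta(days=1), max_per_account=2, min_accounts=5):
    """Two spray signals over failed sign-ins inside `window` of the first failure.
    per_ip: source IPs failing against >= min_accounts distinct accounts (classic spray).
    low_volume: accounts with <= max_per_account failures plus the distinct IPs behind them;
    a rotating-IP spray shows up here while every per-IP/per-account counter stays low."""
    fails = sorted(e for e in events if e[3] == "failure")
    if not fails:
        return {"per_ip": {}, "low_volume": {"accounts": 0, "distinct_ips": 0, "flagged": False}}
    start = fails[0][0]
    fails = [e for e in fails if e[0] - start <= window]
    users_by_ip, fails_by_user, ips_by_user = defaultdict(set), defaultdict(int), defaultdict(set)
    for _, user, ip, _ in fails:
        users_by_ip[ip].add(user)
        fails_by_user[user] += 1
        ips_by_user[user].add(ip)
    per_ip = {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}
    quiet = [u for u, n in fails_by_user.items() if n <= max_per_account]
    quiet_ips = set().union(*(ips_by_user[u] for u in quiet)) if quiet else set()
    return {"per_ip": per_ip, "low_volume": {"accounts": len(quiet),
            "distinct_ips": len(quiet_ips), "flagged": len(quiet) >= min_accounts}}
```

On the sample log the per-IP view stays empty while the aggregate view flags seven accounts probed from seven different addresses, which is the shape of activity to alert on when the sources are rotating residential IPs.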

Security researchers exposed CovertNetwork-1658's infrastructure in public reports, after which Censys.IO data showed a significant decrease in its usage, suggesting that the network has shifted to new infrastructure to avoid detection.

Figure: The drop in CovertNetwork-1658's available nodes

Recent activity indicates that CovertNetwork-1658 remains active and is likely transitioning to new infrastructure with altered digital fingerprints to evade detection; the observed increase in activity supports this assessment.

Microsoft estimates that 20% of the 8,000 devices compromised by CovertNetwork-1658 are actively used for password spraying, which enables Chinese threat actors to rapidly compromise credentials across multiple sectors and regions.

The observed user-agent strings indicate potential password spray attempts that present as Windows 10 systems, using both modern browsers such as Chrome and older legacy browsers such as Internet Explorer 11 to diversify the attack profile and evade detection mechanisms.

Storm-0940 uses valid credentials stolen by CovertNetwork-1658 to gain initial access to target organizations; the speed at which credentials are handed over suggests a close collaboration between the two threat actors.

Once inside, it uses scanning and credential dumping tools to move laterally within compromised networks, installs proxy tools and remote access tools (RATs) for persistence, and exfiltrates sensitive data.
