Chinese Botnet Exploits Router Weaknesses to Steal Credentials

Recent findings by cybersecurity researchers indicate that a Chinese threat actor known as Storm-0940 is deploying a botnet called Quad7, or CovertNetwork-1658, to conduct stealthy password spray attacks aimed at credential theft. These attacks primarily target accounts across several organizations, with the goal of unauthorized access to sensitive data.

Since 2021, Storm-0940 has reportedly gained access to networks by utilizing password spray and brute-force attacks, as well as by exploiting vulnerabilities in network edge applications and devices.

Their targets include organizations across North America and Europe, spanning think tanks, government institutions, non-profits, legal firms, and sectors linked to defense.

Quad7, also referred to as xlogin or 7777, has been the subject of in-depth analysis by cybersecurity groups. It’s known to compromise various brands of Small Office/Home Office (SOHO) routers and VPN devices, such as TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR, through both known and unidentified security vulnerabilities.

The botnet enables remote code execution by using a backdoor that operates on TCP port 7777, granting attackers ongoing remote access to the infected devices.

Researchers believe the botnet is primarily used to launch brute-force attacks against Microsoft 365 accounts. The operators, thought to be based in China, coordinate password spray attacks that allow them to gain further access to compromised networks for activities like lateral movement, remote access trojan deployment, and data exfiltration.

Microsoft’s threat intelligence team observed that Storm-0940 often transfers control of compromised credentials to collaborating threat actors on the same day the credentials are obtained.

The company stated that CovertNetwork-1658 makes a minimal number of sign-in attempts across multiple accounts at target organizations, with approximately 80 percent of attempts limited to one sign-in per account per day. This calculated approach makes the botnet hard to detect.

At its peak, up to 8,000 compromised devices are active within the network, though only about 20 percent of them participate in password spray operations.

Following the public disclosure of the botnet’s infrastructure, however, botnet activity has significantly declined. Researchers suggest that the threat actors may be acquiring new devices and modifying their digital fingerprints to avoid detection.

While botnet activity has slowed, cybersecurity experts caution that Quad7’s operators may be exploring other infection methods to evade current monitoring efforts. The coordinated use of the botnet’s infrastructure by multiple Chinese threat actors enables large-scale credential theft across diverse sectors and regions, heightening the risk of account compromise and network infiltration in a short time span.

To minimize the risk of similar attacks, organizations should implement stringent security practices around router and network device configurations, including regular firmware updates and vulnerability assessments.

Enhanced access management, such as multi-factor authentication (MFA) and robust password policies, can mitigate password spray and brute-force attacks. Network segmentation and monitoring can also help detect and isolate compromised devices early.