Chinese Threat Actor Storm-0940 Uses Credentials From Password Spray Attacks From a Covert Network
Summary:
Microsoft has shed light on a botnet dubbed CovertNetwork-1658, aka xlogin and Quad7 (7777), which has enabled Chinese threat actors to steal credentials in highly evasive password spray attacks. CovertNetwork-1658 is made up of a network of compromised small office and home office (SOHO) routers. A majority of these routers are manufactured by TP-Link, but the network also includes Zyxel, Asus, Axentra, D-Link, and NETGEAR devices. Actors behind the CovertNetwork-1658 operation have gained access to these devices by exploiting vulnerabilities and successfully adding them to the botnet, which in turn can be used by other actors to carry out further attacks.
Multiple Chinese threat actors have been assessed to use the credentials acquired from CovertNetwork-1658 password spray operations to perform computer network exploitation (CNE) activities. One of these actors is Storm-0940, which has gained initial access to target organizations using valid credentials obtained through CovertNetwork-1658's password spray operation. Active since at least 2021, Storm-0940 is known for targeting organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, the defense industrial base, and others. According to Microsoft, Storm-0940 has been observed in some instances using compromised credentials that were obtained from CovertNetwork-1658 infrastructure on the same day, highlighting a close relationship between the operators of CovertNetwork-1658 and Storm-0940. Once an initial foothold within the victim's environment is obtained, Storm-0940 will typically:
- Use scanning and credential dumping tools to move laterally within the network;
- Attempt to access network devices and install proxy tools and remote access trojans (RATs) for persistence; and
- Attempt to exfiltrate data.
Security Officer Comments:
CovertNetwork-1658 has been mainly used to perform brute-force attacks against accounts associated with Microsoft 365, a popular platform that is used by organizations across the globe.
The employment of SOHO IP addresses is not a novel tactic; malicious actors frequently use this approach to obscure their identities and evade detection. With thousands of IP addresses at their disposal, attackers rotate these addresses to carry out their attacks, so that any single source IP produces only a handful of sign-in attempts. According to Microsoft, there is an average of 8,000 compromised devices actively participating in CovertNetwork-1658 at any given moment, with approximately 20 percent of these devices engaged in password spray attacks.
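The low-and-slow, IP-rotating pattern described above is what a detection has to key on: many distinct accounts, very few failures per account, and a different source IP for almost every attempt, which is the opposite of a classic single-account brute force. The following is an added example (not from Microsoft's report or any product) that runs such a check over constructed sign-in records and surfaces any success coming from an IP that took part in the spray. The log format, the thresholds, and the account and IP values are all assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real telemetry): "timestamp user source_ip result".
# The first seven lines mimic a low-and-slow spray: one failure per account and a different
# source IP for nearly every attempt. The last three lines are a single-account brute force.
SAMPLE_LOG = """\
2024-10-28T09:00:01Z alice@example.com 203.0.113.10 FAIL
2024-10-28T09:00:05Z bob@example.com 203.0.113.11 FAIL
2024-10-28T09:00:09Z carol@example.com 203.0.113.12 FAIL
2024-10-28T09:00:14Z dave@example.com 203.0.113.13 FAIL
2024-10-28T09:00:20Z erin@example.com 203.0.113.14 FAIL
2024-10-28T09:00:25Z frank@example.com 203.0.113.15 FAIL
2024-10-28T09:00:31Z grace@example.com 203.0.113.12 SUCCESS
2024-10-28T09:05:00Z heidi@example.com 198.51.100.7 FAIL
2024-10-28T09:05:30Z heidi@example.com 198.51.100.7 FAIL
2024-10-28T09:06:00Z heidi@example.com 198.51.100.7 FAIL
"""


def parse(log_text):
    """Turn whitespace-separated records into (timestamp, user, ip, result) tuples."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            rows.append((ts, user, ip, result.upper()))
    return rows


def detect_spray(rows, min_accounts=5, max_fail_per_account=2):
    """Flag the spray signature: many distinct accounts, each with only a few failures,
    spread across many source IPs. Thresholds are illustrative assumptions, not Microsoft's.
    Returns None when the input does not look like a spray."""
    fails = defaultdict(list)  # user -> source IPs that failed against that user
    for _, user, ip, result in rows:
        if result == "FAIL":
            fails[user].append(ip)
    # Accounts hit only a few times fit the spray pattern; a single account hammered
    # many times (heidi above) is brute force and is deliberately excluded here.
    sprayed = {u for u, ips in fails.items() if len(ips) <= max_fail_per_account}
    if len(sprayed) < min_accounts:
        return None
    spray_ips = {ip for u in sprayed for ip in fails[u]}
    # A success from an IP that also produced spray failures is the highest-priority
    # finding: it is where a guessed password turns into initial access.
    hits = [(user, ip) for _, user, ip, result in rows
            if result == "SUCCESS" and ip in spray_ips]
    return {"accounts": sorted(sprayed), "source_ips": sorted(spray_ips), "successes": hits}
```

In a SIEM the same logic would be run per time window (for example, per hour or per day) rather than over the whole input, because the spray's per-account attempt count is only meaningful relative to a window.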
Microsoft notes a significant decline in the usage of the CovertNetwork-1658 infrastructure after reports from various security vendors, including Sekoia (July 2024) and Team Cymru (August 2024). Microsoft attributes this decrease to botnet operators potentially acquiring new infrastructure with altered fingerprints, diverging from those that have been publicly identified.
Suggested Corrections:
Organizations can defend against password spraying by building credential hygiene and hardening cloud identities. Microsoft recommends the following mitigations to reduce the impact of this threat:
- Educate users on the importance of credential hygiene and avoiding password reuse.
- Enforce multi-factor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times. Microsoft continues to expand MFA defaults for products and services like Azure to broaden MFA adoption.
- Consider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business.
- Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
- Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA.
- Disable legacy authentication.
- Use a cloud-based identity security solution to identify and detect threats or compromised identities.
- Disable stale or unused accounts.
- Reset account passwords for any accounts targeted during a password spray attack. If a targeted account had system-level permissions, further investigation may be warranted.
- Implement the Azure Security Benchmark and general best practices for securing identity infrastructure, including:
  - Create conditional access policies to allow or disallow access to the environment based on defined criteria.
  - Block legacy authentication with Azure AD by using Conditional Access. Legacy authentication protocols don't have the ability to enforce MFA, so blocking such authentication methods will prevent password spray attackers from taking advantage of the lack of MFA on those protocols.
  - Enable AD FS web application proxy extranet lockout to protect users from potential password brute force compromise.
- Secure accounts with credential hygiene:
  - Practice the principle of least privilege and audit privileged account activity in your Azure AD environments to slow and stop attackers.
  - Deploy Azure AD Connect Health for AD FS. This captures failed attempts as well as IP addresses recorded in AD FS logs for bad requests via the Risky IP report.
  - Use Azure AD password protection to detect and block known weak passwords and their variants.
  - Turn on identity protection in Azure AD to monitor for identity-based risks and create policies for risky sign-ins.
- Educate users about phishing attempts and MFA fatigue attacks. Encourage users to report unsolicited MFA authentication prompts.
- Review your anomaly detection policies in Defender for Cloud Apps under Microsoft 365 Defender Policies by going to Cloud Apps > Policies > Policy management, then selecting Anomaly detection policy.
Link(s):
https://www.microsoft.com/en-us/sec...password-spray-attacks-from-a-covert-network/