
Last week, Microsoft issued a critical alert about a network of compromised devices, a botnet, that has been conducting password-spraying attacks against users of its Azure cloud service. The activity has continued for more than a year, which shows how hard a distributed, low-rate credential attack is to detect with the per-source-IP controls most organizations rely on.

As reported by Ars Technica, the botnet, made up mostly of compromised TP-Link routers, has encompassed more than 16,000 infected devices worldwide. Hackers affiliated with the Chinese government have used it in coordinated campaigns to hijack Microsoft Azure accounts. Password spraying, the technique used in these attacks, tries a small set of likely passwords against a large number of accounts, staying under the per-account lockout threshold that a brute-force attack on a single account would trip. Routing the attempts through thousands of compromised routers spreads them across many source IP addresses, so each device makes only a handful of login attempts and per-IP rate limits and reputation checks rarely fire.
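The detection problem the paragraph describes can be made concrete with a small log-analysis script. The following is an added example, not code from Microsoft or Ars Technica: it parses a constructed sign-in log (the field layout and IP addresses are invented for illustration) and compares a classic per-IP failure counter, which sees nothing, with a window-based detector that looks for many source IPs hitting many distinct accounts while every IP stays below a small attempt count. It then flags successful sign-ins to sprayed accounts from IPs that had never authenticated those users before the spray began, which is the pattern an analyst would look for when a sprayed password has actually worked.

```python
"""Detect a distributed, low-and-slow password spray across many source IPs.

Added example, not code from Microsoft or Ars Technica. The log format,
field names and addresses below are constructed; adapt parse_log() to a
real Entra ID / Azure sign-in export.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample: five botnet nodes each try one password against two
# accounts, so no single IP exceeds a per-IP lockout or alert threshold.
# One sprayed account (alice) is then accessed from a never-seen IP.
SAMPLE_LOG = """\
2024-10-27T08:00:00Z 10.0.0.5 alice@example.com SUCCESS
2024-10-28T09:00:05Z 203.0.113.10 alice@example.com FAILURE
2024-10-28T09:00:09Z 203.0.113.10 bob@example.com FAILURE
2024-10-28T09:01:12Z 198.51.100.7 carol@example.com FAILURE
2024-10-28T09:01:40Z 198.51.100.7 dave@example.com FAILURE
2024-10-28T09:02:03Z 192.0.2.44 erin@example.com FAILURE
2024-10-28T09:02:30Z 192.0.2.44 frank@example.com FAILURE
2024-10-28T09:03:15Z 203.0.113.55 grace@example.com FAILURE
2024-10-28T09:03:50Z 203.0.113.55 heidi@example.com FAILURE
2024-10-28T09:04:21Z 198.51.100.99 ivan@example.com FAILURE
2024-10-28T09:04:48Z 198.51.100.99 judy@example.com FAILURE
2024-10-28T09:05:30Z 192.0.2.88 alice@example.com SUCCESS
2024-10-28T09:10:30Z 10.0.0.5 alice@example.com SUCCESS
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    success: bool


@dataclass(frozen=True)
class SprayWindow:
    start: datetime
    end: datetime
    ips: frozenset
    users: frozenset


def parse_log(text: str) -> List[Event]:
    """Parse 'timestamp ip user RESULT' lines into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, user, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def per_ip_alerts(events: List[Event], threshold: int = 5) -> Set[str]:
    """Classic control: alert on any IP with >= threshold failed logins.
    A spray that spreads attempts over a botnet never reaches it."""
    failures = Counter(e.ip for e in events if not e.success)
    return {ip for ip, n in failures.items() if n >= threshold}


def find_spray_window(events: List[Event], window: timedelta = timedelta(minutes=15),
                      min_ips: int = 5, min_users: int = 8,
                      max_per_ip: int = 3) -> Optional[SprayWindow]:
    """Slide a window over failures; report the first one where many IPs
    hit many distinct accounts while every IP stays at or below max_per_ip.
    That shape (wide, shallow, distributed) is the spray signature."""
    failures = [e for e in events if not e.success]
    for i, first in enumerate(failures):
        bucket = [e for e in failures[i:] if e.ts - first.ts <= window]
        per_ip = Counter(e.ip for e in bucket)
        users = {e.user for e in bucket}
        if (len(per_ip) >= min_ips and len(users) >= min_users
                and max(per_ip.values()) <= max_per_ip):
            return SprayWindow(first.ts, bucket[-1].ts,
                               frozenset(per_ip), frozenset(users))
    return None


def suspicious_successes(events: List[Event], spray: SprayWindow) -> List[Event]:
    """Successful sign-ins to sprayed accounts, after the spray began, from
    IPs that had never successfully authenticated that user beforehand."""
    baseline: Dict[str, Set[str]] = {}
    for e in events:
        if e.success and e.ts < spray.start:
            baseline.setdefault(e.user, set()).add(e.ip)
    return [e for e in events
            if e.success and e.ts >= spray.start and e.user in spray.users
            and e.ip not in baseline.get(e.user, set())]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP alerts:", per_ip_alerts(evts) or "none")
    w = find_spray_window(evts)
    if w:
        print(f"spray {w.start}..{w.end}: {len(w.ips)} IPs, {len(w.users)} accounts")
        for e in suspicious_successes(evts, w):
            print("possible compromised credential:", e.user, "from", e.ip, "at", e.ts)
```

The thresholds are deliberately parameters: a real tenant needs them tuned against its own baseline, and a production version would use a proper sliding-window store rather than rescanning the failure list from every event. The point is the shape of the query, counting distinct sources and distinct targets per window instead of attempts per source.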

First identified by an independent researcher in October 2023, the botnet was dubbed Botnet-7777; Microsoft tracks it as CovertNetwork-1658. It continues to carry out what Microsoft calls "highly evasive" attacks, though with fewer active devices: roughly 8,000 remain compromised.

In a statement, Microsoft officials emphasized the threat posed by CovertNetwork-1658: “Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time.” That capacity, combined with how quickly compromised credentials are handed off and used by operators, raises the risk of account compromises across many sectors worldwide.

Storm-0940 is one of the primary groups using the CovertNetwork-1658 infrastructure. It targets think tanks, government organizations, and law firms in North America, Europe, and elsewhere. Once an Azure account is compromised, the operators move laterally through the victim's network, exfiltrate sensitive data, and install backdoors for persistent access.