- Organisations must remain vigilant, adapting to the landscape of cyber threats to safeguard their sensitive information and infrastructure.
- The botnet conducts stealthy password-spraying attacks against organisations in North America and Europe.
- Microsoft’s findings indicate that the average uptime for these compromised nodes is approximately 90 days, providing ample time for threat actors to execute multiple campaigns with minimal risk of discovery.
Microsoft Threat Intelligence have unearthed a covert Chinese botnet – CovertNetwork-1658 – which utilises compromised TP-Link routers, primarily those employed in small office and home office (SOHO) settings, to conduct stealthy password-spraying attacks against organisations in North America and Europe.
Utilising a strategy characterised by minimal sign-in attempts—averaging only one per account per day—this botnet exemplifies a troubling evolution in cyberattack methodology, emphasising stealth and persistence.
The operational mechanics of CovertNetwork-1658 reveal a highly strategic approach to cyber intrusion. By leveraging thousands of compromised devices, the attackers can obscure their activities among legitimate traffic, making detection extremely challenging.
The botnet operates under the guise of legitimate IP addresses, significantly complicating efforts to trace malicious activity.
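The detection problem this creates is worth making concrete. With one failed sign-in per account per day, arriving from thousands of residential addresses, neither per-account lockout thresholds nor per-IP rate limits ever trigger; the signal only exists in the aggregate. The following is an added example, not Microsoft's code and not part of the original article: a small Python hunt over a constructed sign-in log (hypothetical accounts and documentation IP ranges) that flags a day on which many distinct accounts each failed once or twice from a pool of several source addresses, and reports any account that then succeeded from an address in that pool. The log format, thresholds and function names are assumptions for the example.

```python
"""Hunt for low-and-slow, distributed password spraying in sign-in logs.

Added example, not Microsoft's code.  With one failed attempt per account
per day from a pool of compromised SOHO addresses, per-account lockout
never fires.  The signal lives in the aggregate: many distinct accounts
failing once each, from many source IPs, inside one day, plus any success
that arrives for a sprayed account from an address in that pool.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (hypothetical accounts, documentation IP ranges):
# "<ISO timestamp> <user> <source IP> <FAIL|OK>"
SAMPLE_LOG = """\
2024-10-28T00:14:02Z alice@example.org   203.0.113.10  FAIL
2024-10-28T03:47:19Z bob@example.org     198.51.100.7  FAIL
2024-10-28T06:02:55Z carol@example.org   203.0.113.44  FAIL
2024-10-28T09:31:08Z dave@example.org    192.0.2.91    FAIL
2024-10-28T12:20:40Z erin@example.org    198.51.100.7  FAIL
2024-10-28T15:55:13Z frank@example.org   203.0.113.10  FAIL
2024-10-28T16:10:00Z alice@example.org   203.0.113.10  OK
2024-10-28T17:03:27Z alice@example.org   10.0.0.5      OK
2024-10-29T01:05:00Z bob@example.org     192.0.2.91    FAIL
2024-10-29T08:30:00Z grace@example.org   10.0.0.5      FAIL
2024-10-29T08:30:30Z grace@example.org   10.0.0.5      OK
"""


def parse_events(text):
    """Parse the space-separated format above into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "ok": outcome == "OK",
        })
    return events


def detect_spray(events, min_users=5, max_per_user=2, min_ips=3):
    """Return one finding per calendar day whose failures look like a spray.

    A day qualifies when at least `min_users` distinct accounts failed, no
    single account failed more than `max_per_user` times (so per-account
    lockout never triggers), and the failures came from at least `min_ips`
    distinct source addresses.  The one-day bucket matches the
    one-attempt-per-account-per-day cadence described in the article.
    Any success that day for a sprayed account from an address in the
    failing pool is reported as a probable hit.
    """
    by_day = defaultdict(list)
    for e in events:
        by_day[e["ts"].date()].append(e)

    findings = []
    for day in sorted(by_day):
        day_events = by_day[day]
        failures = [e for e in day_events if not e["ok"]]
        per_user = Counter(e["user"] for e in failures)
        pool = {e["ip"] for e in failures}
        if (len(per_user) < min_users
                or max(per_user.values(), default=0) > max_per_user
                or len(pool) < min_ips):
            continue
        # A success for a sprayed account from a pool address is the alert
        # that matters most: it is the likely point of initial access.
        hits = sorted({e["user"] for e in day_events
                       if e["ok"] and e["user"] in per_user and e["ip"] in pool})
        findings.append({
            "day": day.isoformat(),
            "distinct_users": len(per_user),
            "distinct_ips": len(pool),
            "max_failures_per_user": max(per_user.values()),
            "probable_hits": hits,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample data only the first day is flagged: six accounts, one failure each, four source addresses, and one account that subsequently signed in successfully from a pool address. The second day, with a single mistyped password followed by a success from the same internal address, is ignored. Because the nodes stay online for months, IP reputation lists built from earlier campaigns are of limited use; the thresholds here are tuned to the aggregate shape of the activity rather than to any individual address, and should be calibrated against a tenant's own baseline of failed sign-ins.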
Password spraying
While multiple Chinese threat groups exploit CovertNetwork-1658, the group designated as Storm-0940 appears to be its primary user. These actors target a range of high-profile entities, including think tanks and government organisations, and gain initial access through various methods, including password spraying and brute-force attacks.
The reported tactics of the botnet underscore a broader trend in cyber warfare, where attackers integrate multiple methods to infiltrate networks, followed by lateral movement and the installation of persistent threats such as remote access trojans.
Significantly, after the disclosure of its operations, CovertNetwork-1658 experienced a substantial decline in its activity, with its number of compromised endpoints dropping to a few hundred. However, there are indications that the botnet continues to function, potentially migrating to new infrastructures and tactics to remain under the radar.
Enhanced vigilance needed
Microsoft has noted a resurgence of malicious activity associated with this botnet at the end of October, signalling that the threat is far from neutralised.
In light of these developments, Microsoft urges organisations to bolster their cybersecurity measures. Recommendations include implementing strict authentication policies, such as multi-factor authentication, disabling legacy authentication methods, and exploring passwordless authentication options.
The persistence of CovertNetwork-1658 exemplifies the need for enhanced vigilance and proactive security strategies in an era where cyber threats are increasingly sophisticated and elusive.