Last week, Microsoft issued a warning that a network of bots (or botnets) is being actively used to carry out advanced password-spraying attacks against users of the Microsoft Azure cloud computing service. The worst part? This has been going on for over a year now.
As he reports Ars Technicahackers linked to the Chinese government used a botnet—consisting mostly of TP-Link routers, with more than 16,000 compromised devices worldwide—to carry out attacks and take over Microsoft Azure accounts.
Password spraying is a type of brute-force attack in which a large number of login attempts are made from multiple IP addresses, making it difficult to detect the attack because each individual device attempts to log in only a few times. With thousands of devices in the botnet, it’s clear how potentially effective this method can be.
The Chinese botnet was first discovered in October 2023 by a researcher who named it Botnet-7777. Microsoft officially calls it CovertNetwork-1658, and this botnet continues to carry out these “highly covert” attacks, albeit to a lesser extent – only around 8,000 compromised devices are currently active.
According to Microsoft officials:
“Any attacker using the CovertNetwork-1658 infrastructure could perform password spraying attacks at scale and greatly increase the likelihood of successfully compromising credentials and initial access to multiple organizations in a short period of time. This volume, combined with the rapid operational transfer of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential compromise of accounts across multiple sectors and geographies.”
Microsoft also stated that Storm-0940 is one of the groups using CovertNetwork-1658 and that this group is targeting research centers, governmental and non-governmental organizations, as well as law firms, not only in North America and Europe, but also in other regions.
When an Azure account is compromised, malicious actors attempt to spread their infection to other parts of the network, exfiltrating data and installing backdoors to continue access.
The post Thousands of hacked TP-Link routers used to hack Microsoft Azure accounts appeared first on ITNetwork.
Source: www.itnetwork.rs
