Microsoft has exposed a new wave of sophisticated password spray attacks led by the Chinese state-sponsored threat actor, Storm-0940, which leverages a botnet called CovertNetwork-1658—also known as Quad7 or xlogin. This botnet infrastructure, comprising thousands of compromised SOHO (Small Office/Home Office) routers, enables highly evasive cyberattacks against Microsoft 365 accounts across sectors in North America and Europe. These attacks target a wide array of entities, including think tanks, government bodies, NGOs, law firms, and defense organizations.
Detailed Attack Mechanism and Botnet Infrastructure
Since at least 2021, Storm-0940 has utilized password spray and brute-force methods to gain unauthorized access to Microsoft 365 environments. The attackers exploit vulnerabilities in routers from brands like TP-Link, Zyxel, NETGEAR, and others to establish backdoors that facilitate continuous access. Once compromised, the routers join the botnet, where the threat actors use a backdoor listening on TCP port 7777 to conduct low-volume, highly targeted password spray attacks.
CovertNetwork-1658 deploys a small number of sign-in attempts across multiple accounts per day to minimize detection, with roughly 80% of accounts only facing a single login attempt daily. This approach reduces the likelihood of triggering traditional security alerts based on high-volume login failures. Furthermore, the attackers rotate through IP addresses, making it challenging for security teams to track them due to the variability and scale of the network. Microsoft estimates around 8,000 compromised routers participate in the botnet at any given time, although only 20% of these devices are actively involved in credential attacks.
Rapid Exploitation and Strategic Coordination
One of the most concerning aspects of Storm-0940’s method is the rapid exploitation of stolen credentials. In numerous cases, Microsoft found that Storm-0940 accessed target networks the same day credentials were harvested, suggesting a well-coordinated operation between the botnet operators and the threat actor. Upon gaining initial access, Storm-0940 proceeds with lateral movement within the network, uses credential dumping tools, and installs remote access trojans (RATs) to ensure persistence. These steps enable the attackers to explore the network further and exfiltrate sensitive data.
Microsoft’s Mitigation Recommendations for Enhanced Security
In response, Microsoft provides a comprehensive set of defensive measures to help organizations protect against these sophisticated password spray attacks:
- Multi-Factor Authentication (MFA): Enforce MFA on every account to significantly reduce the chances of credential compromise. They recommend eliminating any exceptions to MFA and mandating it across all devices, networks, and environments.
- Passwordless Authentication Methods: Cybersecurity advisors should encourage clients to transition to passwordless methods like Azure MFA, Windows Hello for Business, or certificates. By removing traditional passwords, organizations close off the main avenue for password spray attacks.
- Blocking Legacy Authentication: Legacy authentication lacks MFA capabilities, making it an attractive target for attackers. Microsoft advises blocking these protocols through Azure AD Conditional Access policies, a step every cybersecurity company should integrate into client recommendations to prevent unauthorized logins.
- Enhanced Credential Hygiene: Educate users about password security, avoid password reuse, and disable unused accounts. Effective credential hygiene, is a critical component of organizational security and reduces an attacker’s entry points.
- Identity and Access Management Policies: Organizations are advised to leverage Azure AD Conditional Access policies to restrict or allow access based on specific criteria, such as the user’s location or device. This policy-driven access control can significantly hinder unauthorized access.
- Continuous Monitoring and Anomaly Detection: By using Microsoft 365 Defender’s anomaly detection capabilities, organizations can track irregular activity and investigate it immediately. Regular auditing of account activities, especially privileged accounts, ensures that any unauthorized attempts are quickly identified.
- Blocking Known Weak Passwords: Azure AD password protection offers mechanisms to prevent users from setting weak or commonly compromised passwords. This layer of defense strengthens an organization’s overall password policy.
- Securing Remote Access Points: Given that many attacks exploit weaknesses in remote desktop environments, Microsoft advises securing RDP endpoints and Windows Virtual Desktops with MFA. This reduces the potential for attackers to leverage exposed remote access points in their operations.
- Educating Employees on Phishing and MFA Fatigue: Cybersecurity training programs are essential for educating employees about phishing tactics and MFA fatigue attacks. Microsoft suggests encouraging users to report any unsolicited MFA requests or suspicious login prompts.
Shifting Tactics and Future Threats
Microsoft also notes that CovertNetwork-1658’s activity has slightly declined following public exposure, likely indicating that the attackers are adjusting their tactics to evade detection. The threat actors may be acquiring new infrastructure with modified fingerprints to stay under the radar. Although botnet activity has slowed temporarily, Microsoft warns that the attackers could re-emerge with a more extensive and sophisticated infrastructure, posing a renewed threat across multiple sectors and geographic regions.
By implementing these advanced defenses, organizations can bolster their security against password spray attacks. This multi-layered approach not only deters unauthorized access attempts but also fosters a culture of cybersecurity awareness that empowers users to actively defend against evolving threats.