Microsoft has warned about the threat actor Storm-0940, which uses credentials obtained through password spray attacks launched from a botnet of compromised routers known as Quad7 (tracked by Microsoft as CovertNetwork-1658). The group primarily targets organizations in North America and Europe, including government and defense entities. It is assessed to operate from China, with espionage as the likely objective.
As described in the blog post, “Microsoft tracks a network of compromised small office and home office (SOHO) routers as CovertNetwork-1658. SOHO routers manufactured by TP-Link make up most of this network.”
Once inside a victim’s environment, Storm-0940 has been observed using scanning and credential-dumping tools for lateral movement, installing proxy tools and remote access trojans (RATs) on network devices for persistence, and ultimately attempting to exfiltrate data, using custom malware aimed at several classes of devices.
Microsoft advises organizations to improve credential hygiene and harden cloud identities against password spraying. Key measures include educating users on password security, enforcing multi-factor authentication (MFA), moving toward passwordless methods, and securing Remote Desktop Protocol (RDP) endpoints. Disabling legacy authentication protocols, which cannot complete an MFA challenge, and deploying identity-protection tooling are also recommended. One caveat matters for defenders: because the covert network spreads its guesses across many residential IP addresses and keeps the number of attempts per account low, lockout thresholds and per-IP rate limits alone will rarely trip, so MFA and the removal of legacy authentication carry most of the weight.
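To make the detection caveat concrete, here is an added example (not code from Microsoft or from the original post) that runs two password-spray rules over a small constructed sign-in log. The record format is a simplified, hypothetical CSV stand-in for cloud sign-in logs, the IP ranges are documentation addresses, and the thresholds are illustrative assumptions. A classic per-source rule catches one IP guessing against many accounts, but misses the distributed pattern in which each compromised router makes a single guess against a single account; the second rule looks for many accounts each failing once or twice, from many sources, inside one window.

```python
"""Toy password-spray detector over constructed sign-in records.

Added example for illustration only; not Microsoft's or any vendor's detection
logic. Record shape (ISO time, account, source IP, result) is a constructed
simplification, not a real log schema. Thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    when: datetime
    account: str
    source_ip: str
    success: bool


def parse_line(line: str) -> SignIn:
    """Parse one constructed 'time,account,ip,result' record."""
    when, account, ip, result = line.strip().split(",")
    return SignIn(datetime.fromisoformat(when), account, ip, result == "success")


def spray_by_source(events, min_accounts=10):
    """Classic rule: a single source IP failing against many distinct accounts.
    Returns {ip: distinct_failed_accounts} for sources over the threshold."""
    failed = defaultdict(set)
    for e in events:
        if not e.success:
            failed[e.source_ip].add(e.account)
    return {ip: len(a) for ip, a in failed.items() if len(a) >= min_accounts}


def spray_low_and_slow(events, window=timedelta(hours=24), min_accounts=10,
                       max_failures_per_account=2, min_sources=5):
    """Distributed rule: inside one tumbling window, many accounts each fail
    only once or twice, and those failures come from many distinct sources.
    Accounts with a burst of failures (a user mistyping) are excluded, and a
    single noisy source does not qualify on its own."""
    if not events:
        return []
    events = sorted(events, key=lambda e: e.when)
    hits, start = [], events[0].when
    while start <= events[-1].when:
        end = start + window
        counts, ips = defaultdict(int), defaultdict(set)
        for e in events:
            if start <= e.when < end and not e.success:
                counts[e.account] += 1
                ips[e.account].add(e.source_ip)
        sprayed = {a for a, c in counts.items() if c <= max_failures_per_account}
        sources = set().union(*(ips[a] for a in sprayed)) if sprayed else set()
        if len(sprayed) >= min_accounts and len(sources) >= min_sources:
            hits.append({"window_start": start,
                         "accounts": sorted(sprayed),
                         "sources": len(sources)})
        start = end
    return hits


# Constructed sample log (example.com accounts, RFC 5737 documentation IPs).
SAMPLE_LOG = [
    # a real user mistyping three times, then succeeding: not a spray
    "2024-10-01T08:00:00,alice@example.com,192.0.2.15,failure",
    "2024-10-01T08:01:00,alice@example.com,192.0.2.15,failure",
    "2024-10-01T08:02:00,alice@example.com,192.0.2.15,failure",
    "2024-10-01T08:03:00,alice@example.com,192.0.2.15,success",
] + [
    # classic spray: one source, twelve accounts, one guess each
    f"2024-10-01T08:30:{i:02d},user{i:02d}@example.com,203.0.113.10,failure"
    for i in range(12)
] + [
    # low-and-slow spray: fifteen accounts, one guess each, every guess from
    # a different compromised router spread across the day
    f"2024-10-02T{9 + i:02d}:00:00,staff{i:02d}@example.com,198.51.100.{i + 1},failure"
    for i in range(15)
]


if __name__ == "__main__":
    evts = [parse_line(l) for l in SAMPLE_LOG]
    print("per-source rule:", spray_by_source(evts))
    for hit in spray_low_and_slow(evts):
        print("distributed rule:", hit["window_start"], len(hit["accounts"]),
              "accounts from", hit["sources"], "sources")
```

Run as is, the per-source rule reports only 203.0.113.10, while the distributed rule fires only on the second day, where fifteen accounts each see one failure from fifteen different addresses. Neither rule replaces MFA; the point is that a per-IP threshold tuned for the first pattern is blind to the second.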
Let Otonata’s cybersecurity experts help you navigate and strengthen your defences against evolving threats.
Source: Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network