Microsoft recently reported a new threat from Chinese hackers who use a vast network of compromised TP-Link routers and other Internet-connected devices to attack users of its Azure cloud service. The network, known as CovertNetwork-1658, conducts password-spraying attacks: it tries passwords against large numbers of accounts from many different IP addresses, which lets it slip past security controls.
CovertNetwork-1658, which comprises up to 16,000 compromised devices, was first identified by researchers in October 2023. A distinguishing feature is its use of port 7777 to manage the infected devices, which earned it the name Botnet-7777. According to Microsoft, several Chinese hacker groups use the network to compromise Azure accounts, which poses a serious security threat across many sectors.
Researchers note that CovertNetwork-1658 uses hundreds of IP addresses, each active for only a short period of about 90 days. This makes the attacks hard to detect: each IP address makes only a limited number of sign-in attempts, so it rarely trips detection thresholds.
An important component of the attack is the botnet infrastructure itself, which raises the likelihood that an account will be successfully compromised. Microsoft said that compromised credentials are quickly passed from CovertNetwork-1658 to affiliated hacker groups such as Storm-0940. That group targets organizations in North America and Europe, including think tanks, government bodies and defense organizations.
Once they have access to one account, the attackers move laterally through the victim's network, which lets them install additional malware and exfiltrate data.
Microsoft also highlighted how difficult such attacks are to detect. The main techniques used to evade security controls include:
- the use of compromised IP addresses belonging to home routers;
- rotation of IP addresses, which creates the appearance of many unrelated sources;
- a low volume of password-guessing attempts per source, so as not to trigger monitoring systems.
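The three evasion techniques above defeat a per-IP lockout, because no single address ever crosses the threshold. The detection below is an added example (not Microsoft's own logic or code) that instead aggregates failed sign-ins per time window across all source IPs and accounts; the log records, field names and threshold values are constructed assumptions modelled loosely on a cloud identity provider's sign-in log.

```python
"""Low-and-slow password-spray detection over sign-in log records.

Constructed example, not Microsoft's own logic: a per-IP lockout misses a
spray in which every rotating IP makes only a couple of attempts, so the
check aggregates each time window across all source IPs and accounts."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins (timestamp, account, source IP, result):
# 09:xx five rotating IPs, two failures each, one of them then succeeds;
# 10:xx one noisy IP that a plain per-IP threshold already catches.
SAMPLE_EVENTS = [
    ("2024-10-01T09:01:10Z", "alice@example.com", "203.0.113.10", "failure"),
    ("2024-10-01T09:03:42Z", "bob@example.com",   "203.0.113.10", "failure"),
    ("2024-10-01T09:08:05Z", "carol@example.com", "203.0.113.11", "failure"),
    ("2024-10-01T09:12:31Z", "dave@example.com",  "203.0.113.11", "failure"),
    ("2024-10-01T09:17:19Z", "erin@example.com",  "203.0.113.12", "failure"),
    ("2024-10-01T09:21:55Z", "frank@example.com", "203.0.113.12", "failure"),
    ("2024-10-01T09:26:03Z", "alice@example.com", "203.0.113.13", "failure"),
    ("2024-10-01T09:30:47Z", "grace@example.com", "203.0.113.13", "failure"),
    ("2024-10-01T09:35:12Z", "heidi@example.com", "203.0.113.14", "failure"),
    ("2024-10-01T09:39:58Z", "bob@example.com",   "203.0.113.14", "failure"),
    ("2024-10-01T09:44:20Z", "carol@example.com", "203.0.113.14", "success"),
    ("2024-10-01T10:02:00Z", "alice@example.com", "198.51.100.7", "failure"),
]

def _bucket(t, window):
    """Align a timestamp to the start of its fixed-size window."""
    return datetime.min + ((t - datetime.min) // window) * window

def detect_spray(events, window=timedelta(hours=1), max_per_ip=3,
                 min_ips=5, min_users=5):
    """One alert per window whose failures come from >= min_ips IPs, none
    above max_per_ip attempts, against >= min_users accounts; it also names
    accounts that then saw a success from one of those IPs."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, user, ip, result in events:
        start = _bucket(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), window)
        (failures if result == "failure" else successes)[start].append((user, ip))
    alerts = []
    for start in sorted(failures):
        per_ip = Counter(ip for _, ip in failures[start])
        users = {user for user, _ in failures[start]}
        if (len(per_ip) >= min_ips and len(users) >= min_users
                and max(per_ip.values()) <= max_per_ip):
            hit = sorted({u for u, ip in successes[start] if ip in per_ip})
            alerts.append({"window_start": start.isoformat(),
                           "source_ips": len(per_ip), "accounts": len(users),
                           "attempts": sum(per_ip.values()),
                           "likely_compromised": hit})
    return alerts
```

The 09:00 window is flagged (5 IPs, 8 accounts, 10 attempts, carol likely compromised) while the single noisy IP at 10:00 is left to the ordinary per-IP lockout.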
CovertNetwork-1658's activity has recently declined, but this does not mean it has ceased operating. Microsoft believes that the network is expanding its infrastructure