2024-11-01 | Breach, Identity, Threat Intelligence

Quad7 botnet-compromised credentials tapped by various Chinese hackers


Numerous Chinese threat groups, including Storm-0940, have been leveraging account credentials stolen in password spray intrusions by the suspected China-based Quad7 botnet, which is also known as CovertNetwork-1658 or xlogin and consists of breached SOHO routers, to facilitate further compromise, BleepingComputer reports.

After Quad7 harvested passwords for targeted systems using only a small number of sign-in attempts per account, a volume chosen to stay below detection thresholds, Storm-0940 immediately used the stolen credentials to breach networks, perform credential dumping, and deploy remote access trojans and proxy tools for persistence, in what appears to be a cyberespionage campaign, according to an analysis from the Microsoft Threat Intelligence team. While Quad7's exact means of breaching SOHO routers remains uncertain, Sekoia researchers previously reported an OpenWRT zero-day vulnerability being used by threat actors against one of their honeypots. "We waited less than a week before observing a notable attack that chained an unauthenticated file disclosure which seems to be not public at this time (according to a Google search) and a command injection," said Sekoia researchers.
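The low-volume password spraying described above is detectable on the identity side even when per-account lockout thresholds are never tripped: the signal is one source failing against many distinct accounts with very few attempts each, optionally followed by a success. The following is an added example, not code from the article, Microsoft or Sekoia; the log format and the sample lines are constructed for this demonstration, and the thresholds (`window`, `min_accounts`, `max_per_account`) are assumptions to tune against your own sign-in telemetry.

```python
"""Detect low-and-slow password spraying from sign-in failure logs.

Added example (not from the article). Flags a source IP that, within a time
window, fails logons against many distinct accounts while never exceeding a
small per-account failure count, and notes whether a success followed.
The log line format below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <result> user=<account> src=<ip>"
# 203.0.113.10 touches eight accounts once each, then succeeds on one;
# 198.51.100.7 is an ordinary user mistyping their own password.
SAMPLE_LOG = """\
2024-10-30T08:00:01Z FAIL user=alice src=203.0.113.10
2024-10-30T08:03:14Z FAIL user=bob src=203.0.113.10
2024-10-30T08:07:52Z FAIL user=carol src=203.0.113.10
2024-10-30T08:12:05Z FAIL user=dave src=203.0.113.10
2024-10-30T08:16:33Z FAIL user=erin src=203.0.113.10
2024-10-30T08:21:40Z FAIL user=frank src=203.0.113.10
2024-10-30T08:25:09Z FAIL user=grace src=203.0.113.10
2024-10-30T08:29:47Z FAIL user=heidi src=203.0.113.10
2024-10-30T08:34:12Z OK   user=heidi src=203.0.113.10
2024-10-30T08:00:30Z FAIL user=alice src=198.51.100.7
2024-10-30T08:00:35Z FAIL user=alice src=198.51.100.7
2024-10-30T08:00:41Z FAIL user=alice src=198.51.100.7
2024-10-30T08:00:50Z OK   user=alice src=198.51.100.7
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        result,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def detect_spray(log_text, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Return {src_ip: {"accounts": [...], "success_after": bool}} for every
    source that, inside `window`, failed against at least `min_accounts`
    distinct accounts with at most `max_per_account` failures on any one of
    them. "success_after" is True if that source later had an OK logon,
    which is the case most worth escalating."""
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        # Slide a window across this source's failures, starting at each one.
        for i, start in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e[0] - start[0] > window:
                    break
                per_user[e[2]] += 1
            wide = len(per_user) >= min_accounts
            shallow = max(per_user.values()) <= max_per_account
            if wide and shallow:
                success_after = any(e[1] == "OK" and e[0] >= start[0] for e in evs)
                findings[src] = {"accounts": sorted(per_user), "success_after": success_after}
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts, "
              f"success afterwards={info['success_after']}")
```

The "wide and shallow" test is the point: a brute force on one account is caught by lockout policy, but a spray is designed to stay under it, so the aggregation has to be per source (or per source ASN, once residential proxy networks like the one described are involved), not per account. Pair the alert with a check for a subsequent successful logon from the same source, since that is the moment the credential becomes usable for the follow-on credential dumping and RAT deployment the article describes.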

