Microsoft Discovers Chinese Botnets Launching Mass Password Spray Attacks

By Krishi Chowdhary


According to estimates, more than 8,000 compromised devices are active in the network at any given moment.

Microsoft recently discovered a series of password spray attacks orchestrated by a Chinese botnet. The botnet has been identified as Quad7, which uses a sub-group known as CovertNetwork-1658 to launch the attacks. The botnet itself is believed to be controlled by a threat group called Storm-0940.

Note: A botnet is a group of interconnected devices that are infected with malware and controlled by a single operator. They are usually used to attack other devices.

The main purpose of the attack is to break into victims' accounts by password spraying, a technique in which a threat actor tries a single password against many accounts.

Once an account is compromised, the next stage of the attack begins: extracting additional credentials and running remote tools and commands to maintain control over the device.

The attacks mostly target high-level organizations such as NGOs, think tanks, government bodies, defense companies, and law firms.

The total number of victims is not yet known, but an estimated 8,000 compromised devices are active in the network at any given moment. Only 20% of these have been compromised through password spraying.

Neither Storm-0940 nor Quad7 is a new threat. Storm-0940 has been active since 2021 and is known to target its victims with password spraying or brute force attacks. Its victims include both government and non-government entities. Any organization holding confidential data whose leak could cause mass disruption is a potential target for the group.

The botnet Quad7 was discovered more recently. In September this year, a researcher known as Gi7w0rm and experts from Sekoia found that it targets TP-Link routers.

It has since expanded its range to ASUS routers, Ruckus wireless routers, Axentra media servers, and Zyxel VPN endpoints.

All it takes is access to a single, top-level executive's device to bring an entire organization to its knees.

What organizations need now are robust security measures at every level and on every endpoint, so that these threat actors cannot find a way in, along with better monitoring so that such activity is detected as early as possible.
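The monitoring called for above can key on the shape password spraying leaves in authentication logs: one source failing against many distinct accounts, rather than many failures against one account (the brute force shape). The Python below is an added illustration of that detection logic, not code from the article or from Microsoft's report; the log format, IP addresses, usernames and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not from the article): ts, source IP, user, result.
SAMPLE_LOG = """\
2024-10-31T08:00:01 203.0.113.7 alice FAIL
2024-10-31T08:00:09 203.0.113.7 bob FAIL
2024-10-31T08:00:17 203.0.113.7 carol FAIL
2024-10-31T08:00:25 203.0.113.7 dave FAIL
2024-10-31T08:00:33 203.0.113.7 erin FAIL
2024-10-31T08:00:41 203.0.113.7 frank SUCCESS
2024-10-31T08:01:00 198.51.100.2 alice FAIL
2024-10-31T08:01:05 198.51.100.2 alice FAIL
2024-10-31T08:01:10 198.51.100.2 alice FAIL
2024-10-31T08:02:00 192.0.2.9 grace FAIL
2024-10-31T08:02:30 192.0.2.9 grace SUCCESS
"""

def parse_events(text):
    """Parse one event per line into (timestamp, ip, user, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources whose failures inside one `window` hit at least `min_accounts`
    distinct users with at most `max_per_account` failures each (the spray shape;
    brute force is many failures on one account). Thresholds are assumed values.
    Returns {ip: {"accounts": n, "successes": [users that also logged in OK]}}."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, ok in events:
        (successes if ok else failures)[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for t, u in fails[i:]:
                if t - start <= window:
                    per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[ip] = {"accounts": len(per_user),
                              "successes": sorted({u for _, u in successes[ip]})}
                break  # one alert per source is enough
    return alerts
```

On the sample log only 203.0.113.7 is flagged, and the alert lists `frank` as an account that logged in successfully from the same source, which is the hand-off point to the post-compromise stage described above.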
