
The Cybersecurity Lair™ • November 4, 2024

Latest News | Storm-0940’s Sophisticated Password Spray Attacks on Global Organisations

Chinese Threat Actors Exploit Compromised Routers for Stealthy Password Attacks

Researchers recently uncovered a sophisticated password spray campaign orchestrated by Chinese threat actors leveraging a compromised network, called CovertNetwork-1658, to steal credentials from Microsoft customers. Using a network of compromised devices, specifically TP-Link SOHO routers, attackers conducted highly evasive attacks targeting organisations in North America and Europe, including government, nonprofit, and private sectors. These credentials were then used by threat actors, such as Storm-0940, to gain unauthorised access to systems.




The technique combines brute-force password guessing with a covert infrastructure built to evade detection. The attackers gained remote access by installing Telnet and xlogin binaries on the compromised routers and deployed a SOCKS5 server on them to form a proxy network. That infrastructure hides the origin of the attempts by rotating source IP addresses, and by limiting guesses to a single attempt per account per day the attackers stay below the thresholds that traditional lockout and alerting rules rely on. Storm-0940 then uses the stolen credentials for follow-on activity, including network scanning, credential dumping, and establishing persistence on the compromised systems.


Key Takeaways:


  • Attack Vector: Password spray attacks using a covert network of compromised TP-Link SOHO routers.
  • Infrastructure Masking: Use of rotating IP addresses and a SOCKS5 proxy network to evade detection.
  • Primary Threat Actor: Storm-0940, targeting North American and European organisations.
  • Post-Attack Actions: Network scanning, credential dumping, installation of persistence tools, and data exfiltration.
  • Mitigation: Recommendations include strengthening password policies, implementing network segmentation, and monitoring for suspicious IP addresses.
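
The "one attempt per account per day" evasion described above defeats per-account lockout rules, but not a tenant-wide view. The following is an added detection example, not code from the original article or from the researchers it cites; it runs over a constructed sign-in log, shows that a per-account threshold never fires, flags the wide-and-shallow failure pattern together with the source addresses involved, and then lists successful sign-ins from those addresses as accounts to reset and review.

```python
from collections import defaultdict

# Constructed sample sign-ins (not real telemetry): "timestamp,user,src_ip,result".
# The spray hits each account once from rotating addresses; alice just mistypes.
SAMPLE_LOG = """\
2024-11-04T08:01:10Z,alice,203.0.113.10,FAIL
2024-11-04T08:03:42Z,bob,203.0.113.11,FAIL
2024-11-04T08:09:05Z,carol,203.0.113.12,FAIL
2024-11-04T08:15:31Z,dave,203.0.113.10,FAIL
2024-11-04T08:22:56Z,erin,203.0.113.13,FAIL
2024-11-04T08:30:14Z,frank,203.0.113.11,FAIL
2024-11-04T09:02:47Z,alice,198.51.100.7,FAIL
2024-11-04T09:02:59Z,alice,198.51.100.7,FAIL
2024-11-04T09:03:20Z,alice,198.51.100.7,SUCCESS
2024-11-04T10:11:00Z,grace,203.0.113.12,SUCCESS
"""

def parse(log):
    for line in log.splitlines():
        ts, user, ip, result = line.split(",")
        yield ts[:10], user, ip, result  # day (YYYY-MM-DD), user, source IP, outcome

def per_account_lockout_alerts(log, threshold=5):
    # Classic per-account rule: a spray making one attempt per account per day never reaches it.
    fails = defaultdict(int)
    for day, user, _ip, result in parse(log):
        if result == "FAIL":
            fails[(day, user)] += 1
    return sorted(user for (_d, user), n in fails.items() if n >= threshold)

def spray_alerts(log, min_accounts=5, max_per_account=2):
    # Tenant-wide rule: many distinct accounts failing only once or twice in a day is the
    # wide-and-shallow spray signature; the source IPs are the proxy network to watch or block.
    stats = defaultdict(lambda: defaultdict(lambda: [0, set()]))  # day -> user -> [fails, ips]
    for day, user, ip, result in parse(log):
        if result == "FAIL":
            stats[day][user][0] += 1
            stats[day][user][1].add(ip)
    alerts = {}
    for day, users in stats.items():
        shallow = {u: ips for u, (n, ips) in users.items() if n <= max_per_account}
        if len(shallow) >= min_accounts:
            alerts[day] = {"accounts": sorted(shallow),
                           "source_ips": sorted(set().union(*shallow.values()))}
    return alerts

def successes_from_spray_sources(log, alerts):
    # A successful sign-in from an address the spray used means a guess worked: reset and review.
    suspect_ips = {ip for a in alerts.values() for ip in a["source_ips"]}
    return [(user, ip) for _d, user, ip, result in parse(log)
            if result == "SUCCESS" and ip in suspect_ips]
```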


This attack highlights the increased sophistication of password spray techniques, using compromised devices and complex infrastructure to evade detection and infiltrate target systems. Organisations need to adopt stronger password policies, employ network segmentation, and use advanced monitoring to identify and mitigate such threats effectively.


Source and further reading.


Mishra, A., & Mishra, A. (2024, November 4). Chinese hackers attacking Microsoft customers with sophisticated password spray attacks. GBHackers Security. https://gbhackers.com/chinese-password-attacks-microsoft/amp/

