Numerous Chinese threat groups, including Storm-0940, have been leveraging account credentials obtained through password spray attacks by the suspected China-based Quad7 botnet, also known as CovertNetwork-1658 or xlogin and made up of compromised SOHO routers, to facilitate further compromise, BleepingComputer reports.
Quad7 obtains targeted accounts' passwords using only a small number of sign-in attempts per account, a low-volume approach meant to evade detection. Once it does, Storm-0940 immediately uses the credentials to breach the network, dump further credentials, and deploy remote access trojans and proxy tools to maintain persistence, in what appears to be cyberespionage activity, according to an analysis by the Microsoft Threat Intelligence team. How Quad7 compromises SOHO routers in the first place remains uncertain, although Sekoia researchers previously observed threat actors exploiting an OpenWRT zero-day vulnerability against one of their honeypots. "We waited less than a week before observing a notable attack that chained an unauthenticated file disclosure which seems to be not public at this time (according to a Google search) and a command injection," the Sekoia researchers said.
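The detection problem the article raises is that a spray making one or two attempts per account never trips a per-account lockout counter. The following is an added example, not code from BleepingComputer, Microsoft or Sekoia: it runs two spray detectors over a constructed authentication log (the log format and every line in it are invented for illustration) and then reports any flagged source that went on to authenticate successfully, which is the point at which a guessed credential needs to be reset.

```python
"""Flag low-volume password spraying in authentication logs.

Added example; the log format and all sample lines are constructed.
A spray tries a few passwords against many accounts, so per-account
lockout counters never trip. The signal is a source touching many
accounts with few failures each, or a fleet of sources that each make
only a handful of attempts but together cover many accounts.
"""
import re
from collections import defaultdict

# Constructed format: "<timestamp> auth_<success|failure> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth_(?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one single-source spray that lands on 'erin', one
# plain brute force against 'admin', one distributed spray from four
# low-volume sources, one benign login, and one malformed line.
SAMPLE_LOG = """\
2024-11-01T02:00:01Z auth_failure user=alice src=198.51.100.7
2024-11-01T02:00:09Z auth_failure user=bob src=198.51.100.7
2024-11-01T02:00:17Z auth_failure user=carol src=198.51.100.7
2024-11-01T02:00:25Z auth_failure user=dave src=198.51.100.7
2024-11-01T02:00:33Z auth_failure user=erin src=198.51.100.7
2024-11-01T02:05:40Z auth_success user=erin src=198.51.100.7
2024-11-01T02:10:00Z auth_failure user=admin src=203.0.113.9
2024-11-01T02:10:01Z auth_failure user=admin src=203.0.113.9
2024-11-01T02:10:02Z auth_failure user=admin src=203.0.113.9
2024-11-01T02:10:03Z auth_failure user=admin src=203.0.113.9
2024-11-01T02:10:04Z auth_failure user=admin src=203.0.113.9
2024-11-01T03:00:00Z auth_failure user=frank src=203.0.113.20
2024-11-01T03:00:10Z auth_failure user=grace src=203.0.113.20
2024-11-01T03:01:00Z auth_failure user=heidi src=203.0.113.21
2024-11-01T03:01:10Z auth_failure user=ivan src=203.0.113.21
2024-11-01T03:02:00Z auth_failure user=judy src=203.0.113.22
2024-11-01T03:02:10Z auth_failure user=frank src=203.0.113.22
2024-11-01T03:03:00Z auth_failure user=mallory src=203.0.113.23
2024-11-01T03:03:10Z auth_failure user=grace src=203.0.113.23
2024-11-01T03:30:00Z auth_success user=alice src=198.51.100.42
not a log line at all
"""


def parse(lines):
    """Yield a dict per well-formed line; skip anything that does not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def failures_by_source(events):
    """Build {src: {user: failure_count}} from auth_failure events only."""
    table = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["result"] == "failure":
            table[ev["src"]][ev["user"]] += 1
    return table


def detect_spray(events, min_accounts=5, max_per_account=3):
    """Single-source spray: many accounts, few failures per account.

    A brute force (many failures against one account) fails the
    min_accounts test and is deliberately not reported here.
    """
    hits = {}
    for src, per_user in failures_by_source(events).items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            hits[src] = sorted(per_user)
    return hits


def detect_distributed_spray(events, max_failures_per_source=4, min_sources=3, min_accounts=5):
    """Botnet-style spray: each source stays quiet, the fleet does not.

    Keeps only sources whose total failures stay at or under
    max_failures_per_source and reports when enough of them together
    cover enough distinct accounts. Returns None when nothing qualifies.
    """
    low_volume = {}
    for src, per_user in failures_by_source(events).items():
        if sum(per_user.values()) <= max_failures_per_source:
            low_volume[src] = set(per_user)
    accounts = set().union(*low_volume.values())
    if len(low_volume) >= min_sources and len(accounts) >= min_accounts:
        return {"sources": sorted(low_volume), "accounts": sorted(accounts)}
    return None


def successes_from_spray_sources(events, spray_sources):
    """(src, user) pairs where a flagged source failed first and then succeeded."""
    seen_failure = set()
    hits = []
    for ev in events:
        if ev["src"] not in spray_sources:
            continue
        if ev["result"] == "failure":
            seen_failure.add(ev["src"])
        elif ev["src"] in seen_failure:
            hits.append((ev["src"], ev["user"]))
    return sorted(hits)


def analyze(lines):
    """Run both detectors and list credentials the spray appears to have guessed."""
    events = list(parse(lines))
    spray = detect_spray(events)
    return {
        "spray": spray,
        "distributed": detect_distributed_spray(events),
        "compromised": successes_from_spray_sources(events, set(spray)),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The thresholds are arbitrary starting points and should be tuned against the tenant's own baseline. The useful property of `detect_distributed_spray` is that it looks at the fleet rather than any one source, which is what a router botnet making a single attempt per account per bot defeats in per-source rules; the `compromised` list is the set of accounts to reset first.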