Chinese threat actor Storm-0940 has been stealing credentials from Microsoft customers by leveraging the Quad7 botnet to launch highly-evasive password spray attacks on a broad cross-section of organizations in Europe and North America.
In an October 31 blog post, Microsoft Threat Intelligence said Storm-0940 has been active since at least 2021 and typically obtains access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services.
Microsoft said as many as 8,000 compromised devices are estimated to be active in the network at any given time, although just 20% of those devices run the password spray attacks.
Research posted on Sept. 9 by Sekoia reported that the Quad7 botnet operators tend to compromise several brands of SOHO routers and VPN appliances, including TP-LINK, Zyxel, Asus, Axentra, D-Link, and Netgear, using multiple vulnerabilities—some of which are previously unknown.
For security pros, these attacks brought to light how even with the pandemic mostly in the rearview mirror, organizations still depend on remote workers -- and attackers will prey on home and remote workers who may not be following best security practices.
While the initial perception might be that Storm-0940's password spray attacks are predominantly targeting home networks because of the prevalence of remote work, corporate networks remain a significant concern, said Jason Soroko, senior fellow at Sectigo. Soroko said many organizations still have employees working remotely full-time or part-time, along with contractors and vendors who require network access.
“This expansive attack surface increases the likelihood of successful credential compromise,” said Soroko. “Corporate security teams should not overlook the potential impact on their organizational networks. Storm-0940 has demonstrated capability in breaching corporate environments by exploiting weak passwords, underscoring the importance of robust password policies and multi-factor authentication. Additionally, regular employee training on cybersecurity best practices can help mitigate human error-related vulnerabilities.”
The rise of Storm-0940 and its use of the Quad7 botnet serves as yet another reminder attackers are increasingly targeting vulnerabilities in everyday devices, such as home routers and VPNs, to infiltrate corporate networks, said Jim Edwards, senior director of engineer at Keeper Security. Edwards said as remote work remains common, organizations must adopt a comprehensive security strategy that goes beyond traditional defenses.
“It’s critical for organizations to address the weak credentials that often serve as low-hanging fruit for attackers,” said Edwards. “Security teams must implement rigorous password policies, requiring strong and unique passwords for all accounts: MFA is essential: it adds an extra layer of security that significantly reduces the chances of unauthorized access.”