Password spraying is a form of brute-force attack in which the attacker tries a small number of common passwords against many usernames, rather than many passwords against a single account.
Because each account sees only one or two failed attempts, the attack stays under the per-account lockout thresholds that defeat conventional brute forcing, and the failures blend into the normal background of mistyped passwords.
Microsoft Threat Intelligence recently reported that a Chinese threat actor has been compromising Microsoft customers with highly evasive password spray attacks of exactly this kind.
Chinese Hackers Attacking Microsoft Customers
Since August 2023, the Chinese threat actor that Microsoft tracks as "Storm-0940" has been stealing credentials from Microsoft customers through password spray attacks launched from a network of compromised small office/home office (SOHO) routers, most of them made by TP-Link.
Microsoft tracks this network as "CovertNetwork-1658" (also known as "xlogin" and "Quad7").
The operators exploit vulnerabilities in the routers to gain remote code execution, then install a Telnet binary, the "xlogin" backdoor, and a SOCKS5 proxy server, with the implants listening on TCP ports 7777 and 11288; the proxies are what turn each router into a relay node for the spraying traffic.
The spraying itself is built to evade detection: CovertNetwork-1658 submits only a handful of sign-in attempts per account (typically a single attempt per account per day), spreads those attempts across thousands of rotating source IP addresses, and cycles its nodes so that each compromised router stays in the network for an average of about 90 days before being replaced.
The credentials harvested this way were then used by Storm-0940 against high-profile organizations across North America and Europe, including:
- Government bodies
- Think tanks
- NGOs
- Law firms
- Defense industrial base companies
After security vendors including Sekoia and Team Cymru publicly exposed the network in mid-2024, use of the original infrastructure dropped sharply.
Microsoft assesses, however, that the operators are likely rebuilding the network with modified fingerprints so that the operation can continue.
Microsoft's telemetry shows CovertNetwork-1658 maintaining an average of about 8,000 compromised devices active at any given time, roughly 20% of which are conducting password spraying at any moment.
Storm-0940 turns the stolen credentials around quickly: in several cases Microsoft observed a sprayed password being used to log in to the target on the same day it was obtained.
The spray attempts also carry a small, fixed set of browser identifiers (User-Agent strings), all presenting as "Mozilla/5.0" on Windows 10 and claiming to be Chrome or Internet Explorer, which gives defenders a useful pivot for hunting even though the source IPs keep changing.
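The pattern described at the top of this article (few attempts per account, many accounts) and the infrastructure just described (rotating source IPs, a handful of reused User-Agent strings) are exactly what a detection has to account for. The following is an added example, not Microsoft's detection logic: it runs three checks over a constructed set of Entra-style sign-in records. The records mimic the field names of Microsoft Entra sign-in logs; the account names, the TEST-NET IP addresses and the User-Agent strings are invented. It shows that a per-account lockout catches the classic brute force but not the spray, that a per-IP check is defeated by IP rotation, and that keying on the User-Agent across the whole fleet recovers the spray.

```python
"""Password-spray detection over Entra-style sign-in records.

Added example, not Microsoft's own detection logic. The records are
constructed to resemble Microsoft Entra sign-in log fields; account names,
the TEST-NET IP addresses and the User-Agent strings are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 (constructed)"
BRUTE_UA = "Mozilla/5.0 (X11; Linux x86_64) python-requests (constructed)"
LEGIT_UA = "Mozilla/5.0 (Macintosh) Safari/605.1 (constructed)"
SPRAY_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]  # rotating relay nodes
BASE = datetime(2024, 10, 1, 2, 0)
INVALID_CREDENTIALS = 50126  # Entra error code for a wrong password


def _event(user, ip, ua, error_code, when):
    return {"createdDateTime": when.isoformat(), "userPrincipalName": user,
            "ipAddress": ip, "userAgent": ua, "status": {"errorCode": error_code}}


SIGNINS = []
# Spray: 12 accounts, exactly one failed attempt each, source IP rotating per attempt.
for i in range(12):
    SIGNINS.append(_event(f"user{i:02d}@example.com", SPRAY_IPS[i % 3], SPRAY_UA,
                          INVALID_CREDENTIALS, BASE + timedelta(minutes=7 * i)))
# Classic brute force: one account hammered from one IP within a few minutes.
for i in range(12):
    SIGNINS.append(_event("bob@example.com", "192.0.2.5", BRUTE_UA,
                          INVALID_CREDENTIALS, BASE + timedelta(seconds=20 * i)))
# Legitimate noise: a typo followed by a successful sign-in from the same user.
SIGNINS.append(_event("user03@example.com", "192.0.2.99", LEGIT_UA,
                      INVALID_CREDENTIALS, BASE + timedelta(hours=6)))
SIGNINS.append(_event("user03@example.com", "192.0.2.99", LEGIT_UA,
                      0, BASE + timedelta(hours=6, minutes=1)))


def failed(events):
    return [e for e in events if e["status"]["errorCode"] != 0]


def locked_accounts(events, threshold=10, window=timedelta(minutes=15)):
    """Accounts a per-account lockout policy (`threshold` failures inside
    `window`) would lock. A spray stays under this limit by design."""
    by_user = defaultdict(list)
    for e in failed(events):
        by_user[e["userPrincipalName"]].append(datetime.fromisoformat(e["createdDateTime"]))
    locked = set()
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                locked.add(user)
                break
    return locked


def spray_by_ip(events, min_users=5, max_per_user=2):
    """Per-source-IP check: IPs whose failures are spread thinly over many accounts.
    Returns {ip: distinct_accounts}. Rotating IPs keep each node below min_users."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in failed(events):
        per_ip[e["ipAddress"]][e["userPrincipalName"]] += 1
    return {ip: len(users) for ip, users in per_ip.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user}


def spray_by_user_agent(events, min_users=8, min_ips=2, max_per_user=2):
    """Fleet-wide check keyed on User-Agent: the nodes change IP but, as
    Microsoft observed, the spray traffic reuses a handful of UA strings.
    Returns {ua: {"users": n, "ips": m}} for each suspicious UA."""
    per_ua = defaultdict(lambda: {"users": defaultdict(int), "ips": set()})
    for e in failed(events):
        bucket = per_ua[e["userAgent"]]
        bucket["users"][e["userPrincipalName"]] += 1
        bucket["ips"].add(e["ipAddress"])
    return {ua: {"users": len(b["users"]), "ips": len(b["ips"])}
            for ua, b in per_ua.items()
            if len(b["users"]) >= min_users and len(b["ips"]) >= min_ips
            and max(b["users"].values()) <= max_per_user}


if __name__ == "__main__":
    print("per-account lockout catches:", locked_accounts(SIGNINS))
    print("per-IP spray check catches:", spray_by_ip(SIGNINS))
    print("per-UA spray check catches:", spray_by_user_agent(SIGNINS))
```

With the defaults, the lockout check flags only bob's account, the per-IP check flags nothing because each relay node touched only four accounts, and the User-Agent check surfaces the spray (12 accounts, 3 source IPs, one failure each). In production the UA key would be combined with a tenant-wide baseline of "accounts with exactly one failure per day", since an actor can just as easily rotate User-Agent strings as IPs.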
Once Storm-0940 has a foothold in a target's network through the sprayed credentials, the intrusion follows a consistent pattern:-
- Credential dumping tools are run to harvest further credentials and move laterally.
- Proxy tools and remote access trojans (RATs) are installed to maintain persistent access.
- Sensitive data is then exfiltrated from the compromised organization.
The victims span multiple sectors and geographic regions.
Recommendations
Microsoft's recommendations for defending against this activity:-
- Educate users on credential hygiene: unique passwords for every service, no password reuse, and awareness of phishing and of MFA-fatigue (repeated push-prompt) attacks.
- Enforce multifactor authentication (MFA) on every account and remove all exclusions; an excluded account is exactly what a spray will eventually find.
- Move to passwordless authentication (for example FIDO2 security keys or Windows Hello for Business) wherever the platform supports it, so there is no password to spray.
- Require MFA for RDP and virtual desktop access, which are common destinations for sprayed credentials.
- Disable legacy authentication protocols, which cannot enforce MFA, and block them with Conditional Access policies in Microsoft Entra ID (formerly Azure AD).
- Use Conditional Access policies to require MFA and to restrict sign-ins by device, location and risk level.
- Use cloud identity security tooling, including Microsoft Entra ID Protection, to monitor sign-in risk and detect credential theft.
- Disable unused accounts, and reset the passwords of any accounts known to have been targeted.
- Apply the identity controls of the Azure Security Benchmark.
- Enable extranet lockout on AD FS to blunt brute-force and spray attempts against federated sign-in, and monitor AD FS with Azure AD Connect Health (now Microsoft Entra Connect Health).
- Follow least privilege and audit privileged accounts regularly.
- Block weak and commonly sprayed passwords with Azure AD Password Protection (now Microsoft Entra Password Protection).
- Review the anomaly detection policies in Microsoft Defender so that spray-like sign-in patterns raise alerts.
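Two items in that list, blocking legacy authentication and removing MFA exclusions, are the ones most often left half-done, and both can be checked mechanically from a policy export. The following is an added example, not Microsoft tooling: it audits a constructed list of policies shaped like the Microsoft Graph `conditionalAccessPolicy` objects returned by `GET /identity/conditionalAccess/policies`. The policy display names and the user, group and application ids are invented; the field names, state values and `clientAppTypes` values follow the Graph schema.

```python
"""Audit a Conditional Access policy export for the two gaps a password spray
exploits: legacy authentication left open, and MFA policies with exclusions.

Added example, not Microsoft tooling. POLICIES is constructed to mirror the
shape of Microsoft Graph `conditionalAccessPolicy` objects as returned by
GET /identity/conditionalAccess/policies; display names and ids are invented.
"""
import copy

# Graph clientAppTypes values that carry legacy (non-modern) authentication.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

POLICIES = [
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["11111111-2222-3333-4444-555555555555"],    # invented break-glass account id
                      "excludeGroups": ["66666666-7777-8888-9999-000000000000"]},  # invented service-account group id
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for RDP gateway",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]},  # invented app id
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# Same tenant, but the legacy-auth block narrowed to ActiveSync only: "other"
# (IMAP, POP, SMTP AUTH, older Office clients) is left open to spraying.
WEAKENED = copy.deepcopy(POLICIES)
WEAKENED[0]["conditions"]["clientAppTypes"] = ["exchangeActiveSync"]


def _enabled(p):
    return p["state"] == "enabled"


def _users(p):
    return p["conditions"]["users"]


def _controls(p):
    return set(p.get("grantControls", {}).get("builtInControls", []))


def legacy_auth_blocked(policies):
    """True only if an enforced policy blocks both legacy client app types for
    all users and all cloud apps with no exclusions. Anything weaker leaves a
    path that cannot prompt for MFA, which is what a spray needs."""
    for p in policies:
        if not _enabled(p) or "block" not in _controls(p):
            continue
        apps = set(p["conditions"].get("clientAppTypes", []))
        u = _users(p)
        if (("all" in apps or LEGACY_CLIENT_APPS <= apps)
                and u.get("includeUsers") == ["All"]
                and p["conditions"]["applications"].get("includeApplications") == ["All"]
                and not u.get("excludeUsers") and not u.get("excludeGroups")):
            return True
    return False


def mfa_exclusions(policies):
    """Excluded users and groups on every enforced MFA policy: each one is an
    account a sprayed password alone can log in to."""
    out = {}
    for p in policies:
        if _enabled(p) and "mfa" in _controls(p):
            u = _users(p)
            excluded = list(u.get("excludeUsers", [])) + list(u.get("excludeGroups", []))
            if excluded:
                out[p["displayName"]] = excluded
    return out


def report_only(policies):
    """Policies in report-only mode enforce nothing, however good they look."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabledForReportingButNotEnforced"]


def audit(policies):
    findings = []
    if not legacy_auth_blocked(policies):
        findings.append("legacy authentication is not blocked tenant-wide")
    for name, excluded in mfa_exclusions(policies).items():
        findings.append(f"MFA policy '{name}' excludes {len(excluded)} principal(s): {excluded}")
    for name in report_only(policies):
        findings.append(f"policy '{name}' is report-only and enforces nothing")
    return findings


if __name__ == "__main__":
    for finding in audit(POLICIES):
        print("-", finding)
```

Against the constructed tenant the audit reports the two MFA exclusions and the report-only RDP policy; against the weakened copy it also reports that legacy authentication is not blocked. A break-glass account exclusion is usually legitimate, but it should then be covered by a separate policy restricting it to known locations and by alerting on any sign-in, which this check does not verify.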