Microsoft has reported on CovertNetwork-1658, a China-based hacker group that exploits vulnerabilities in TP-Link routers, primarily in order to use them for guessing other victims' passwords. Once the hackers compromise a router, they install malware and open a command channel on port 7777, then use the routers for password spraying, with each router attempting just 1-2 password guesses per account per day. This method makes it challenging for organizations like Microsoft to detect and block them: these home internet routers often change IP addresses, and blocking a source after a single incorrect password attempt is impractical. Previous reports from research teams at Sekoia and Team Cymru have highlighted this group, leading to a decrease in attacks, though Microsoft anticipates that the threat actors haven't truly ceased their activity but are merely adjusting tactics to avoid detection.
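The paragraph above explains why a one-or-two-guesses-per-router spray slips past the usual per-IP lockout rule. The following Python is an added example (not from the article, Microsoft, or any of the research teams named) showing the defender's side: a per-IP failure threshold that never fires against such traffic, beside an aggregation that looks across all source IPs for a day and flags many low-rate sources spread over many accounts. The log format, the thresholds, and the sample log lines (addresses from the RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Low-and-slow password-spray detection over authentication logs.

Added example, not code from the article or from Microsoft.  A per-IP
lockout never triggers when each compromised router makes only one or
two guesses per account per day, so the detection has to aggregate
failures across source IPs instead of counting per source.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log (hypothetical; addresses from RFC 5737 test ranges).
# One event per line: <ISO-8601 UTC timestamp> <OK|FAIL> <username> <source-ip>
SAMPLE_LOG = """\
2024-10-30T01:12:03Z FAIL alice 203.0.113.10
2024-10-30T02:40:11Z FAIL bob 198.51.100.22
2024-10-30T03:05:49Z FAIL carol 203.0.113.77
2024-10-30T04:18:30Z FAIL dave 192.0.2.14
2024-10-30T05:22:02Z FAIL erin 198.51.100.9
2024-10-30T06:41:15Z FAIL frank 203.0.113.201
2024-10-30T07:02:58Z FAIL alice 192.0.2.250
2024-10-30T08:13:44Z OK alice 10.0.0.5
2024-10-30T09:30:00Z FAIL grace 198.51.100.130
2024-10-30T10:55:19Z FAIL heidi 203.0.113.45
2024-10-30T11:10:37Z FAIL bob 10.0.0.5
2024-10-30T11:11:02Z FAIL bob 10.0.0.5
2024-10-30T11:11:40Z OK bob 10.0.0.5
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, success, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, result, user, ip = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((stamp, result == "OK", user, ip))
    return events


def per_ip_lockout(events, threshold=3):
    """Classic rule: flag any source IP with at least `threshold` failed logins.

    Returns the set of flagged IPs.  Against a spray where every router
    fails once or twice, this set stays empty."""
    failures = Counter(ip for _, ok, _, ip in events if not ok)
    return {ip for ip, n in failures.items() if n >= threshold}


def detect_spray(events, max_per_ip=2, min_ips=5, min_accounts=5):
    """Aggregate failed logins per UTC day across all source IPs.

    A day is flagged when many distinct IPs (>= min_ips) each produce only
    a few failures (<= max_per_ip) and those failures are spread across
    many distinct accounts (>= min_accounts).  An (ip, user) pair that also
    logs in successfully that day is treated as the user's own typo and
    excluded, so ordinary mistakes do not feed the spray signal.
    Returns a list of findings, one dict per flagged day."""
    by_day = defaultdict(list)
    for stamp, ok, user, ip in events:
        by_day[stamp.date()].append((ok, user, ip))

    findings = []
    for day in sorted(by_day):
        day_events = by_day[day]
        succeeded = {(ip, user) for ok, user, ip in day_events if ok}
        fails = [(user, ip) for ok, user, ip in day_events
                 if not ok and (ip, user) not in succeeded]
        per_ip = Counter(ip for _, ip in fails)
        low_rate_ips = {ip for ip, n in per_ip.items() if n <= max_per_ip}
        accounts = {user for user, ip in fails if ip in low_rate_ips}
        if len(low_rate_ips) >= min_ips and len(accounts) >= min_accounts:
            findings.append({
                "day": day.isoformat(),
                "source_ips": len(low_rate_ips),
                "accounts": len(accounts),
                "failures": sum(per_ip[ip] for ip in low_rate_ips),
            })
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP lockout flagged:", per_ip_lockout(evts))   # empty set
    for finding in detect_spray(evts):
        print("possible password spray:", finding)
```

On the sample, the per-IP rule flags nothing (no address reaches three failures), while the day-level aggregation reports nine distinct low-rate sources hitting eight accounts. In a real deployment the same counts would be computed over the identity provider's sign-in logs, and the thresholds tuned to the tenant's normal failure rate; the excluded (ip, user) pair is a deliberate choice to keep a user who mistypes a password twice and then succeeds from counting as a spray source.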
Microsoft discovered that once CovertNetwork-1658 successfully guesses passwords, the Storm-0940 group puts them to further use, which likely indicates a connection between the two. Storm-0940 scans for additional passwords and installs software on the victim's devices. Password spray attacks have become prevalent lately because traditional password guessing is increasingly difficult. Microsoft advises customers to assess their password practices: encourage employees not to reuse passwords, implement two-step login or even adopt passwordless login methods, and configure the security standards on Azure AD for heightened protection.
TLDR: Microsoft details the activities of the CovertNetwork-1658 hacker group exploiting TP-Link router vulnerabilities to launch password spray attacks, prompting a need for enhanced password security measures and configurations on Azure AD.