Introduction
Based on reports from Microsoft Storm-0940 has been seen using compromised routers to route traffic for their password spray attacks. This helps to hide the true origin IP of the password spray attack. This threat actor is referred to as CovertNetwork-1658, xlogin and Quad7 (7777) in various threat reports by different vendors.
How they do it
Initial Access is gained by exploiting vulnerable TP-Link routers to gain RCE.
A Telnet binary from a FTP server is downloaded.
xlogin backdoor binary is downloaded onto the device.
A shell is started on the compromised device.
Socks5 server is downloaded.
Traffic is routed via the infected device.
Threat Actor TTP’s
After compromising the network TA was seen scanning the internal networks.
Installing Remote Access Toolkit.
In a few cases Data exfiltration was well.
Detection
Below are User Agent Strings observed in the password spray activity:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/80.0.3987.149 Safari/537.36Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Prevention
If you're a Small company use regular patching cycles for your edge devices. An easy way to do this is by using vulnerability scanners.
Check the egress traffic from your edge devices for any abnormal traffic patterns.
Automate updates for routers.
Remove the management console from the internet.
Comments