A new cyber threat is apparently looming over Western government organizations, which have ended up in the crosshairs of a Chinese botnet dubbed “Quad7”: according to a report published by Microsoft, a group of hackers has already begun carrying out a series of attacks that are particularly dangerous and difficult to counter.
According to the security experts of the Redmond giant, the intrusion activity attributed to “Storm-0940” is trying to undermine the defenses of numerous organizations in the Western world for espionage purposes. To do this, the Chinese hackers are apparently exploiting the “password spray” technique, i.e. trying a small set of common passwords against a large number of accounts in order to break through the protections placed around the sensitive data stored by the targeted groups.
The goal of the attackers, once they have overcome their victims’ defenses, is to establish a permanent foothold on the compromised systems and harvest information. Microsoft reported that, based on the data in its possession, government bodies, think tanks, non-profit organizations and NGOs, law firms and industrial groups associated with defense were targeted by “Storm-0940”.
Redmond security experts explain that the hackers, who rely on the CovertNetwork-1658 infrastructure, are proceeding with great skill and without overreaching, so as not to attract too much attention: “In around 80% of the cases examined, they try to make only one connection for each targeted account every 24 hours to avoid being noticed,” the researchers declared. Operating with the headlights off has often helped the attackers evade the main systems for detecting computer intrusions.
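As an added illustration (not part of the article or of Microsoft's report) of why this pacing slips past per-account lockout thresholds, the detector below looks for a source that fails against many distinct accounts over a multi-day window while never exceeding one attempt per account per day. The log format, account names and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data):
# "<ISO timestamp> <account> <source_ip> <FAIL|OK>"
SAMPLE_LOG = """\
2024-10-01T02:10:00 alice 203.0.113.10 FAIL
2024-10-01T02:12:00 bob 203.0.113.10 FAIL
2024-10-01T02:15:00 carol 203.0.113.10 FAIL
2024-10-02T02:11:00 dave 203.0.113.10 FAIL
2024-10-02T02:14:00 erin 203.0.113.10 FAIL
2024-10-03T02:09:00 frank 203.0.113.10 FAIL
2024-10-01T09:00:00 alice 198.51.100.7 FAIL
2024-10-01T09:00:05 alice 198.51.100.7 FAIL
2024-10-01T09:00:10 alice 198.51.100.7 FAIL
2024-10-01T09:01:00 alice 198.51.100.7 OK
"""

def parse(log):
    """Turn the constructed log into (timestamp, account, source_ip, result) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def low_and_slow_spray(events, window_days=7, min_accounts=5, max_per_account_per_day=1):
    """Return {source_ip: sorted distinct accounts} for sources that fail against at
    least min_accounts distinct accounts inside the window while never exceeding
    max_per_account_per_day failures against any one account on any calendar day.
    A classic "N failures per account per hour" rule never fires on this pattern."""
    # source_ip -> account -> calendar day -> failure count
    fails = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    cutoff = max(e[0] for e in events) - timedelta(days=window_days)
    for ts, user, ip, result in events:
        if result == "FAIL" and ts >= cutoff:
            fails[ip][user][ts.date()] += 1
    flagged = {}
    for ip, per_user in fails.items():
        if len(per_user) < min_accounts:
            continue  # too few accounts touched to look like a spray
        paced = all(n <= max_per_account_per_day
                    for days in per_user.values() for n in days.values())
        if paced:
            flagged[ip] = sorted(per_user)
    return flagged

if __name__ == "__main__":
    print(low_and_slow_spray(parse(SAMPLE_LOG)))
```

Because a botnet of compromised routers spreads the attempts over many source addresses, the same aggregation is worth running keyed on the whole tenant or on the source's ISP rather than on a single IP.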
“Quad7”, a botnet so named because it mainly uses port 7777, was first identified by the researcher Gi7w0rm and the Sekoia team. Initially the target was only TP-Link routers, but the weapons at its disposal have expanded considerably in recent times: now ASUS routers, Zyxel VPN access points, Ruckus wireless routers and Axentra media servers are also at risk. For each of the devices mentioned above, the cybercriminals have created ad hoc malware, developing several insidious clusters: these, named after variants of the term “login” such as xlogin, ylogin or qlogin, differ from each other in size, depending on whether or not they contain a large number of infected devices.
Speed is the key to the hackers’ strategy: the moment they identify a valid access key, they enter the infected device and install RAT (remote access trojan) and proxy tools. The advice of Microsoft experts is to carry out an investigation if you use one of the routers targeted by “Storm-0940” in your network.