Thousands of TP-Link Routers Breached in Extended Account Takeover Assaults

# The Emergence of Botnet-7777: An Increasing Danger in Password Spraying Incidents

Recently, cybersecurity experts and leading tech firms have been raising concerns about a new and highly stealthy botnet being deployed in password-spraying attacks. Named **Botnet-7777**, this nefarious network is mainly made up of compromised Internet of Things (IoT) devices, including routers and cameras, and is associated with cyberattacks carried out by state-sponsored actors from China. The botnet poses a substantial risk to organizations, especially those utilizing Microsoft’s Azure cloud services, as it facilitates extensive password-spraying operations that are hard to detect.

## What is Botnet-7777?

Botnet-7777 was initially discovered in October 2023 by cybersecurity researchers who found a network encompassing over 16,000 compromised devices, predominantly **TP-Link routers**. The botnet takes its name from the port on which its malware exposes a service, **port 7777**, a hallmark that has helped researchers track its activity.

The botnet is distributed globally, meaning that affected devices are located in various regions, complicating efforts to identify and dismantle it. At its highest point, Botnet-7777 controlled more than 16,000 devices, but recent assessments indicate this number has fallen to around 8,000 devices. Nevertheless, this decrease in quantity does not signify a reduction in activity; rather, it seems the botnet is adapting and acquiring new infrastructure with altered fingerprints to bypass detection.

## What is Password Spraying?

Password spraying is a variant of brute-force attacks where cybercriminals seek to gain unauthorized access to accounts by testing a limited number of frequently used passwords across many accounts. Unlike standard brute-force attacks that target a single account with numerous password attempts, password spraying disperses the login attempts across various accounts to avoid activating security measures like account lockouts.

In the context of Botnet-7777, the botnet leverages its extensive network of compromised devices to send login attempts from diverse IP addresses. This distributed tactic makes it challenging for security systems to identify the attack, as each individual device only performs a few login attempts, remaining below the detection threshold of conventional intrusion detection systems.

## How Botnet-7777 Functions

Reports from **Microsoft** and other cybersecurity organizations indicate that Botnet-7777 is being utilized by several Chinese threat actors to target **Azure accounts**. The botnet’s capacity for avoiding detection hinges on several critical elements:

1. **Exploitation of Compromised SOHO IP Addresses**: The botnet primarily utilizes IP addresses from small office/home office (SOHO) devices, which are less prone to being marked as malicious by security systems.

2. **IP Address Rotation**: The botnet uses a rotating array of IP addresses, complicating efforts to block or blacklist particular IPs. Typically, a compromised device remains part of the botnet for about 90 days before being substituted with a new device.

3. **Minimal Attack Volume**: The password-spraying attacks conducted by the botnet are characterized by low volume, meaning each device executes only a few login attempts. This mitigates the likelihood of detection by systems that keep track of multiple failed login attempts from a single IP address.

These strategies enable the botnet to carry out large-scale password-spraying campaigns while staying undetected for prolonged durations. Microsoft has cautioned that the botnet’s operators can swiftly transfer compromised credentials to Chinese threat actors, allowing them to access multiple organizations rapidly.
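The two passages above (the definition of password spraying, and the three traits that let Botnet-7777 stay under per-IP lockout thresholds) describe exactly the pattern a detection rule has to key on: many distinct accounts failing, each from a different source, with every single IP and every single account staying under the limits a conventional lockout rule watches. The following Python is an added example written for this article, not code from Microsoft or from any of the researchers cited; the log format, the field layout and every account and address in it are constructed sample data (RFC 5737 test ranges), and the thresholds are assumptions to be tuned against a real sign-in source. It buckets failed sign-ins into 30-minute windows and flags a window when the breadth of accounts tried is wide while per-IP and per-account failure counts are low.

```python
"""Detect low-and-slow, distributed password spraying in sign-in logs.

Added example with constructed data and a hypothetical log format, not a
tool or data set from the article. Each line is:
    <ISO 8601 UTC timestamp> <RESULT> <user> <source ip>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (no real accounts or addresses).
# Window A (08:00-08:30): one failed attempt per account, each from a
#   different SOHO-style source IP, i.e. the spray pattern described above.
# Window B (09:00-09:30): a single user mistyping a password twice, then
#   succeeding, i.e. ordinary user error that must not alert.
SAMPLE_LOG = """\
2024-11-01T08:00:01Z FAIL alice@example.com 203.0.113.10
2024-11-01T08:02:14Z FAIL bob@example.com 203.0.113.11
2024-11-01T08:05:40Z FAIL carol@example.com 198.51.100.7
2024-11-01T08:09:03Z FAIL dave@example.com 198.51.100.8
2024-11-01T08:12:55Z FAIL erin@example.com 192.0.2.21
2024-11-01T08:17:30Z FAIL frank@example.com 192.0.2.22
2024-11-01T08:21:12Z FAIL grace@example.com 203.0.113.12
2024-11-01T08:26:48Z OK   heidi@example.com 203.0.113.13
2024-11-01T09:03:10Z FAIL ivan@example.com 198.51.100.50
2024-11-01T09:03:25Z FAIL ivan@example.com 198.51.100.50
2024-11-01T09:03:41Z OK   ivan@example.com 198.51.100.50
"""


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, result, user, ip


def detect_spray(log_text: str, window=timedelta(minutes=30),
                 min_accounts: int = 5, max_per_ip: int = 3, max_per_user: int = 2):
    """Return one finding per time window that looks like a distributed spray.

    A window is flagged when failed sign-ins touch at least `min_accounts`
    distinct accounts while no single source IP exceeds `max_per_ip` failures
    and no single account exceeds `max_per_user` failures. That combination is
    what a per-IP lockout rule misses: every IP stays under its threshold, but
    the population of accounts tried is far wider than normal user error.
    Threshold defaults are assumptions for the sample data.
    """
    failures_by_window = defaultdict(list)
    for raw in log_text.strip().splitlines():
        stamp, result, user, ip = parse_line(raw)
        if result != "FAIL":
            continue
        # Fixed windows aligned to the epoch: 30-minute buckets start at :00 and :30 UTC.
        bucket = int(stamp.timestamp() // window.total_seconds())
        failures_by_window[bucket].append((user, ip))

    findings = []
    for bucket in sorted(failures_by_window):
        events = failures_by_window[bucket]
        per_user = Counter(u for u, _ in events)
        per_ip = Counter(i for _, i in events)
        if (len(per_user) >= min_accounts
                and max(per_ip.values()) <= max_per_ip
                and max(per_user.values()) <= max_per_user):
            findings.append({
                "window_start": datetime.fromtimestamp(
                    bucket * window.total_seconds(), tz=timezone.utc),
                "accounts_tried": len(per_user),
                "source_ips": len(per_ip),
                "max_failures_per_ip": max(per_ip.values()),
            })
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG):
        print(f"possible spray from {f['window_start']:%Y-%m-%d %H:%M}Z: "
              f"{f['accounts_tried']} accounts, {f['source_ips']} IPs, "
              f"at most {f['max_failures_per_ip']} failure(s) per IP")
```

Run against the sample, only the 08:00 window is reported (seven accounts, seven IPs, one failure each); the 09:00 window, where one user fails twice from one address, stays quiet. The rule deliberately pivots on account breadth rather than per-IP volume, because the three evasion traits listed above (clean SOHO addresses, 90-day rotation, a handful of attempts per device) are all aimed at per-IP counters. In a real deployment the window should be widened and the account threshold set relative to the tenant's normal failure rate, since a campaign this slow may spread its attempts over hours rather than minutes.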

## The Involvement of Chinese Threat Actors

One of the factions utilizing Botnet-7777 is monitored by Microsoft under the designation **Storm-0940**. This group has been connected to cyberattacks aimed at think tanks, governmental bodies, non-governmental organizations (NGOs), legal firms, and defense contractors in North America and Europe. Once they breach an Azure account, the attackers seek to navigate laterally within the network, exfiltrate sensitive information, and deploy remote access trojans (RATs) for sustained access.

Microsoft has documented several occurrences in which Storm-0940 secured valid credentials through Botnet-7777’s password-spraying initiatives. In some instances, the group employed compromised credentials on the same day they were obtained, highlighting a close operational relationship between the botnet operators and the threat actors.

## How Are Devices Being Exploited?

Although the precise method of infection for the devices in Botnet-7777 remains unclear, researchers have pinpointed a recurring pattern of actions taken post-infection. The following steps are generally noted:

1. **Acquisition of Telnet Binary**: The attackers download a Telnet binary to the infected device from a remote File Transfer Protocol (FTP) server.

2. **Acquisition of xlogin Backdoor**: Subsequently, the attackers download an xlogin backdoor binary from the