Microsoft Azure Users Targeted By Advanced Password Spray Attacks

Recent reports have revealed that a sophisticated botnet, dubbed CovertNetwork-1658 by Microsoft, has been used by Chinese threat actors to execute highly evasive password spray attacks targeting Microsoft Azure cloud service users. These attacks leverage a vast network of compromised devices to gain unauthorized access to accounts, posing significant risks to organizations across multiple sectors.

The Botnet: CovertNetwork-1658 (Botnet-7777)

Initially documented by researchers in October 2023, the botnet, referred to as Botnet-7777, comprised more than 16,000 compromised devices at its peak. These devices, predominantly TP-Link routers, expose the botnet's malicious service on port 7777. By July and August 2024, security researchers from Team Cymru and Sekoia.io confirmed that the botnet remained operational, though its size had decreased to an estimated 8,000 devices. The persistence of the botnet highlights its robustness and continued threat.

The botnet enables password spraying, a brute-force technique in which login attempts against targeted accounts are sent from a wide range of IP addresses. Because each compromised device makes only a few attempts, the campaign stays below the per-source thresholds that standard detection mechanisms rely on, making it highly evasive and difficult for targeted services to identify and block.
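To make the evasion concrete from the defender's side, the following added example (not from the original article, and not Microsoft's or SentryBay's code) runs two detection rules over constructed, simplified sign-in records: a classic per-IP failure threshold, which the distributed spray slips under, and a tenant-wide rule that counts distinct accounts and distinct source IPs failing within one window, which catches it. The log format, addresses and account names are assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified sign-in records (timestamp, account, source IP, outcome).
# Every source IP makes at most one or two attempts, as in a distributed spray.
SAMPLE_LOG = """\
2024-10-31T10:00:01Z,alice@example.com,203.0.113.10,failure
2024-10-31T10:00:07Z,bob@example.com,203.0.113.11,failure
2024-10-31T10:00:13Z,carol@example.com,198.51.100.20,failure
2024-10-31T10:00:19Z,dave@example.com,198.51.100.21,failure
2024-10-31T10:00:25Z,erin@example.com,192.0.2.30,failure
2024-10-31T10:00:31Z,frank@example.com,192.0.2.31,failure
2024-10-31T10:00:37Z,alice@example.com,192.0.2.32,failure
2024-10-31T10:00:43Z,grace@example.com,198.51.100.22,failure
2024-10-31T10:00:55Z,heidi@example.com,203.0.113.13,success
2024-10-31T11:30:00Z,alice@example.com,203.0.113.10,success
"""

def parse(log):
    """Turn the CSV-style records into (datetime, user, ip, outcome) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, outcome = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return events

def per_ip_lockout(events, threshold=5):
    """Classic per-source rule: flag IPs with at least `threshold` failures."""
    failures = defaultdict(int)
    for _, _, ip, outcome in events:
        if outcome == "failure":
            failures[ip] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)

def detect_spray(events, window=timedelta(minutes=10), min_users=5, min_ips=5):
    """Tenant-wide rule: many distinct accounts failing from many distinct IPs in one
    window, however few attempts each IP makes. Returns (start, users, ips) or None."""
    fails = sorted((ts, u, ip) for ts, u, ip, o in events if o == "failure")
    for i, (start, _, _) in enumerate(fails):
        in_win = [f for f in fails[i:] if f[0] - start <= window]
        users = {u for _, u, _ in in_win}
        ips = {ip for _, _, ip in in_win}
        if len(users) >= min_users and len(ips) >= min_ips:
            return start, len(users), len(ips)
    return None

def successes_during_spray(events, start, window=timedelta(minutes=10)):
    """Accounts that signed in successfully while the spray window was open."""
    return sorted({u for ts, u, _, o in events
                   if o == "success" and timedelta(0) <= ts - start <= window})
```

On the sample data the per-IP rule returns nothing, while the tenant-wide rule flags the window and points at the one account that succeeded during it as the first credential to investigate.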

Microsoft’s Findings: Scale and Impact

In October 2024, Microsoft reported that CovertNetwork-1658 had been employed by multiple Chinese threat actors in account takeover campaigns. These attackers utilize compromised credentials to infiltrate Azure accounts and escalate their activities within targeted networks. Once inside, they perform lateral movement, data exfiltration, and the installation of remote-access trojans (RATs).

One group identified as using the botnet, Storm-0940, regularly targets high-value organizations such as think tanks, government agencies, NGOs, law firms, and defense entities across North America and Europe. Microsoft emphasized that the botnet’s operational agility—combining the quick turnover of stolen credentials with extensive infrastructure—enables it to compromise accounts across diverse industries and geographic locations.

The reports from July and August 2024 by Team Cymru and Sekoia.io further demonstrated the botnet’s sophisticated tactics. By spreading login attempts across thousands of devices, the campaign maintained a low detection profile, frustrating traditional defenses and allowing attackers to scale their operations effectively.

Mitigation Challenges

Although the botnet’s malware often resides in volatile memory, meaning it can be removed through a simple reboot, this solution is temporary. Devices remain susceptible to reinfection if underlying vulnerabilities are not addressed. Moreover, the increasing sophistication of these attacks raises concerns about the sufficiency of traditional defense mechanisms like multi-factor authentication (MFA), which can be bypassed in certain cases.

Enhancing Security Posture With ‘Clean Keyboard’ Approach

The password spray attacks on Azure highlight the need for advanced security measures to protect privileged accounts and critical systems. Tim Royston-Webb, CEO of SentryBay, stresses the importance of adopting a “clean keyboard” approach for Privileged Access Workstations (PAWs). This strategy involves limiting access to sensitive systems and encrypting entry points, such as keyboards, to prevent credential theft at its source.

“Data breaches like these demonstrate that defensive postures alone are insufficient. As seen with this attack, spreading login attempts across thousands of devices can bypass MFA, exposing accounts. Protecting the point of entry, the keyboard, will complete the security layer necessary to reduce the risk of exposure,” Royston-Webb said.

The Importance of Robust Defensive Measures

The attacks on Microsoft Azure accounts underscore the growing threat of botnet-enabled password spraying campaigns, particularly those orchestrated by nation-state actors. The persistence of CovertNetwork-1658, as evidenced by reports in July, August, and October 2024, illustrates the evolving threat landscape and the need for constant vigilance.

To mitigate risks, organizations must adopt proactive measures, including:

  • Implementing Privileged Access Workstations with encrypted inputs.
  • Regularly monitoring account activity and enforcing strong credential hygiene.
  • Addressing vulnerabilities in IoT devices and ensuring timely patching.

The need for comprehensive, multi-layered security has never been more pressing as adversaries refine their techniques to exploit even minor weaknesses in modern cloud ecosystems. SentryBay’s Armored Client, the core OEM technology behind Citrix App Protection, has been established as a proven defense against infostealer malware for Microsoft AVD and W365 endpoints. This solution leverages endpoint access isolation to deliver robust protection without compromising performance. It provides advanced safeguards against keystroke logging, screen scraping, and malicious DLL injection attacks.