Microsoft revealed that the Quad7 botnet is believed to be operating from China, with some threat actors exploiting compromised routers to steal credentials through password spray attacks.
“Microsoft assesses that credentials obtained from password spray operation CovertNetwork-1658 were used by multiple Chinese threat actors,” Microsoft said in a new report.
“Specifically, Microsoft has observed Chinese threat actor Storm-0940 using credentials from CovertNetwork-1658,” the company continued.
Microsoft said the threat actor was not aggressive when carrying out password spray attacks, trying to log in only a few times per account, possibly to avoid triggering security alerts.
“In this campaign, CovertNetwork-1658 sent a small number of sign-in attempts to many accounts at the target organization,” Microsoft said.
“In approximately 80 percent of cases, CovertNetwork-1658 only makes one login attempt per account per day,” the company continued.
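The pattern Microsoft describes (a few attempts per account, spread over many accounts) slips under per-account failure thresholds, so detection has to aggregate across accounts. The following sketch is an added example, not code from Microsoft's report; the log records, field layout, source addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict

def sample_events():
    """Constructed sign-in records: (day, account, source_ip, success)."""
    events = [("2024-01-01", f"user{i:02d}@example.com", f"198.51.100.{i + 1}", False)
              for i in range(40)]                       # one failure per account
    # Ordinary noise: one user mistypes a password three times, then succeeds.
    events += [("2024-01-01", "alice@example.com", "203.0.113.7", False)] * 3
    events += [("2024-01-01", "alice@example.com", "203.0.113.7", True)]
    events += [("2024-01-02", "bob@example.com", "203.0.113.9", False)]
    return events

def failures_by_day(events):
    """day -> account -> list of source IPs of failed sign-ins."""
    table = defaultdict(lambda: defaultdict(list))
    for day, account, ip, success in events:
        if not success:
            table[day][account].append(ip)
    return table

def per_account_alerts(events, threshold=5):
    """Lockout-style rule: N failures on one account in a day (assumed N=5)."""
    return sorted((day, acct) for day, accts in failures_by_day(events).items()
                  for acct, ips in accts.items() if len(ips) >= threshold)

def spray_alerts(events, min_accounts=20, max_per_account=2):
    """Flag days where many accounts each saw only a few failed sign-ins."""
    alerts = []
    for day, accts in sorted(failures_by_day(events).items()):
        low = {a: ips for a, ips in accts.items() if len(ips) <= max_per_account}
        if len(low) >= min_accounts:
            alerts.append({"day": day, "accounts": len(low),
                           "source_ips": len({ip for ips in low.values() for ip in ips}),
                           "single_attempt_share": round(
                               sum(len(ips) == 1 for ips in low.values()) / len(low), 2)})
    return alerts

if __name__ == "__main__":
    print("per-account rule:", per_account_alerts(sample_events()))
    print("cross-account rule:", spray_alerts(sample_events()))
```

On the constructed data the per-account rule stays silent while the cross-account rule flags the day with 40 single-attempt failures.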