Microsoft Warns of Major Credential Theft by Chinese Hackers Via Covert Network Attacks

Since August last year, Microsoft has identified a surge in intrusion activity with attackers using sophisticated password spray techniques to steal credentials from multiple customers. The company has linked this wave of attacks to a network of compromised devices known as CovertNetwork-1658, also called xlogin and Quad7 (7777).

According to a recent blog by the tech giant, credentials compromised via CovertNetwork-1658 have been used by Chinese hacking groups, including the threat actor Storm-0940. Since at least 2021, Storm-0940 has gained access through password sprays and brute-force attacks, often targeting high-profile entities such as government entities, think tanks, and legal firms across North America and Europe.

CovertNetwork-1658 consists of compromised small office and home office (SOHO) routers, primarily manufactured by TP-Link. Attackers use these compromised routers to obscure the origin of their password spray attempts, a tactic that Microsoft has observed across thousands of IP addresses rotating frequently to evade detection. Microsoft’s analysis shows that around 80% of these attacks are conducted with minimal sign-in attempts per account to bypass monitoring efforts.

In particular, CovertNetwork-1658 has proven challenging for cybersecurity experts to track due to the high volume of compromised devices and their frequent IP address rotation. Microsoft’s data shows that the network peaked in activity but declined after other security vendors, including Sekoia and Team Cymru, publicly exposed its operations earlier this year.

Microsoft has been mitigating the threat by notifying affected clients directly and providing detailed guidance to help secure compromised environments. Additionally, the company has shared several security recommendations to thwart such attacks, including enforcing multi-factor authentication (MFA), adopting passwordless authentication methods, and restricting legacy authentication protocols.

An Expansive Attack Surface

Jason Soroko, Senior Fellow at Sectigo, comments: “While the initial perception might be that Storm-0940’s password spray attacks predominantly target home networks due to the prevalence of remote work, corporate networks remain a significant concern. Many organizations still have employees working remotely full-time or part-time, along with contractors and vendors who require network access. This expansive attack surface increases the likelihood of successful credential compromise.”

He says corporate security teams should recognize the potential impact on their company networks. This malicious actor has demonstrated capability in breaching corporate environments by exploiting weak passwords, highlighting the importance of robust password policies and multi-factor authentication (MFA).

“Additionally, regular employee training on cybersecurity best practices can help mitigate human error-related vulnerabilities,” Soroko adds.

He adds that blocking ports is often used to secure networks against external threats. “However, Storm-0940’s tactics rely not solely on direct network penetration through open ports; they also leverage stolen credentials for lateral movement within breached environments. Therefore, while port blocking remains an essential security measure, it should be complemented by comprehensive strategies such as regular software updates and patch management, strong access controls, and constant monitoring of unusual network activity.”

Targetting Everyday Devices

“The rise of Storm-0940 and its use of the Quad7 botnet serves as yet another reminder that the cybersecurity landscape is evolving,” says Jim Edwards, Senior Director of Engineering at Keeper Security. Bad actors target vulnerabilities in everyday devices like home routers and VPNs to gain a foothold in corporate networks. As remote work remains popular, entities must adopt a comprehensive security strategy beyond traditional defenses.

First, Edwards says it’s key for firms to address the weak credentials that often serve as low-hanging fruit for attackers. “Security teams must implement rigorous password policies, requiring strong and unique passwords for all accounts. Multi-factor authentication (MFA) is essential, adding an extra layer of security that significantly reduces the chances of unauthorized access.

While adopting a zero-trust architecture is an important step, entities should also focus on Privileged Access Management (PAM) to protect sensitive information, he says. “By limiting access to critical systems and continuously monitoring account activity, PAM can help mitigate risks from compromised accounts.”

Edwards also recommends Endpoint Device Management (EDM). “Keeping software updated and ensuring consistent security patching across all environments—cloud and on-premise—helps close off avenues that attackers might exploit. Integrating advanced monitoring tools to provide real-time visibility into network activity is crucial. This enables security teams to detect anomalies early and respond swiftly, preventing minor issues from escalating into major breaches.”