
Microsoft Warns of CovertNetwork-1658 Password Spray Attacks

Researchers are warning of a network of compromised routers, which is maintained by a threat actor in China.

Since August, Chinese threat actors have been targeting and successfully stealing credentials from multiple Microsoft customers through what Microsoft researchers describe as “highly evasive” password spray attacks.

Behind the password spray attacks is a network of compromised small office and home office devices, the majority of which are manufactured by TP-Link. Microsoft categorized this network as CovertNetwork-1658, which “specifically refers to a collection of egress IPs that may be used by one or more Chinese threat actors and is wholly comprised of compromised devices.”

Key Details:

  • The network is maintained by a threat actor in China, which exploits vulnerabilities in the routers to pave the way for remote code execution

  • After gaining access to vulnerable routers, the threat actor takes several steps to prepare the routers for password spray operations: “CovertNetwork-1658 is observed conducting their password spray campaigns through this proxy network to ensure the password spray attempts originate from the compromised devices,” said researchers

  • CovertNetwork-1658 is tough to monitor because it operates from compromised router IP addresses, rotates through them (the average uptime of a CovertNetwork-1658 node is around 90 days) and keeps the volume of password spray attempts low, said researchers

  • The credentials gathered from CovertNetwork-1658 password spray operations are used by multiple threat actors in various campaigns
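The monitoring problem described above is that each compromised router makes only a few attempts, so a per-IP lockout rule never fires. The following is an added illustration, not code from the article or from Microsoft: a classic per-source rule beside a tenant-wide rule that counts distinct accounts and distinct sources per day, run over a constructed log. The log format, field names and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample log (not real telemetry), format "timestamp user source_ip result":
# no IP fails more than twice, yet six accounts are probed from five addresses in one day.
SPRAY_LOG = """\
2024-10-01T02:14:05Z alice 203.0.113.11 failure
2024-10-01T03:40:51Z bob 203.0.113.27 failure
2024-10-01T05:02:19Z carol 198.51.100.8 failure
2024-10-01T07:55:44Z dave 198.51.100.8 failure
2024-10-01T10:31:02Z erin 192.0.2.77 failure
2024-10-01T13:08:37Z frank 192.0.2.140 failure
"""
# Constructed benign noise: one user mistyping a password twice from one office IP.
NOISE_LOG = """\
2024-10-01T09:00:01Z alice 10.0.0.5 failure
2024-10-01T09:00:09Z alice 10.0.0.5 failure
"""

def parse_log(text):
    """Turn log lines into (datetime, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def per_source_lockout_hits(events, threshold=5):
    """Classic per-IP rule: sources with at least `threshold` failures. A spray that keeps
    each compromised router under the threshold never shows up here."""
    fails = Counter(ip for _, _, ip, result in events if result == "failure")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def detect_low_volume_spray(events, min_accounts=5, min_sources=5, max_per_source=3):
    """Tenant-wide rule: per UTC day, flag failures touching many accounts from many
    sources while no single source exceeds `max_per_source` attempts."""
    by_day = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            by_day[ts.date()].append((user, ip))
    alerts = []
    for day, fails in sorted(by_day.items()):
        accounts = {user for user, _ in fails}
        per_source = Counter(ip for _, ip in fails)
        busiest = max(per_source.values())
        if (len(accounts) >= min_accounts and len(per_source) >= min_sources
                and busiest <= max_per_source):
            alerts.append({"day": day.isoformat(), "accounts": len(accounts),
                           "sources": len(per_source), "max_attempts_per_source": busiest})
    return alerts
```

Against the spray log the per-IP rule returns nothing while the tenant-wide rule raises one alert; against the noise log only the per-IP rule (with a low threshold) fires, which is the separation a defender wants.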

Why It Matters: While several Chinese threat actors have been observed using the stolen passwords from this network, Microsoft researchers pointed to one group in particular: Storm-0940. The group has been active since 2021 and is known to target government organizations, NGOs, law firms, defense industrial base organizations and more in North America and Europe. 

Microsoft observed Storm-0940 in multiple cases using CovertNetwork-1658 credentials - and in some cases, using credentials that had been obtained from the network on the same day. After using the credentials to gain initial access, the threat actor would then use various scanning and credential dumping tools for lateral movement, access network devices, install RATs and exfiltrate data.

“This quick operational hand-off of compromised credentials is evidence of a likely close working relationship between the operators of CovertNetwork-1658 and Storm-0940,” said researchers.

The Big Picture: This research sheds more light on the activity associated with this network of routers, which has previously been covered by researchers at Sekoia in July and Team Cymru in August. While the usage of the CovertNetwork-1658 network declined significantly after these blogs were published, “Microsoft assesses that CovertNetwork-1658 has not stopped operations as indicated in recent activity but is likely acquiring new infrastructure with modified fingerprints from what has been publicly disclosed,” according to Microsoft.

“An observed increase in recent activity may be early evidence supporting this assessment,” said researchers.

The Next Steps: Microsoft said it has notified the targeted or compromised customers directly. In its post, Microsoft shared mitigation recommendations and detection information, as well as information to help organizations investigate any related malicious activity.