Source URL: https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/
Source: Microsoft Security Blog
Title: Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network
Feedly Summary: Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the source of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658, also known as xlogin and Quad7 (7777). Microsoft is […]
AI Summary and Description: Yes
**Summary:** The text details a significant intrusion activity highlighted by Microsoft, where a covert network known as CovertNetwork-1658 has been involved in advanced password spray attacks. These attacks allow threat actors, particularly a Chinese group named Storm-0940, to steal credentials, gain unauthorized access, and exploit various organizations. The article emphasizes the need for heightened security measures, including multi-factor authentication and improved credential hygiene, to mitigate these risks.
**Detailed Description:**
The provided text outlines a series of malicious activities attributed to a network of compromised devices tracked as CovertNetwork-1658, suspected to be orchestrated by Chinese threat actors, specifically Storm-0940. Key points from the text include:
– **CovertNetwork-1658 Overview**:
  – A network primarily composed of compromised small office and home office (SOHO) routers, mostly TP-Link devices.
  – Used by threat actors to launch password spray attacks, which are initiated from a rotating set of many IP addresses to avoid detection.
– **Threat Actor Operations**:
  – Microsoft has connected Storm-0940 with the exploitation of credentials obtained through these password spray attacks.
  – Targeted sectors include governmental and non-governmental organizations, law firms, and defense entities in North America and Europe.
– **Attack Methodology**:
  – Initial access is gained via password spray attacks that make a very small number of sign-in attempts per account (often just one per day), spread across many different accounts.
  – Once a foothold is established, the actors can engage in activities such as scanning networks for vulnerabilities, installing backdoors, and exfiltrating data.
– **Mitigation Recommendations**:
  – Educating users on credential hygiene and avoiding password reuse.
  – Enforcing multi-factor authentication (MFA) and considering a transition to passwordless authentication methods.
  – Implementing strict monitoring and conditional access policies within cloud environments (e.g., Azure).
– **Detection Strategies**:
  – Using Microsoft’s security tools to identify suspicious activity indicating credential misuse, including anomalous sign-in properties and failed sign-in attempts from multiple locations.
  – Suggested advanced hunting queries are provided to help organizations detect potential Storm-0940 activity in their environment.
– **Public Awareness and Threat Evolution**:
  – Microsoft notes a decline in CovertNetwork-1658 activity following public exposure of its tactics, suggesting the operators may have transitioned to new infrastructure.
  – Historical data on the compromised devices and patterns of attack illustrates the persistence and adaptability of these threat actors.
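As an added illustration (not code from the Microsoft report or its hunting queries), the following Python sketches how the low-and-slow pattern summarized above could be surfaced from sign-in logs: many accounts, one or two failures each, from several rotating source IPs, followed by a success for a sprayed account from one of those IPs. The event format, thresholds and sample data are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    """One sign-in log record (constructed shape, not a real product schema)."""
    ts: datetime
    user: str
    src_ip: str
    success: bool


def detect_low_and_slow_spray(events, min_accounts=8, max_per_account=2, min_ips=4):
    """Flag days whose failed sign-ins look like a distributed password spray:
    many distinct accounts, very few attempts each, from several source IPs.
    For each flagged day, also list successes for sprayed accounts coming from
    a spraying IP, since that is the credential-misuse signal to escalate first."""
    by_day = defaultdict(list)
    for e in events:
        by_day[e.ts.date()].append(e)
    findings = []
    for day, evs in sorted(by_day.items()):
        failures = [e for e in evs if not e.success]
        per_account = Counter(e.user for e in failures)   # failures per target account
        spray_ips = {e.src_ip for e in failures}          # rotating source set
        if (len(per_account) >= min_accounts
                and max(per_account.values(), default=0) <= max_per_account
                and len(spray_ips) >= min_ips):
            hits = [e for e in evs
                    if e.success and e.user in per_account and e.src_ip in spray_ips]
            findings.append({
                "day": day,
                "accounts": len(per_account),
                "source_ips": len(spray_ips),
                "suspicious_successes": [(e.user, e.src_ip) for e in hits],
            })
    return findings


def sample_events():
    """Constructed sample data: one spray day, then a single-account brute force."""
    ips = [f"203.0.113.{i}" for i in range(1, 6)]  # TEST-NET-3 placeholder addresses
    d1 = datetime(2024, 10, 1, 2, 0)
    spray = [SignIn(d1.replace(minute=i), f"user{i:02d}", ips[i % 5], False) for i in range(12)]
    success = SignIn(datetime(2024, 10, 1, 9, 30), "user03", ips[3], True)
    # Next day: twelve failures against one account from one IP; not a spray, so not flagged.
    brute = [SignIn(datetime(2024, 10, 2, 4, i), "user03", "198.51.100.7", False) for i in range(12)]
    return spray + [success] + brute
```

Thresholds should be tuned to the tenant's normal failure volume; the brute-force day is deliberately left unflagged because a different rule (many failures on one account) covers it.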
Overall, the communication underscores the increasing complexity and sophistication of cyber threats, particularly from nation-state actors, and the critical need for continuous improvement in security protocols to defend against such incursions. The recommendations serve as actionable steps for security and compliance professionals to bolster defenses in their organizations.