Microsoft recently warned of an ongoing threat involving a botnet that has been conducting password-spraying attacks against its Azure cloud service for over a year. The attack, linked to Chinese government hackers, utilizes a network of more than 16,000 compromised TP-Link routers worldwide to hijack Azure accounts.
Password spraying is a stealthy brute-force method in which attackers distribute their login attempts across many source IP addresses, which makes the activity harder to detect. Although the botnet, initially named Botnet-7777 and now referred to as CovertNetwork-1658 by Microsoft, is still operational, only about 8,000 of its devices remain active.
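Because each source IP in a spray contributes only a handful of failures, per-IP or per-account lockout counters miss it; the signal is many distinct accounts failing within a short window from many IPs, each with few attempts. The detector below is an added illustration (not Microsoft's tooling or detection logic) that runs over constructed sign-in events in a simplified (timestamp, user, source IP, success) form; the threshold values are assumptions to be tuned per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real Azure/Entra logs: (timestamp, user, source_ip, success).
# Six accounts each fail once from six different IPs within two minutes, then one of them succeeds.
SAMPLE_EVENTS = [
    ("2024-10-30T10:00:01", "alice@example.test", "203.0.113.10", False),
    ("2024-10-30T10:00:12", "bob@example.test",   "198.51.100.7", False),
    ("2024-10-30T10:00:25", "carol@example.test", "192.0.2.44",   False),
    ("2024-10-30T10:00:40", "dave@example.test",  "203.0.113.88", False),
    ("2024-10-30T10:00:55", "erin@example.test",  "198.51.100.9", False),
    ("2024-10-30T10:01:10", "frank@example.test", "192.0.2.5",    False),
    ("2024-10-30T10:01:30", "frank@example.test", "192.0.2.5",    True),   # sprayed account compromised
    ("2024-10-30T12:30:00", "alice@example.test", "203.0.113.10", True),   # unrelated legitimate login
]

def detect_password_spray(events, window_minutes=10, min_users=5, max_per_user=2, min_ips=3):
    """Return alerts for windows that look like a spray: many distinct accounts failing,
    few failures per account, and failures spread over many source IPs.
    A classic brute force (one account, many failures, one IP) does not match."""
    parsed = sorted((datetime.fromisoformat(t), u, ip, ok) for t, u, ip, ok in events)
    window = timedelta(minutes=window_minutes)
    alerts = []
    i = 0
    while i < len(parsed):
        start = parsed[i][0]
        bucket = [e for e in parsed if start <= e[0] < start + window]
        fails = defaultdict(int)   # user -> failed attempts in this window
        ips = set()                # distinct source IPs behind those failures
        for _, user, ip, ok in bucket:
            if not ok:
                fails[user] += 1
                ips.add(ip)
        if len(fails) >= min_users and max(fails.values()) <= max_per_user and len(ips) >= min_ips:
            # A success for an account that was sprayed in the same window is the highest-priority signal.
            hits = sorted({u for _, u, _, ok in bucket if ok and u in fails})
            alerts.append({"start": start.isoformat(), "accounts": len(fails),
                           "source_ips": len(ips), "successes": hits})
            # Skip past this window so one spray does not raise dozens of overlapping alerts.
            i = next((j for j, e in enumerate(parsed) if e[0] >= start + window), len(parsed))
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

Feeding the same function a single account failing six times from one IP returns no alert, which is the distinction the thresholds encode.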
Microsoft’s officials highlighted the potential for widespread credential compromise, stating that “any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale.” The group Storm-0940 has been identified as a user of this infrastructure, targeting organizations including think tanks and law firms across multiple regions.
Once attackers gain access to an Azure account, they attempt to move laterally through the victim's network, stealing data and planting backdoors for persistent access. This ongoing threat underscores the need for stronger security controls in cloud services to protect sensitive information.