Chinese hackers have been using a botnet consisting almost entirely of TP-Link routers to attack Microsoft Azure for years.
Hackers with ties to the Chinese government have been attacking Microsoft Azure with a botnet for more than a year. The criminals use the botnet for so-called password spray attacks, in which they repeatedly try passwords against accounts in order to log in.
Rotating IPs
The botnet in question had approximately 16,000 compromised devices at its peak and is said to consist of an average of 8,000 devices. What is striking is that almost all of these devices are TP-Link routers. Security researchers gave the network the name Botnet-7777 because, you guessed it, it is active on port 7777. Microsoft uses a different name: CovertNetwork-1658. Malicious activity has been monitored since August 2023.
The botnet enables password spray attacks despite Microsoft's protection measures. Multiple failed login attempts on an account result in the source IP address being banned, but thanks to the botnet, the Chinese hackers have thousands of different addresses to rotate through. That lets them try far more passwords than a single address ever could.
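Because each router in the botnet sends only a handful of attempts, a per-IP lockout never fires; the pattern only becomes visible when failures are grouped by account and by time window instead of by source address. The following Python script is an added example, not code from the article or from Microsoft: it runs a spray detector over constructed sign-in records (the log format, addresses and user names are invented for the example) and contrasts the result with a classic single-IP brute force, where the per-IP lockout does fire but the spray rule stays silent.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in records for the example (timestamp, user, source IP, result).
# This is NOT a real Azure log format; it only mimics the fields a detector needs.
SAMPLE_SPRAY_LOG = """\
2024-10-01T10:00:01Z alice@example.test 203.0.113.10 FAIL
2024-10-01T10:00:05Z bob@example.test 203.0.113.11 FAIL
2024-10-01T10:00:09Z carol@example.test 203.0.113.12 FAIL
2024-10-01T10:00:13Z dave@example.test 203.0.113.13 FAIL
2024-10-01T10:00:17Z erin@example.test 203.0.113.14 FAIL
2024-10-01T10:00:21Z frank@example.test 203.0.113.15 FAIL
2024-10-01T10:00:25Z grace@example.test 203.0.113.16 FAIL
2024-10-01T10:00:29Z heidi@example.test 203.0.113.17 FAIL
2024-10-01T10:05:00Z alice@example.test 198.51.100.7 OK
2024-10-01T10:06:00Z bob@example.test 198.51.100.8 FAIL
2024-10-01T10:06:30Z bob@example.test 198.51.100.8 OK
"""

# Constructed single-source brute force: one IP hammers one account.
SAMPLE_BRUTE_LOG = """\
2024-10-01T11:00:01Z alice@example.test 203.0.113.99 FAIL
2024-10-01T11:00:02Z alice@example.test 203.0.113.99 FAIL
2024-10-01T11:00:03Z alice@example.test 203.0.113.99 FAIL
2024-10-01T11:00:04Z alice@example.test 203.0.113.99 FAIL
2024-10-01T11:00:05Z alice@example.test 203.0.113.99 FAIL
2024-10-01T11:00:06Z alice@example.test 203.0.113.99 FAIL
"""


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    success: bool


@dataclass
class Finding:
    window_start: datetime
    distinct_accounts: int
    distinct_ips: int
    max_failures_per_ip: int


def parse_log(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        # Accept a trailing 'Z' on older Python versions by rewriting it as an offset.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, user, ip, result == "OK"))
    return events


def ip_lockouts(events: list[Event], threshold: int = 5) -> set[str]:
    """Classic per-IP defence: source addresses whose failures reach the lockout threshold."""
    failures = Counter(e.ip for e in events if not e.success)
    return {ip for ip, n in failures.items() if n >= threshold}


def detect_spray(events: list[Event], window: timedelta = timedelta(minutes=60),
                 min_accounts: int = 5, lockout_threshold: int = 5) -> list[Finding]:
    """Flag windows where many accounts fail while every source IP stays under the lockout line.

    That combination (wide across accounts, shallow per address) is the signature of a
    password spray run through rotating addresses, which per-IP banning cannot see.
    """
    failures = [e for e in events if not e.success]
    if not failures:
        return []
    start = min(e.ts for e in failures)
    buckets: dict[int, list[Event]] = defaultdict(list)
    for e in failures:
        buckets[int((e.ts - start) / window)].append(e)

    findings = []
    for idx, evs in sorted(buckets.items()):
        per_ip = Counter(e.ip for e in evs)
        accounts = {e.user for e in evs}
        busiest_ip = max(per_ip.values())
        if len(accounts) >= min_accounts and busiest_ip < lockout_threshold:
            findings.append(Finding(start + idx * window, len(accounts), len(per_ip), busiest_ip))
    return findings


if __name__ == "__main__":
    for name, log in (("spray", SAMPLE_SPRAY_LOG), ("brute", SAMPLE_BRUTE_LOG)):
        evs = parse_log(log)
        print(name, "lockouts:", ip_lockouts(evs), "spray findings:", detect_spray(evs))
```

The thresholds (`min_accounts`, `lockout_threshold`, the window size) are example values; in practice they are tuned against the tenant's normal failure rate, and the account-centric view is what catches the attack described above, where no individual router ever trips the per-IP ban.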
Unclear infection vector
It is unclear how the hackers initially gain access to the TP-Link devices. Once they have access, they always follow the same steps: they download software to set up remote access (via port 7777) and start a SOCKS5 server on TCP port 11288.
Microsoft says the botnet's attacks have declined somewhat in recent months, but suspects this lull is temporary. Now that the network has become public, the attackers will probably want to reconfigure it and make it anonymous again.
Restart
What you can do as the owner of a TP-Link router is also not entirely clear, as the source of the infections remains a mystery. It appears that the criminals operate exclusively in memory and do not write anything to the device's persistent storage. This means that restarting a device is enough, at least temporarily, to eradicate the attackers. If you have a TP-Link router, scheduling regular restarts is not a bad plan.
Anyone who uses Microsoft Azure can protect themselves in the usual way: use strong passwords that are not already circulating on the dark web, and enable MFA.