Thousands of hacked TP-Link routers being used to hijack Azure accounts

Last week, Microsoft issued a warning that a network of bots (or botnet) is being actively used to carry out advanced password-spraying attacks against users of Microsoft’s Azure cloud computing service. The worst part? It’s been going on for over a year.

As reported by Ars Technica, hackers working for the Chinese government used a botnet — consisting mainly of TP-Link routers, with over 16,000 compromised devices, from around the world — to carry out attacks that hijacked Microsoft Azure accounts.

Password spraying is a type of brute-force attack in which numerous login attempts are made from multiple IP addresses, making it difficult to detect the attacks because each individual device only attempts to log in a few times. With thousands of botnet devices at hand, you can see how effective this method could potentially be.

The Chinese botnet was first discovered in October 2023 by a researcher who named it Botnet-7777. Microsoft officially refers to this botnet as CovertNetwork-1658, and the botnet is still attempting these “highly evasive” attacks to this day, although to a lesser degree — only about 8,000 compromised devices still remain active.

According to Microsoft officials:

“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time. This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.”

Microsoft also stated that Storm-0940 is one of the groups using CovertNetwork-1658, and this group targets think tanks, governmental and non-governmental organizations, and law firms, not just in North America and Europe but other regions as well.

Once an Azure account is compromised, the malicious actors attempt to spread their infection to other parts of the network, exfiltrating data and installing backdoors for continued access.