TP-Link routers abused for years for attacks on Azure by Chinese

Chinese hackers have been using a botnet made up almost exclusively of TP-Link routers to attack Microsoft Azure for years.

Hackers with ties to the Chinese government have been attacking Microsoft Azure with a botnet for more than a year. The criminals use the botnet for so-called password spray attacks, in which they repeatedly try passwords to log in to accounts.

Rotating IPs

The botnet in question counted about 16,000 compromised devices at its peak, and is said to consist of 8,000 devices on average. It is notable that almost all of those devices are routers from TP-Link. Security researchers named the network Botnet-7777 because it operates on, you guessed it, port 7777. Microsoft uses a different name: CovertNetwork-1658. It has been tracking rogue activity since August 2023.

The botnet enables password spray attacks despite Microsoft’s protective measures. Normally, several incorrect login attempts on an account get the originating IP address blocked, but thanks to the botnet the Chinese hackers have thousands of different addresses at their disposal, which they can rotate through. This lets them try far more passwords.
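As an added example (not from the article or from Microsoft’s report), the following Python models the detection problem described above: a per-IP lockout rule that every botnet node stays under, beside an aggregate rule that flags a burst of failures spread across many accounts and many source IPs. The sign-in events, thresholds and window size are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events for illustration, not real Azure sign-in logs:
# (ISO timestamp, account, source IP, login succeeded?)
EVENTS = [
    ("2023-08-01T10:00:00", "alice", "203.0.113.10", False),
    ("2023-08-01T10:02:00", "bob",   "198.51.100.21", False),
    ("2023-08-01T10:03:00", "carol", "203.0.113.33", False),
    ("2023-08-01T10:05:00", "dave",  "198.51.100.8", False),
    ("2023-08-01T10:06:00", "erin",  "192.0.2.77", False),
    ("2023-08-01T10:08:00", "frank", "203.0.113.91", False),
    ("2023-08-01T10:09:00", "grace", "192.0.2.14", False),
    ("2023-08-01T10:11:00", "heidi", "198.51.100.60", False),
    ("2023-08-01T10:12:00", "alice", "10.0.0.5", True),   # legitimate login
    ("2023-08-01T10:15:00", "bob",   "10.0.0.6", True),   # legitimate login
]

PER_IP_LOCKOUT = 5  # assumed failure threshold of a naive per-IP blocking rule
EPOCH = datetime(1970, 1, 1)

def parse(events):
    return [(datetime.fromisoformat(ts), acct, ip, ok) for ts, acct, ip, ok in events]

def blocked_ips(events, threshold=PER_IP_LOCKOUT):
    """IPs a per-IP lockout would block. With one attempt per botnet node,
    nobody crosses the threshold, which is exactly what IP rotation buys."""
    fails = Counter(ip for _, _, ip, ok in parse(events) if not ok)
    return {ip for ip, n in fails.items() if n >= threshold}

def spray_windows(events, window=timedelta(minutes=30), min_accounts=5, max_per_ip=2):
    """Aggregate rule: flag a window where failed logins hit many distinct
    accounts from many distinct IPs while each IP stays under the lockout."""
    buckets = defaultdict(list)
    for t, acct, ip, ok in parse(events):
        if not ok:
            buckets[(t - EPOCH) // window].append((acct, ip))
    hits = []
    for key, fails in sorted(buckets.items()):
        accounts = {acct for acct, _ in fails}
        per_ip = Counter(ip for _, ip in fails)
        if len(accounts) >= min_accounts and max(per_ip.values()) <= max_per_ip:
            hits.append({"window_start": (EPOCH + key * window).isoformat(),
                         "accounts": len(accounts), "source_ips": len(per_ip)})
    return hits

if __name__ == "__main__":
    print("per-IP rule blocks:", blocked_ips(EVENTS) or "nothing")
    print("spray windows:", spray_windows(EVENTS))
```

On the sample data the per-IP rule blocks nothing, while the aggregate rule flags the 10:00 window with eight accounts hit from eight addresses.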

Unclear infection vector

It is unclear how the hackers initially make their way into TP-Link’s devices. Once they gain access, however, they take the same steps each time: they download software to establish remote access (via port 7777) and initialize a SOCKS5 server on TCP port 11288.

Microsoft reports that the botnet’s attacks have abated a bit in recent months, but suspects that this lull is only temporary. Now that the network is coming to public attention, the attackers presumably want to reconfigure it and make it anonymous again.

Reboot

What you can do as the owner of a TP-Link router is also not so clear, as the source of the infections remains a mystery. It does appear that the criminals work exclusively in memory and cannot write to storage. That implies that rebooting a device is at least temporarily sufficient to evict the attackers. If you have a TP-Link router, scheduling such reboots is not a bad idea.

Those on Microsoft Azure can protect themselves in the usual way: make sure you have good passwords that don’t circulate on the dark web, and enable MFA.