16,000 Infected TP-Link Routers: How Chinese Hackers Bypass Azure Security

Microsoft recently reported a new threat from Chinese hackers who are leveraging a vast network of infected TP-Link routers and other internet-connected devices to attack users of the Azure cloud service. This network, known as CovertNetwork-1658, actively conducts password-spraying attacks: passwords are guessed through mass login attempts spread across many different IP addresses, so that no single source stands out to security systems.

The CovertNetwork-1658 network, which includes up to 16,000 compromised devices, was first discovered by researchers in October 2023. A key feature of this network is the use of port 7777 to control infected devices, which is why it’s also called Botnet-7777. According to Microsoft, several Chinese hacker groups use this network to compromise Azure accounts, posing a serious security threat across various sectors.

Experts estimate that CovertNetwork-1658 uses hundreds of IP addresses, each active for only a short period of about 90 days. This makes the attacks difficult to detect, as each IP address makes only a limited number of login attempts, reducing the chance of being flagged by security systems.

An important component of this attack is the botnet infrastructure, which increases the likelihood of successfully hacking accounts. Microsoft stated that much of the compromised data is instantly shared between CovertNetwork-1658 and affiliated hacker groups, such as Storm-0940. This group targets organizations in North America and Europe, including think tanks, government agencies, and defense institutions.

After gaining access to an account, attackers use lateral movement within the network to install additional malware and exfiltrate data.

How Hackers Bypass Security Systems

Microsoft also highlighted the challenges in detecting these attacks. The main methods used to bypass security systems include:

  • Using compromised IP addresses from home routers
  • Rotating IP addresses to create the illusion of many different sources
  • Limiting the number of password attempts to avoid triggering monitoring systems
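As an added example (not code from Microsoft's report or this article), the following Python shows why the low-attempt, many-source pattern listed above slips past a per-IP lockout rule, and how aggregating failed sign-ins tenant-wide over a time window still surfaces it. The log format, the sample lines and the thresholds are assumptions made for the example.

```python
"""Tenant-wide password-spray detection over sign-in log lines.
Per-IP lockout counters miss a spray in which each source IP makes only a
handful of attempts; bucketing all failures in a window shows the pattern:
many distinct users, many distinct IPs, very few attempts per IP."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sign-in log (not real data): "<timestamp> <user> <src_ip> <result>"
SAMPLE_LOG = """\
2024-10-31T08:00:01 alice 203.0.113.10 FAIL
2024-10-31T08:00:05 bob 203.0.113.11 FAIL
2024-10-31T08:00:09 carol 198.51.100.7 FAIL
2024-10-31T08:00:12 dave 203.0.113.12 FAIL
2024-10-31T08:00:20 erin 198.51.100.8 FAIL
2024-10-31T08:00:25 frank 203.0.113.13 FAIL
2024-10-31T08:00:31 alice 198.51.100.9 FAIL
2024-10-31T08:00:40 grace 203.0.113.14 FAIL
2024-10-31T08:01:02 alice 192.0.2.5 SUCCESS
2024-10-31T09:30:00 bob 192.0.2.6 FAIL
"""

def parse(log):
    """Yield (timestamp, user, ip, result) tuples from the log text."""
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result

def per_ip_lockout_hits(log, threshold=5):
    """Classic per-source rule: return IPs with more than `threshold` failures.
    Against a spray of one or two attempts per IP this returns nothing."""
    per_ip = Counter(ip for _, _, ip, r in parse(log) if r == "FAIL")
    return sorted(ip for ip, n in per_ip.items() if n > threshold)

def detect_spray(log, window_minutes=10, min_users=5, min_ips=5, max_per_ip=3):
    """Bucket failed sign-ins into fixed windows; flag windows where many distinct
    users fail from many distinct IPs while no single IP exceeds max_per_ip."""
    buckets = defaultdict(list)
    for t, user, ip, result in parse(log):
        if result == "FAIL":
            start = t.replace(minute=t.minute - t.minute % window_minutes, second=0, microsecond=0)
            buckets[start].append((user, ip))
    alerts = []
    for start, events in sorted(buckets.items()):
        users = {u for u, _ in events}
        per_ip = Counter(ip for _, ip in events)
        if len(users) >= min_users and len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
            alerts.append({"window_start": start.isoformat(), "failures": len(events),
                           "distinct_users": len(users), "distinct_ips": len(per_ip)})
    return alerts
```

On the sample log the per-IP rule fires on nothing, while the windowed aggregation flags the 08:00 window with 8 failures across 7 users from 8 source IPs.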

Recently, activity from CovertNetwork-1658 has decreased, but this does not mean the network has stopped operating. Microsoft believes the network is expanding its infrastructure and changing its digital fingerprints to evade previously identified security measures.

Recommendations for Protection

Experts recommend periodically rebooting your devices, as most do not retain malware after a restart. However, this does not prevent them from being reinfected.