Technical News and Reports about Quad 7 (7777) Botnet aka CovertNetwork-1658

Security Advisory
Updated 01-23-2025 23:13:57 PM

Microsoft has tracked a network of compromised Small Office / Home Office (SOHO) routers, predominantly TP-Link devices, as CovertNetwork-1658 (also noted as the Quad 7 (7777) botnet). This network is used by Chinese threat actors for password spray attacks against Microsoft 365 accounts. The threat actor exploits vulnerabilities in the routers to gain remote code execution capability.

Sekoia.io monitored a TP-Link WR841N router (3.16.9 Build 150320 Rel.57500n), which is known to be vulnerable to a chained exploit attack used by the Quad 7 botnet. Sekoia observed a notable attack that chained an unauthenticated file disclosure and a command injection. This unauthenticated file disclosure allowed the attacker to retrieve the pair of credentials stored in /tmp/dropbear/dropbearpwd, to replay them in the HTTP Basic authentication of the management interface (NVD - CVE-2023-50224). Once authenticated, the attacker exploited a known command injection vulnerability in the Parental Control page to achieve the RCE (https://openwrt.org/toh/tp-link/tl-mr22u_v1, no documented CVE).

This exploit chain is only available when the end user has enabled the remote administration interface to the internet, which is not configured by default by TP-Link firmware. TP-Link recommends against exposing the remote administration interface to the internet as a matter of course.

Discovery Timeline:

10/19/2023

Independent researchers Gi7w0rm and Dunstable Toblerone published a blog post about a botnet nicknamed Quad7 botnet or 7777 botnet. It notes that initial observation “can be seen, somewhere between June and July 2022”.

https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd

07/23/2024

Sekoia.io, a French network security software operator, investigated the mysterious 7777 botnet (aka Quad7 botnet) and indicated that the Quad7 botnet operators leverage compromised TP-Link routers to perform password spraying attacks against Microsoft 365 accounts without any specific targeting.

https://blog.sekoia.io/solving-the-7777-botnet-enigma-a-cybersecurity-quest/

09/09/2024

The Quad 7 botnet has expanded to target several brands of SOHO routers and VPN appliances, including TP-LINK, Zyxel, Asus, Axentra, D-Link, and Netgear, using multiple vulnerabilities—some of which are previously unknown.

https://thehackernews.com/2024/09/quad7-botnet-expands-to-target-soho.html

10/31/2024

Microsoft published a blog post reporting intrusion activity that targeted, and successfully stole credentials from, multiple Microsoft customers. This activity leverages highly evasive password spraying attacks, observed since August 2023. Microsoft observes the Chinese threat actor Storm-0940 (attributed to Quad 7) using credentials obtained from these password spraying attacks, which are launched from a covert network comprised mostly of TP-Link SOHO routers.

https://www.microsoft.com/en-us/security/blog/2024/10/31/chinese-threat-actor-storm-0940-uses-credentials-from-password-spray-attacks-from-a-covert-network/
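The password spraying described in the Microsoft entry above (and in the opening paragraph) has a recognisable shape in sign-in logs: each source tries many accounts a very small number of times each, and a covert network spreads those attempts over many source addresses so that no single address looks busy. The following is an added example, not code from TP-Link, Microsoft or Sekoia; the log format, thresholds and sample lines are constructed for illustration, and a real deployment would read Entra ID sign-in logs and tune the thresholds to the tenant.

```python
"""Password-spray detection over sign-in log lines.

Added example, not TP-Link's or Microsoft's code. The log format is a
constructed simplification of a sign-in log: ISO-8601 UTC timestamp,
source IP, user principal name and result, whitespace separated.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<user>\S+)\s+(?P<result>SUCCESS|FAILURE)$"
)

# Constructed sample data: one source spraying six accounts once each and then
# signing in as the sixth, one source brute-forcing a single account, four
# sources each making a single attempt, and one ordinary successful sign-in.
SAMPLE_LOG = """\
2024-08-01T01:00:00Z 198.51.100.10 alice@example.com FAILURE
2024-08-01T02:10:00Z 198.51.100.10 bob@example.com FAILURE
2024-08-01T03:20:00Z 198.51.100.10 carol@example.com FAILURE
2024-08-01T04:30:00Z 198.51.100.10 dave@example.com FAILURE
2024-08-01T05:40:00Z 198.51.100.10 erin@example.com FAILURE
2024-08-01T06:50:00Z 198.51.100.10 frank@example.com FAILURE
2024-08-02T06:55:00Z 198.51.100.10 frank@example.com SUCCESS
""" + "".join(f"2024-08-01T09:{i:02d}:00Z 203.0.113.5 alice@example.com FAILURE\n" for i in range(10)) + """\
2024-08-01T11:00:00Z 198.51.100.21 grace@example.com FAILURE
2024-08-01T11:30:00Z 198.51.100.22 heidi@example.com FAILURE
2024-08-01T12:00:00Z 198.51.100.23 ivan@example.com FAILURE
2024-08-01T12:30:00Z 198.51.100.24 judy@example.com FAILURE
2024-08-01T13:00:00Z 192.0.2.7 carol@example.com SUCCESS
"""


def parse_log(text):
    """Parse lines into event dicts, sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"].lower(), "result": m["result"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(hours=24), min_users=5, max_per_user=2):
    """Per-source check: failures inside any `window` that touch at least
    `min_users` distinct accounts, with no account tried more than
    `max_per_user` times (wide across accounts, shallow per account, which is
    what separates spraying from brute force). Returns {ip: (window_start, n_users)}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            counts = Counter(e["user"] for e in evs[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                if ip not in alerts or len(counts) > alerts[ip][1]:
                    alerts[ip] = (evs[start]["ts"], len(counts))
    return alerts


def detect_distributed_spray(events, window=timedelta(hours=24), min_sources=4, max_per_source=2):
    """Tenant-wide check for spraying spread over many sources (each compromised
    router sends only a few attempts): counts low-rate failing sources inside
    `window`. Returns (n_low_rate_sources, n_distinct_users) for the busiest
    window, or None when below threshold."""
    fails = [e for e in events if e["result"] == "FAILURE"]
    best = None
    start = 0
    for end in range(len(fails)):
        while fails[end]["ts"] - fails[start]["ts"] > window:
            start += 1
        per_ip = Counter(e["ip"] for e in fails[start:end + 1])
        low = {ip for ip, n in per_ip.items() if n <= max_per_source}
        users = {e["user"] for e in fails[start:end + 1] if e["ip"] in low}
        if len(low) >= min_sources and (best is None or len(low) > best[0]):
            best = (len(low), len(users))
    return best


def compromised_after_spray(events, alerts):
    """Successful sign-ins from a flagged source after its spray window opened:
    the credential-theft outcome the advisory describes. Returns [(ip, user)]."""
    return [(e["ip"], e["user"]) for e in events
            if e["result"] == "SUCCESS" and e["ip"] in alerts and e["ts"] >= alerts[e["ip"]][0]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    alerts = detect_spray(evs)
    for ip, (ts, n) in alerts.items():
        print(f"spray from {ip}: {n} accounts since {ts.isoformat()}")
    print("distributed spray:", detect_distributed_spray(evs))
    print("likely compromised:", compromised_after_spray(evs, alerts))
```

On the sample data the per-source check flags only 198.51.100.10 (six accounts, one attempt each) and not 203.0.113.5, whose ten attempts against one account are brute force rather than spraying; the tenant-wide check is what catches the four single-attempt sources, which is the pattern a router botnet produces when each node contributes only a few attempts. The later successful sign-in from the flagged source is the event worth treating as a probable compromise.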

Related CVEs and Known Exploits

NVD - CVE-2023-50224 - According to Sekoia’s analysis, the adversary chained two vulnerabilities: the first is an unauthenticated file disclosure allowing for the retrieval of credentials stored in /tmp/dropbear/dropbearpwd. The adversary then reuses these credentials for HTTP Basic authentication of the management interface. We have been tracking this vulnerability internally as TP-Link Vulnerability Disclosure (TPVD) 202321023 TL-WR841N - dropbearpwd Improper authentication information disclosure vulnerability. Patched firmware for the affected devices can be found here.

Parental Control RCE - the other vulnerability as documented by Sekoia is a command injection vulnerability, post authentication with credentials obtained through CVE-2023-50224 exploitation. In this vulnerability, tampering with the url_0 parameter in the Parental Control page is used to achieve the RCE. This vulnerability had not previously been reported to TP-Link and does not have a CVE. It is currently being tracked internally by TP-Link as TPVD202411095 and we are processing a CVE submission for this vulnerability. Patched firmware for the affected devices can be found here.
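The class of defect behind the Parental Control issue, a request parameter that ends up inside a shell command, is worth seeing next to its fix. The following is an added example and is not TP-Link firmware code: only the parameter name url_0 comes from the advisory, while the handler, the `fw_block` command and its `--host` flag are hypothetical stand-ins for whatever a router's web UI actually invokes. The fix on real devices is the patched firmware referenced above; this block only illustrates the pattern (validate the value, then pass it as one argument with no shell in between).

```python
"""Hardening a web-UI handler against command injection in a host parameter.

Added example, not TP-Link firmware code. `url_0` is the parameter named in
the advisory; the handler, `fw_block` and `--host` are hypothetical.
"""
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, each
# 1-63 characters, not starting or ending with a hyphen, 253 characters total.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_host(value):
    """True only for a syntactically valid hostname. Shell metacharacters,
    whitespace, scheme prefixes and empty strings all fail the pattern."""
    return bool(HOST_RE.match(value))


def build_command_unsafe(url_0):
    """The defective pattern: the raw parameter is spliced into a command
    string that a shell will interpret, so any metacharacter in url_0
    changes what the shell runs. Returned, never executed, here."""
    return f"fw_block --host {url_0}"


def build_command(url_0):
    """Hardened form: reject anything that is not a hostname, then return an
    argv list. Passed to subprocess without a shell, the value can only ever
    be a single argument to fw_block, whatever characters it contains."""
    if not validate_host(url_0):
        raise ValueError("url_0 is not a valid hostname")
    return ["fw_block", "--host", url_0]


def handle_parental_control(params, execute=False):
    """Form-handler stand-in: returns (http_status, message). With
    execute=True it would run the hypothetical fw_block via argv, shell=False."""
    url_0 = params.get("url_0", "")
    try:
        argv = build_command(url_0)
    except ValueError as exc:
        return 400, str(exc)
    if execute:
        subprocess.run(argv, shell=False, check=True)
    return 200, "blocked " + url_0


if __name__ == "__main__":
    print(build_command_unsafe("example.com;x"))      # the shell would see two commands
    print(handle_parental_control({"url_0": "example.com;x"}))  # (400, ...)
    print(handle_parental_control({"url_0": "example.com"}))    # (200, 'blocked example.com')
```

The two defences are independent and both matter: validation rejects the input at the HTTP layer, and the argv form means that even a validation gap cannot turn an argument into a second command, because no shell ever parses it. Where a firmware component is written in C the same rule applies: use an `exec`-family call with an argument vector rather than `system()` on a formatted string.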

Related Firmware and Router Models

There are two router models and associated firmware versions that have been mentioned in the discovery timeline:

  • TL-WR841N/ND(MS) 9.0 Firmware version: 3.16.9 Build 150320 Rel.57500n
  • Archer C7(EU) 2.0, Firmware version 3.15.3 Build 180305 Rel.51282n

The corresponding firmware versions are several revisions behind the latest for these particular TP-Link SOHO Routers. The identified routers have achieved End of Life (EOL) status and are documented in our EOL_List_Home.pdf. These models are not receiving regular updates and do not undergo current development, as they have been replaced by new families of products with superior capabilities and security models. See our TP-Link End-of-Life Policy. The current replacements in the Archer and Deco mesh WiFi6/7 router families are not affected by these vulnerabilities.

TP-Link is tracking unconfirmed reports of other vulnerable router models, and we will provide updates upon further investigation.

How TP-Link is Responding

TP-Link is performing the following:

  • Despite the affected router models used in the Quad 7 botnet being past their EOL/EOS date, TP-Link has developed and released firmware patching the vulnerabilities used by the Storm-0940/Quad7 threat actor. We have engaged with the community to raise awareness on the availability of these updates.
  • We are engaging with security researchers to obtain additional samples of affected binaries and deployed adversarial payloads in order to perform additional analysis and development of additional Indicators of Compromise (IoC).
  • TP-Link and its security partners are actively monitoring public intelligence data on the Quad 7 botnet and similar emerging threats, and the company commits to taking speedy and appropriate action to protect its customers and their devices.
