Storm-0940’s approach relies on accessing and controlling routers to launch password spray attacks, often limiting attempts to one per account per day to evade detection. Through this method, the attackers have infiltrated multiple organizations by obtaining legitimate login credentials, which allows deeper access to internal networks. Once a router is compromised, attackers install backdoors and SOCKS5 proxy servers, which enable persistent access and make it difficult to trace the source of attacks. Microsoft estimates that CovertNetwork-1658 has about 8,000 active devices at any time, with around 20% of them actively involved in password spray operations, allowing Storm-0940 to conduct large-scale campaigns effectively.
In light of this escalating threat, Microsoft recommends robust security practices, including the use of multi-factor authentication (MFA) and conditional access policies. Passwordless authentication methods like Windows Hello and FIDO are also encouraged, as are routine monitoring and identity protection in Azure AD. By enhancing these defenses, organizations can better protect themselves from sophisticated, large-scale credential compromise operations orchestrated by groups like Storm-0940. Despite a reported decrease in CovertNetwork-1658’s activity following exposure, Microsoft warns that attackers may be seeking new infrastructure, underscoring the need for continuous vigilance and updated security practices.
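The one-attempt-per-account-per-day pattern described above stays under any per-account lockout threshold, so it only becomes visible when failed sign-ins are aggregated across accounts. The following is an added example, not code from the article, Microsoft, or the Foundation; the log format and the sample log lines are constructed for the example, and the thresholds are assumptions.

```python
"""Added example (not from the article or Microsoft): flag low-and-slow
password spraying by aggregating failed sign-ins across accounts per day,
since one attempt per account per day never trips a per-account lockout."""
from collections import defaultdict

# Constructed sample log, "timestamp user src_ip result" (format assumed).
SAMPLE_LOG = """\
2024-10-01T02:14:05Z alice 203.0.113.10 FAIL
2024-10-01T02:16:11Z bob 203.0.113.11 FAIL
2024-10-01T02:19:42Z carol 198.51.100.7 FAIL
2024-10-01T02:22:08Z dave 203.0.113.12 FAIL
2024-10-01T02:25:30Z erin 198.51.100.8 FAIL
2024-10-01T02:28:57Z frank 203.0.113.13 FAIL
2024-10-01T09:00:00Z alice 192.0.2.50 OK
2024-10-02T10:05:00Z bob 192.0.2.51 FAIL
2024-10-02T10:05:30Z bob 192.0.2.51 OK
"""

PER_ACCOUNT_LOCKOUT = 5   # failures per account that would lock it out (assumed)
MIN_SPRAYED_ACCOUNTS = 5  # distinct low-failure accounts per day to alert on (assumed)

def parse(log_text):
    """Yield (day, user, src_ip, result) from the constructed log format."""
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        yield ts[:10], user, ip, result

def locked_accounts(log_text):
    """Accounts a per-account threshold would catch: empty for a slow spray."""
    fails = defaultdict(int)
    for _, user, _, result in parse(log_text):
        if result == "FAIL":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= PER_ACCOUNT_LOCKOUT)

def spray_days(log_text):
    """Days on which many distinct accounts each failed only a few times."""
    day_fails = defaultdict(lambda: defaultdict(int))
    day_ips = defaultdict(set)
    for day, user, ip, result in parse(log_text):
        if result == "FAIL":
            day_fails[day][user] += 1
            day_ips[day].add(ip)
    alerts = {}
    for day, users in day_fails.items():
        low = [u for u, n in users.items() if n < PER_ACCOUNT_LOCKOUT]
        if len(low) >= MIN_SPRAYED_ACCOUNTS:
            alerts[day] = {"accounts": len(low), "source_ips": len(day_ips[day])}
    return alerts
```

On the sample, the per-account view locks nothing, while the per-day view flags 2024-10-01 with six accounts each failing once from six distinct source addresses, the shape a proxied spray leaves behind.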
Source: Hardware Upgrade
The European Cyber Intelligence Foundation is a nonprofit think tank specializing in intelligence and cybersecurity, offering consultancy services to government entities. To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try yourself using check.website.