Hackers hijack over 16,000 TP-Link network devices, creating a big ol’ botnet that’s absolutely slamming Microsoft Azure accounts

As a renter all too familiar with the faraday cages that make up much of Bath’s Georgian architecture, I’ve found TP-Link WiFi adapters often come in clutch (that Bridgerton fanfic isn’t going to read itself, and certainly not on a dodgy internet connection). Unfortunately these adapters, alongside many of TP-Link’s networking products, seem to be extremely vulnerable to hackers.

It gets worse: thousands of TP-Link routers have been hijacked by hackers working on behalf of the Chinese government, according to Ars Technica. The affected routers have been leveraged into a botnet that’s hammering Microsoft Azure accounts with password spray attacks, sending massive amounts of login attempts from a rotating roster of IP addresses.
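The password spray pattern described above is much easier to spot in aggregate than per source address: each rotating IP touches only a handful of accounts, so a per-IP threshold stays quiet while the tenant as a whole sees dozens of distinct accounts failing once or twice each. The following is an added example, not code from the article, Microsoft or the researchers it cites; the sign-in rows are constructed (TEST-NET addresses, placeholder accounts) and only loosely mirror Entra ID sign-in log fields, and the window and thresholds are assumptions to tune against real data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records standing in for Entra ID (Azure AD) sign-in log rows.
# Tuple fields: timestamp, user principal name, source IP, sign-in error code
# (0 = success; 50126 = invalid username or password).
BASE = datetime(2024, 8, 1, 3, 0, 0)
EPOCH = datetime(1970, 1, 1)
SAMPLE_SIGNINS = []

# Spray traffic (constructed): eight "bot" addresses take turns, each guessing once
# against three accounts, so every account is hit twice but no single IP looks busy.
BOT_IPS = ["198.51.100.%d" % i for i in range(1, 9)]          # TEST-NET-2 range
USERS = ["user%02d@example.com" % i for i in range(1, 13)]     # placeholder accounts
for n, ip in enumerate(BOT_IPS):
    for m in range(3):
        user = USERS[(3 * n + m) % len(USERS)]
        SAMPLE_SIGNINS.append(
            (BASE + timedelta(minutes=3 * n, seconds=10 * m), user, ip, 50126))

# Benign noise (constructed): one user mistypes a password twice, then signs in.
LEGIT_IP = "203.0.113.7"                                      # TEST-NET-3 range
SAMPLE_SIGNINS += [
    (BASE + timedelta(hours=2), "user03@example.com", LEGIT_IP, 50126),
    (BASE + timedelta(hours=2, seconds=20), "user03@example.com", LEGIT_IP, 50126),
    (BASE + timedelta(hours=2, seconds=45), "user03@example.com", LEGIT_IP, 0),
]


def accounts_per_ip(records):
    """Distinct accounts that failed per source IP: what a per-IP rule would see."""
    seen = defaultdict(set)
    for _, user, ip, code in records:
        if code != 0:
            seen[ip].add(user)
    return {ip: len(users) for ip, users in seen.items()}


def detect_password_spray(records, window=timedelta(minutes=30),
                          min_accounts=8, max_per_pair=2):
    """Return one finding per time window whose failures look like a spray.

    A window is flagged when failed sign-ins hit at least `min_accounts`
    distinct accounts while no (IP, account) pair exceeds `max_per_pair`
    attempts. Counting accounts per window across all source IPs is what
    catches a botnet that rotates addresses between guesses.
    """
    buckets = defaultdict(list)
    for ts, user, ip, code in records:
        if code == 0:
            continue
        # Floor the timestamp to a fixed window boundary so rows share a bucket.
        start = EPOCH + ((ts - EPOCH) // window) * window
        buckets[start].append((user, ip))

    findings = []
    for start, attempts in sorted(buckets.items()):
        per_pair = Counter(attempts)
        accounts = {u for u, _ in attempts}
        ips = {i for _, i in attempts}
        if len(accounts) >= min_accounts and max(per_pair.values()) <= max_per_pair:
            findings.append({
                "window_start": start,
                "failed_attempts": len(attempts),
                "distinct_accounts": len(accounts),
                "distinct_ips": len(ips),
            })
    return findings


if __name__ == "__main__":
    print("per-IP view:", accounts_per_ip(SAMPLE_SIGNINS))
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print("possible spray:", f)
```

On the constructed data the per-IP view never shows more than three accounts behind any address, which is well under what most single-source lockout or alerting rules fire on, while the windowed check reports one 30-minute window with 24 failures spread over 12 accounts from 8 addresses. The benign mistyped-password burst stays below the account threshold and is not reported.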

A dizzying 16,000 compromised devices have been pulled together into what’s been dubbed the 7777 (or Quad7) botnet. The name is a reference to the TCP port that exposes the intrusion on the compromised device, and this name was coined by the researcher who first documented it—back in October 2023.

As for Azure, Microsoft’s cloud services have already been the subject of similar attacks, most recently leading to the illicit access of email accounts belonging to a number of US government agencies. In that instance, hacker group Storm-0558 was identified as the culprit, and a recent blog post from Microsoft says this same group has been using credentials scooped up by the 7777 botnet, suggesting a “close working relationship” between the hacker group and whoever is steering the bots.

Once hackers get in via a compromised account, they’ve then been observed by Microsoft to move “laterally within the network,” scooping up more data and even attempting to install remote access trojan horses so they can hop back in at a later date.

According to security researchers at Sekoia TDR and Team Cymru, the 7777 botnet was active as recently as August this year. Furthermore, affected routers were found all over the world; the highest portion of compromised devices was found in Bulgaria, though Russia, the US, and Ukraine follow closely behind. This far-flung web of devices makes it especially difficult to pin down the source of the attack, or even to tell that an attack is happening at all.

On top of all of that, it’s not yet clear how the devices involved are becoming infected and drawn into the botnet in the first place. However, before you punt your TP-Link WiFi adapter down the Mendips, it’s worth noting that compromised devices may be disinfected, at least temporarily.

As the malware involved can’t write to the storage of a TP-Link device, a simple reboot could potentially cut the cord — until hackers try to brute force the back door open once more, so it’s best to reboot your devices periodically. It’s simple advice, but serves as one more example of why the words ‘have you tried turning it off and on again’ endure.