Quad7 continues to threaten routers with an expanded botnet, adding a second tranche on port 63256 alongside the original 7777 network. The analysis shows resilience, ongoing activity, and seven management IPs, underscoring the need for updated firmware and robust security measures. #Quad7 #Microsoft365
Keypoints
- Quad7 was first reported in October 2023, targeting Microsoft Azure instances.
- Recent data shows 12,783 active bots across two botnets (7777 and 63256).
- Port 7777 is associated with TP-LINK routers; port 63256 is linked to ASUS routers.
- Seven management IPs identified with ongoing analysis of their communication patterns.
- Recommendations include maintaining updated firmware and robust security practices.
MITRE Techniques
- [T1110] Brute Force - Utilized in low-volume attacks against Microsoft Azure accounts.
- [T1210] Exploitation of Remote Services - Involves exploiting vulnerabilities in routers to gain access.
- [T1071] Application Layer Protocol - Command and control communication through open ports (7777 and 11288), including remote shell access.
- [T1090] Proxy - Use of a SOCKS5 proxy on port 11288 to relay attack traffic.
Indicators of Compromise
- [IP] Observed in traffic to remote ports 7777 and 11288 - 151.236.20.185, 151.236.20.211
- [IP] Observed in traffic to remote ports 11288, 63256, and 63260 - 104.168.152.139, 142.11.205.164
- [IP] Additional IOCs - 23.227.196.73, 23.254.201.175, 23.254.209.118
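The management IPs and service ports above are directly usable as a detection rule. The script below is an added example, not code from the Team Cymru post: it walks connection-log lines, scores each flow against the listed IPs and ports, and reports which local addresses look like compromised routers. The log layout (`ts src:port -> dst:port proto`), the sample lines, the severity tiers and the assumption that the shell and SOCKS5 listeners are TCP-only are all constructed for this example; adapt the regex to your firewall or NetFlow export.

```python
"""Flag flows that match the Botnet 7777 / Quad7 IOCs listed on this page.

Added example (not the Team Cymru post's own code). The log format, sample
lines and severity tiers are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Management IPs from the IOC section.
MGMT_IPS = frozenset({
    "151.236.20.185", "151.236.20.211",
    "104.168.152.139", "142.11.205.164",
    "23.227.196.73", "23.254.201.175", "23.254.209.118",
})

# Service ports the IOC section ties to the two tranches (7777 / 63256).
BOT_PORTS = frozenset({7777, 11288, 63256, 63260})

# Constructed sample traffic (documentation-range addresses, not real data).
# Assumed layout: '<timestamp> <src>:<sport> -> <dst>:<dport> <proto>'.
SAMPLE_LOG = """\
2024-08-12T01:02:03Z 151.236.20.185:40212 -> 203.0.113.7:7777 tcp
2024-08-12T01:02:09Z 198.51.100.23:51000 -> 203.0.113.7:443 tcp
2024-08-12T01:03:44Z 142.11.205.164:38801 -> 203.0.113.9:63256 tcp
2024-08-12T01:04:01Z 192.0.2.55:60000 -> 203.0.113.7:11288 tcp
2024-08-12T01:05:12Z 203.0.113.9:54321 -> 23.254.209.118:8080 tcp
2024-08-12T01:06:30Z 198.51.100.23:51001 -> 203.0.113.7:7777 udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def classify(src: str, dst: str, dport: int, proto: str):
    """Return (severity, reason) for a flow, or None if it is not of interest.

    Assumption: the remote shell and SOCKS5 proxy are TCP listeners, so
    UDP traffic to the same port numbers is not counted.
    """
    if proto.lower() != "tcp":
        return None
    if src in MGMT_IPS and dport in BOT_PORTS:
        # A known management IP talking to a botnet service port on one of
        # our addresses: the strongest signal that the device is a bot.
        return "high", "management IP connecting to a botnet service port"
    if src in MGMT_IPS or dst in MGMT_IPS:
        return "medium", "traffic involving a known management IP"
    if dport in BOT_PORTS:
        # Something on our side accepts connections on a botnet port, even
        # if the peer is not (yet) a listed management IP.
        return "low", "inbound connection to a botnet service port"
    return None


def scan(log_text: str) -> list[Hit]:
    """Parse log lines and return every flow that matches the IOCs."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed layout; skip it
        verdict = classify(m["src"], m["dst"], int(m["dport"]), m["proto"])
        if verdict is None:
            continue
        severity, reason = verdict
        hits.append(Hit(m["ts"], m["src"], m["dst"], int(m["dport"]), severity, reason))
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count hits per severity tier."""
    return dict(Counter(h.severity for h in hits))


def suspected_bots(hits: list[Hit]) -> set[str]:
    """Local addresses that a management IP reached on a botnet port."""
    return {h.dst for h in hits if h.severity == "high"}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} [{h.severity}] {h.src} -> {h.dst}:{h.dport} ({h.reason})")
    print("by severity:", summarize(found))
    print("suspected compromised routers:", sorted(suspected_bots(found)))
```

Treat any "high" hit as a device to pull for firmware re-flash and credential rotation, and treat "low" hits as a prompt to verify from outside whether the router actually exposes the port on its WAN interface.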
Read more: https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router