About this actor
Quad7 Activity, also known as CovertNetwork-1658 or the 7777 Botnet, is a network of compromised small office/home office (SOHO) routers. (Citation: Bitsight 7777 Botnet)(Citation: Microsoft Storm-0940) The botnet was initially composed primarily of TP-Link routers and was named Quad7 because compromised devices exposed TCP port 7777 with the distinctive banner <code>xlogin</code>. Later activity showed a significant increase in compromised Asus routers and the addition of new ports and banners, including TCP port 63256 displaying <code>alogin</code>. Quad7 infrastructure functions as a pool of egress IPs that various China-affiliated threat actors have used to conduct password-spraying and brute-force operations, so a single campaign is spread across many residential source addresses, each making only a few attempts. (Citation: Bitsight 7777 Botnet)(Citation: Medium 777-Botnet) Microsoft has reported that Storm-0940 leveraged credentials obtained through Quad7 Activity to target organizations in North America and Europe, including government agencies, non-governmental organizations, think tanks, law firms, energy firms, IT providers, and defense industrial base entities. (Citation: Microsoft Storm-0940)
Source: MITRE ATT&CK
Activity timeline
No activity events recorded.
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| No attributed CVEs. | |||||
Mitigating controls (NIST 800-53)
| Control | Techniques covered (of 22 mapped) | Coverage |
|---|---|---|
| CM-6 | 15 / 22 | 68% |
| SI-4 | 15 / 22 | 68% |
| CA-7 | 13 / 22 | 59% |
| CM-2 | 13 / 22 | 59% |
| CM-7 | 12 / 22 | 55% |
| SI-3 | 12 / 22 | 55% |
| AC-3 | 9 / 22 | 41% |
| AC-4 | 9 / 22 | 41% |
| SC-7 | 9 / 22 | 41% |
| AC-2 | 6 / 22 | 27% |
| AC-6 | 6 / 22 | 27% |
| AC-5 | 5 / 22 | 23% |
| IA-2 | 5 / 22 | 23% |
| SI-10 | 5 / 22 | 23% |
| SI-7 | 5 / 22 | 23% |
Co-occurring actors
None.
Similar actors
Similar TTPs (similarity score)
- FLORAHOX Activity (0.29)
- Operation MidnightEclipse (0.21)
- Outer Space (0.20)
- TA551 (0.18)
- C0018 (0.17)