US considers banning TP-Link routers over cybersecurity concerns

The U.S. government may ban TP-Link routers in 2025 if investigations confirm their use could pose a national security risk.

The U.S. government is investigating whether TP-Link routers, linked to cyberattacks, pose a national security risk, the Wall Street Journal reported.

According to the WSJ, the U.S. government is considering banning TP-Link routers starting in 2025.

TP-Link holds 65% of the U.S. market and is the top choice on Amazon, powering internet communications for the Defense Department.

In August, two U.S. lawmakers urged the Biden administration to investigate TP-Link over concerns its devices could be used in cyberattacks.

“The Commerce, Defense and Justice departments have opened separate probes into the company, with authorities targeting a ban on the sale of TP-Link routers in the U.S. as early as next year, the report said.” reported Reuters. “An office of the Commerce Department has even subpoenaed the company while the Defense Department launched its investigation into Chinese-manufactured routers earlier this year, the newspaper reported, citing people familiar with the matter.”

Over 300 U.S. ISPs provide TP-Link routers by default, and the devices are used by government agencies like the Defense Department, NASA, and DEA.

The U.S. authorities warn that China could use its routers in cyberattacks on American infrastructure.

In October, Chinese threat actors reportedly used the Quad7 botnet in password-spray attacks to steal credentials, Microsoft warns.

Quad7 botnet, also known as CovertNetwork-1658 or xlogin, was first spotted in the summer of 2023 by security researcher Gi7w0rm.

In September 2024, the Sekoia TDR team reported it had identified additional implants associated with the Quad7 botnet operation. The botnet operators are targeting multiple SOHO devices and VPN appliances, including TP-LINK, Zyxel, Asus, D-Link, and Netgear, exploiting both known and previously unknown vulnerabilities.

The operators maintain the botnet to launch distributed brute-force attacks on VPNs, Telnet, SSH, and Microsoft 365 accounts.

The Quad7 botnet is primarily composed of compromised TP-Link routers, with open ports for administration and proxy purposes. These routers are used to relay brute-force attacks on Microsoft 365 accounts. Similar botnets, like alogin and rlogin, target other devices, including Asus routers (alogin) and Ruckus Wireless devices (rlogin), each with distinct open ports for administration and proxy functions. The experts noticed that while alogin and xlogin have thousands of compromised devices, rlogin has only 213. Other variants like axlogin and zylogin target Axentra NAS and Zyxel VPNs respectively, but they are smaller and less observed.

Microsoft now states that Chinese threat actors, including Storm-0940, are using credentials obtained from CovertNetwork-1658 via password-spray attacks. Active since 2021, Storm-0940 gains access through password spraying, brute-force attacks, and exploiting network edge services, targeting sectors like government, law, defense, and NGOs in North America and Europe. Microsoft has notified affected customers and shared details on CovertNetwork-1658, Storm-0940 tactics, and recommended mitigations to help secure affected environments.

“Microsoft assesses that a threat actor located in China established and maintains this network. The threat actor exploits a vulnerability in the routers to gain remote code execution capability. We continue to investigate the specific exploit by which this threat actor compromises these routers.” reads the report published by Microsoft. “Microsoft assesses that multiple Chinese threat actors use the credentials acquired from CovertNetwork-1658 password spray operations to perform computer network exploitation (CNE) activities.”

Microsoft noticed that password spray campaigns that were carried out through CovertNetwork-1658 infrastructure submitted a very small number of sign-in attempts to many accounts at a target organization. In the majority of the campaigns, about 80 percent, CovertNetwork-1658 makes only one sign-in attempt per account per day.

Quad7 botnet

CovertNetwork-1658 is challenging to track due to its use of compromised SOHO IPs, a rotating pool of thousands of IP addresses (with nodes active for around 90 days), and low-volume password sprays, which avoid typical detection based on multiple failed sign-ins.

Back to the present, a spokesperson for TP-Link’s U.S. subsidiary told the WSJ that the company welcomes any opportunities to engage with the U.S. government to demonstrate that its security practices align with industry standards and to show its ongoing commitment to the U.S. market, consumers, and addressing national security risks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Quad7 botnet)