US considers banning TP-Link routers over cybersecurity concerns


The U.S. government may ban TP-Link routers in 2025 if investigations confirm their use could pose a national security risk.

The U.S. government is investigating whether TP-Link routers, linked to cyberattacks, pose a national security risk, the Wall Street Journal reported.

According to the WSJ, the U.S. government is considering banning TP-Link routers starting in 2025.

TP-Link holds 65% of the U.S. market and is the top choice on Amazon, powering internet communications for the Defense Department.

In August, two U.S. lawmakers urged the Biden administration to investigate TP-Link over concerns its devices could be used in cyberattacks.

“The Commerce, Defense and Justice departments have opened separate probes into the company, with authorities targeting a ban on the sale of TP-Link routers in the U.S. as early as next year, the report said,” Reuters reported. “An office of the Commerce Department has even subpoenaed the company while the Defense Department launched its investigation into Chinese-manufactured routers earlier this year, the newspaper reported, citing people familiar with the matter.”

Over 300 U.S. ISPs provide TP-Link routers by default, and the devices are used by government agencies like the Defense Department, NASA, and DEA.

The U.S. authorities warn that China could use its routers in cyberattacks on American infrastructure.

In October, Microsoft warned that Chinese threat actors were using the Quad7 botnet in password-spray attacks to steal credentials.

Quad7 botnet, also known as CovertNetwork-1658 or xlogin, was first spotted in the summer of 2023 by security researcher Gi7w0rm.

In September 2024, the Sekoia TDR team reported it had identified additional implants associated with the Quad7 botnet operation. The botnet operators are targeting multiple SOHO devices and VPN appliances, including TP-Link, Zyxel, Asus, D-Link, and Netgear, exploiting both known and previously unknown vulnerabilities.

The operators maintain the botnet to launch distributed brute-force attacks on VPNs, Telnet, SSH, and Microsoft 365 accounts.

The Quad7 botnet is primarily composed of compromised TP-Link routers, with open ports for administration and proxy purposes. These routers are used to relay brute-force attacks on Microsoft 365 accounts. Similar botnets, like alogin and rlogin, target other devices, including Asus routers (alogin) and Ruckus Wireless devices (rlogin), each with distinct open ports for administration and proxy functions. The experts noticed that while alogin and xlogin have thousands of compromised devices, rlogin has only 213. Other variants like axlogin and zylogin target Axentra NAS and Zyxel VPNs respectively, but they are smaller and less observed.

Microsoft now states that Chinese threat actors, including Storm-0940, are using credentials obtained from CovertNetwork-1658 via password-spray attacks. Active since 2021, Storm-0940 gains access through password spraying, brute-force attacks, and exploiting network edge services, targeting sectors like government, law, defense, and NGOs in North America and Europe. Microsoft has notified affected customers and shared details on CovertNetwork-1658, Storm-0940 tactics, and recommended mitigations to help secure affected environments.

“Microsoft assesses that a threat actor located in China established and maintains this network. The threat actor exploits a vulnerability in the routers to gain remote code execution capability. We continue to investigate the specific exploit by which this threat actor compromises these routers,” reads the report published by Microsoft. “Microsoft assesses that multiple Chinese threat actors use the credentials acquired from CovertNetwork-1658 password spray operations to perform computer network exploitation (CNE) activities.”

Microsoft noticed that password spray campaigns that were carried out through CovertNetwork-1658 infrastructure submitted a very small number of sign-in attempts to many accounts at a target organization. In the majority of the campaigns, about 80 percent, CovertNetwork-1658 makes only one sign-in attempt per account per day.

Quad7 botnet

CovertNetwork-1658 is challenging to track due to its use of compromised SOHO IPs, a rotating pool of thousands of IP addresses (with nodes active for around 90 days), and low-volume password sprays, which avoid typical detection based on multiple failed sign-ins.
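The detection problem described above is easy to see with a small model. The following Python script is an added example, not part of this article or of Microsoft's report: it runs a conventional failed-sign-in threshold and a spray-oriented rule over a constructed sign-in log. The log lines, the 203.0.113.0/24 and 198.51.100.7 addresses (documentation space standing in for rotating SOHO routers and one legitimate user), the `example.org` accounts, and the thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not real data). Each line is
# "<ISO timestamp> <source IP> <account> <result>". The 203.0.113.0/24
# addresses stand in for a rotating pool of compromised SOHO routers: every
# source makes exactly one failed attempt against one account per day, and
# the next day a different set of sources repeats it. 198.51.100.7 is a
# legitimate user who mistypes a password three times, i.e. ordinary noise.
SAMPLE_LOG = """\
2024-10-01T08:00:01Z 203.0.113.10 alice@example.org FAIL
2024-10-01T08:03:17Z 203.0.113.11 bob@example.org FAIL
2024-10-01T08:09:44Z 203.0.113.12 carol@example.org FAIL
2024-10-01T08:15:02Z 203.0.113.13 dave@example.org FAIL
2024-10-01T08:21:39Z 203.0.113.14 erin@example.org FAIL
2024-10-01T08:30:55Z 203.0.113.15 frank@example.org FAIL
2024-10-01T09:02:10Z 198.51.100.7 grace@example.org FAIL
2024-10-01T09:02:25Z 198.51.100.7 grace@example.org FAIL
2024-10-01T09:02:40Z 198.51.100.7 grace@example.org FAIL
2024-10-01T09:03:01Z 198.51.100.7 grace@example.org SUCCESS
2024-10-02T07:58:12Z 203.0.113.20 alice@example.org FAIL
2024-10-02T08:04:48Z 203.0.113.21 bob@example.org FAIL
2024-10-02T08:11:03Z 203.0.113.22 carol@example.org FAIL
2024-10-02T08:17:29Z 203.0.113.23 dave@example.org FAIL
2024-10-02T08:23:51Z 203.0.113.24 erin@example.org FAIL
2024-10-02T08:29:14Z 203.0.113.25 frank@example.org FAIL
2024-10-03T10:00:00Z 198.51.100.7 grace@example.org SUCCESS
"""


def parse_log(text):
    """Parse the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "account": account,
            "failed": result == "FAIL",
        })
    return events


def classic_threshold_alerts(events, key, threshold=5):
    """Conventional rule: alert when one account (key="account") or one source
    (key="ip") accumulates `threshold` failed sign-ins. On the sample this
    returns nothing for either key: no account is hit more than once per day
    and no spray source ever reappears."""
    failures = defaultdict(int)
    for e in events:
        if e["failed"]:
            failures[e[key]] += 1
    return sorted(k for k, n in failures.items() if n >= threshold)


def low_and_slow_spray_alerts(events, min_accounts=5, max_per_account=1):
    """Pivot the question from "how many failures per account or source" to
    "how many distinct accounts failed today, each only once, from how many
    sources". Returns one alert dict per day that matches."""
    per_day = defaultdict(lambda: defaultdict(list))  # day -> account -> [ip, ...]
    for e in events:
        if e["failed"]:
            per_day[e["ts"].date().isoformat()][e["account"]].append(e["ip"])
    alerts = []
    for day, accounts in sorted(per_day.items()):
        # The sprayer's signature: many accounts, each touched at most
        # max_per_account times. Accounts with more failures (the mistyping
        # user) are left out of the count.
        sprayed = {a: ips for a, ips in accounts.items() if len(ips) <= max_per_account}
        if len(sprayed) < min_accounts:
            continue
        per_source = defaultdict(int)
        for ips in sprayed.values():
            for ip in ips:
                per_source[ip] += 1
        alerts.append({
            "day": day,
            "accounts": sorted(sprayed),
            "sprayed_accounts": len(sprayed),
            "distinct_sources": len(per_source),
            "max_failures_per_source": max(per_source.values()),
        })
    return alerts


def accounts_sprayed_on_multiple_days(alerts, min_days=2):
    """Second signal: the same account set recurring day after day while the
    source addresses change points at a persistent campaign behind a rotating pool."""
    days_seen = defaultdict(int)
    for a in alerts:
        for account in a["accounts"]:
            days_seen[account] += 1
    return sorted(acc for acc, n in days_seen.items() if n >= min_days)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-account rule:", classic_threshold_alerts(events, "account"))
    print("per-source rule: ", classic_threshold_alerts(events, "ip"))
    spray = low_and_slow_spray_alerts(events)
    for alert in spray:
        print(alert)
    print("recurring targets:", accounts_sprayed_on_multiple_days(spray))
```

Both classic rules stay silent on this input because the sprayer never exceeds one failure per account or per source, which is exactly the behaviour the paragraph above describes; the day-level view fires on both days with six accounts hit from six different sources, and the recurrence check shows the same six targets coming back from a fresh set of addresses. In a real environment the account-count threshold should be tuned against the organisation's normal daily failure baseline, and the per-day bucket is a stand-in for whatever window the SIEM uses.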

Returning to the investigation, a spokesperson for TP-Link’s U.S. subsidiary told the WSJ that the company welcomes any opportunity to engage with the U.S. government to demonstrate that its security practices align with industry standards and to show its ongoing commitment to the U.S. market, to consumers, and to addressing national security risks.

Pierluigi Paganini
