

Ethical Hacking News

Hacking Microsoft 365: The Rise of FastHTTP-Driven High-Speed Brute Force Attacks


Hackers are leveraging the FastHTTP Go library to launch high-speed brute-force password attacks targeting Microsoft 365 accounts globally, exploiting vulnerabilities in authentication mechanisms to gain unauthorized access. With a success rate of approximately 10%, these attacks pose significant risks to organizations with sensitive data stored within these accounts.

  • Threat actors are using the FastHTTP Go library to launch high-speed brute-force password attacks targeting Microsoft 365 accounts globally.
  • The attacks have a success rate of approximately 10% and exploit vulnerabilities in Microsoft's authentication mechanisms, allowing threat actors to bypass security measures.
  • The campaign primarily targets Azure Active Directory endpoints, with 65% of malicious traffic originating from Brazil and other regions.
  • The tactics employed by the threat actors involve both brute-force password attacks and MFA Fatigue attacks to overwhelm victims and render accounts unusable.
  • Microsoft 365 account takeovers can lead to severe consequences, including confidential data exposure and intellectual property theft.
  • SpearTip has provided a PowerShell script to help administrators identify if their accounts were targeted by this operation.
  • Organizations must implement robust security measures, including regular monitoring of account activity, stringent password policies, and timely updates to prevent exploitation of known vulnerabilities.



    In a recent revelation, threat actors have been discovered leveraging the FastHTTP Go library to launch high-speed brute-force password attacks targeting Microsoft 365 accounts globally. SpearTip, an incident response firm, has uncovered this campaign, which began on January 6, 2024, and specifically targeted the Azure Active Directory Graph API.

    The researchers at SpearTip warn that the brute-force attacks have a success rate of approximately 10%, with a mere 41.5% of all malicious traffic being rejected due to access policy violations or device compliance issues. The remaining 53.5% of the attacks, however, either failed (41.5%) or resulted in account lockouts (21%). It is noteworthy that this campaign exploits vulnerabilities in Microsoft's authentication mechanisms, allowing threat actors to bypass security measures and successfully authenticate to compromised accounts.

    FastHTTP is a high-performance HTTP server and client library for the Go programming language, designed to optimize throughput, latency, and efficiency even when dealing with numerous concurrent connections. In this context, FastHTTP is being leveraged to create custom HTTP requests that automate attempts at unauthorized logins. The attacks primarily target Azure Active Directory endpoints, with SpearTip identifying 65% of malicious traffic originating from Brazil and other regions such as Turkey, Argentina, Uzbekistan, Pakistan, and Iraq.

    The tactics employed by the threat actors in this campaign are multifaceted, involving both brute-force password attacks and a form of MFA Fatigue attack. By repeatedly sending multi-factor authentication challenges to targets, the attackers aim to overwhelm them, rendering the account unusable without providing an alternative resolution pathway for victims to regain access.

    Microsoft 365 account takeovers can lead to severe consequences, including confidential data exposure, intellectual property theft, service downtime, and other negative outcomes. The incident highlights the importance of ongoing security awareness and vigilance in protecting sensitive accounts from sophisticated cyber threats.

    In response to this campaign, SpearTip has provided a PowerShell script that administrators can use to check for the presence of the FastHTTP user agent in audit logs, indicating they were targeted by this operation. Furthermore, manual checks can be performed by logging into the Azure portal and navigating through relevant sections to identify any signs of malicious activity.

    To address such threats effectively, it is crucial for organizations to implement robust security measures, including regular monitoring of account activity, stringent password policies, multi-factor authentication requirements, and timely updates to prevent exploitation of known vulnerabilities. In addition, administrators should be prepared to expire user sessions and reset all account credentials immediately in the event of a successful attack.
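
    The audit-log check and the response step described above, as an added Python example that is not SpearTip's script and not part of the original article: it filters exported sign-in records for the `fasthttp` user agent, buckets each hit by result code, and flags accounts with a successful sign-in for session revocation and credential reset. The record field names (`userAgent`, `userPrincipalName`, `ipAddress`, `status.errorCode`) are assumed to follow the sign-in log JSON export, and the sample records are constructed.

```python
import json
from collections import Counter, defaultdict

# AADSTS result codes mapped to the outcome buckets the article describes.
OUTCOMES = {
    0: "success",             # sign-in succeeded: treat as account takeover
    50126: "failed",          # invalid username or password
    50053: "locked_out",      # account locked after repeated bad attempts
    53003: "policy_blocked",  # blocked by Conditional Access
    50074: "mfa_challenged",  # strong authentication required
}

# Constructed sample records (not real log data); field names are an
# assumption modelled on the sign-in log JSON export.
SAMPLE = [
    {"userPrincipalName": u, "userAgent": ua, "ipAddress": ip,
     "status": {"errorCode": code}}
    for u, ua, ip, code in [
        ("alice@example.com", "fasthttp", "203.0.113.10", 50126),
        ("alice@example.com", "fasthttp", "203.0.113.11", 50126),
        ("Alice@example.com", "fasthttp", "203.0.113.10", 0),
        ("bob@example.com", "fasthttp", "198.51.100.7", 50053),
        ("bob@example.com", "Mozilla/5.0", "192.0.2.20", 0),  # normal browser
        ("carol@example.com", "FastHTTP", "198.51.100.7", 50074),
    ]
]

def triage_signins(records, needle="fasthttp"):
    """Summarise sign-ins whose user agent contains `needle`, per account."""
    accounts = defaultdict(lambda: {"outcomes": Counter(), "ips": set()})
    for rec in records:
        agent = (rec.get("userAgent") or "").lower()
        if needle not in agent:
            continue  # not this campaign's client; leave for other detections
        code = (rec.get("status") or {}).get("errorCode")
        entry = accounts[(rec.get("userPrincipalName") or "unknown").lower()]
        entry["outcomes"][OUTCOMES.get(code, "other")] += 1
        entry["ips"].add(rec.get("ipAddress"))
    report = {}
    for upn, entry in accounts.items():
        compromised = entry["outcomes"]["success"] > 0
        report[upn] = {
            "outcomes": dict(entry["outcomes"]),
            "source_ips": sorted(ip for ip in entry["ips"] if ip),
            "action": "revoke_sessions_and_reset" if compromised else "review",
        }
    return report

if __name__ == "__main__":
    print(json.dumps(triage_signins(SAMPLE), indent=2))
```

    A user-agent match only identifies this tooling while it keeps its default header, so accounts marked `review` still warrant a look at lockout and MFA-challenge volume.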

    In conclusion, the recent revelation highlights the evolving landscape of cyber threats targeting Microsoft 365 accounts. The use of FastHTTP-driven brute-force attacks underscores the need for continued vigilance and proactive security measures to safeguard sensitive information and prevent potential breaches.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/hackers-use-fasthttp-in-new-high-speed-microsoft-365-password-attacks/


  • Published: Tue Jan 14 13:09:08 2025 by llama3.2 3B Q4_K_M













         

