ESSGroupThreat Report: fasthttp Used in New Bruteforce Campaign

Threat Report: fasthttp Used in New Bruteforce Campaign

Threat Overview

SpearTip has published a report detailing a new brute-force campaign leveraging the fasthttp library to gain unauthorized access to accounts. The campaign targets Azure Active Directory Graph API, resulting in a high volume of authentication failures, account lockouts, and conditional access violations.

Campaign Details

* Target: Azure Active Directory Graph API

* Duration: Ongoing since January 6th, 2025

* Origin: Significant traffic from Brazil

* fasthttp User Agent: Observed in Entra ID sign-in logs under “Other Clients“\

Recommendations

Based on the threat report, the following recommendations are made to mitigate the risks associated with this campaign:

* Monitor Entra ID sign-in logs for thefasthttp user agent.

* Upon investigation of successful authentications or failed MFA/conditional access cases where credentials were correct,simply take these actions:

1. Expire user sessions.

2. Reset user credentials.

3. Review MFA devices associated with potentially compromised users.

* Further investigate ASN providers and IP addresses listed in the report for potential affiliation with the campaign

External References

Full report can be accessed via:

https://www.speartip.com/fasthttp-used-in-new-bruteforce-campaign/

Discover more from ESSGroup

Subscribe to get the latest posts sent to your email.

essadmin

15 Jan 2025

Comment 0

Categoty:
CTI News

Cyber Security

Threat

2FA/MFA

Android

Azure Active Directory

Boot-Net

Insider Threat

IOT

Linux

MacOS

Malware

Browser

Ransomware

USB

Scam

Vulnerability

Windows

Email Security

Phishing

Threat actors (ATP)

Report

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Microsoft 365’s Direct Send Exploited to Send Phishing Emails as Internal Users A security alert was carried out by the Office for National Statistics (IoC) in the wake of a cyber-attack on the UK on 1 January 2016, but the details of the campaign were not made public.

Threat Overview

Microsoft 365’s Direct Send Exploited to Send Phishing Emails as Internal Users is a sophisticated cyber threat that leverages the Direct Send feature in Microsoft 365 to send phishing emails that appear to originate from internal users. This tactic is particularly insidious as it bypasses traditional email security measures, making it difficult for organizations to detect and mitigate the threat. The campaign has been observed targeting various industries, with a focus on financial institutions and government agencies.

Detailed Analysis

Microsoft 365’s Direct Send Exploited to Send Phishing Emails as Internal Users is a post-exploitation tool that provides remote shell access and TCP tunneling capabilities through compromised devices. The malware is written in Go 1.18, which is known for its efficiency and cross-platform compatibility. The use of Go allows the malware to be easily compiled for different operating systems, making it a versatile tool for attackers.

The malware connects to a custom SSH server at a hardcoded C2 URL. This server acts as the command and control center, allowing the attacker to send commands to the infected device and receive data back. The use of a custom SSH server ensures that the communication between the malware and the C2 server is encrypted, making it difficult for security tools to detect and analyze the traffic.

Microsoft 365’s Direct Send Exploited to Send Phishing Emails as Internal Users utilizes DNS-over-HTTPS to locate its C2 server’s IP address. DNS-over-HTTPS is a protocol that encrypts DNS queries, making it difficult for attackers to intercept and manipulate DNS responses. By using DNS-over-HTTPS, the malware ensures that the location of the C2 server remains hidden from prying eyes.

The malware has been observed targeting FortiGate 100D series firewalls. These firewalls are commonly used in enterprise networks to provide security and network management. By compromising these devices, attackers can gain access to the internal network, allowing them to move laterally and compromise other systems.

Microsoft 365’s Direct Send Exploited to Send Phishing Emails as Internal Users supports various channel types, including ‘session’ and a non-standard ‘jump’ type. The ‘session’ channel type allows the attacker to establish a remote shell on the infected device, providing direct access to the system. The ‘jump’ channel type is used for reverse-SSH tunneling, allowing the attacker to pivot into other networks after compromising a perimeter device.

The malware also offers TCP tunneling capabilities. TCP tunneling allows the attacker to create a secure tunnel between the infected device and the C2 server, enabling the transfer of data and commands. This capability is particularly useful for attackers who need to exfiltrate data from the compromised network.

Operational Security Measures

While Microsoft 365’s Direct Send Exploited to Send Phishing Emails as Internal Users implements some operational security measures, its network communications are distinctive due to its impersonation of an outdated SSH version. This makes it easier for security tools to detect and analyze the malware’s traffic. Additionally, the use of a hardcoded C2 URL makes it difficult for the malware to adapt to changes in the network environment, potentially exposing the C2 server to detection and takedown.

Recommendations for Mitigation

Organizations can implement several measures to mitigate the threat posed by Microsoft 365’s Direct Send Exploited to Send Phishing Emails as Internal Users. These include:

Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. This can be achieved by dividing the network into smaller segments and implementing strict access controls between segments.

Regular Updates: Keep all systems and software up to date with the latest security patches. This includes firewalls, operating systems, and applications. Regular updates help to address known vulnerabilities that can be exploited by malware like Microsoft 365’s Direct Send Exploited to Send Phishing Emails as Internal Users.

Intrusion Detection Systems: Deploy intrusion detection systems (IDS) to monitor network traffic for signs of malicious activity. IDS can help to detect and alert on suspicious traffic patterns, allowing organizations to respond quickly to potential threats.

Endpoint Protection: Implement endpoint protection solutions to detect and block malware on individual devices. Endpoint protection can help to prevent the initial infection and limit the spread of malware within the network.

Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.

Regular Backups: Maintain regular backups of critical data to ensure that it can be restored in the event of a ransomware attack or data loss. Backups should be stored offline or in a separate network segment to prevent them from being encrypted or deleted by the malware.

Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.

By implementing these measures, organizations can significantly reduce the risk of falling victim to Microsoft 365’s Direct Send Exploited to Send Phishing Emails as Internal Users and other sophisticated malware threats

Like this: