ESSGroupThreat Report: fasthttp Used in New Bruteforce Campaign

Threat Report: fasthttp Used in New Bruteforce Campaign

Threat Overview

SpearTip has published a report detailing a new brute-force campaign leveraging the fasthttp library to gain unauthorized access to accounts. The campaign targets Azure Active Directory Graph API, resulting in a high volume of authentication failures, account lockouts, and conditional access violations.

Campaign Details

* Target: Azure Active Directory Graph API

* Duration: Ongoing since January 6th, 2025

* Origin: Significant traffic from Brazil

* fasthttp User Agent: Observed in Entra ID sign-in logs under “Other Clients“\

Recommendations

Based on the threat report, the following recommendations are made to mitigate the risks associated with this campaign:

* Monitor Entra ID sign-in logs for thefasthttp user agent.

* Upon investigation of successful authentications or failed MFA/conditional access cases where credentials were correct,simply take these actions:

1. Expire user sessions.

2. Reset user credentials.

3. Review MFA devices associated with potentially compromised users.

* Further investigate ASN providers and IP addresses listed in the report for potential affiliation with the campaign

External References

Full report can be accessed via:

https://www.speartip.com/fasthttp-used-in-new-bruteforce-campaign/

Related

Discover more from ESSGroup

Subscribe to get the latest posts sent to your email.

15 Jan 2025

Comment 0

Categoty:
CTI News

Cyber Security

Threat

Azure Active Directory

Malware

Vulnerability

Email Security

Threat actors (ATP)

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

News & Blog

Related Blog

16 December

A new infostealer called VIPKeyLogger has been observed

Threat Overview

A new infostealer called VIPKeyLogger has been observed with increased activity. It shares similarities with Snake Keylogger and is distributed through phishing campaigns. The malware is delivered as an archive or Microsoft 365 file attachment, which downloads and executes a .NET compiled file. HIPKeylogger utilizes steganography to hide obfuscated code within a bitmap image. It exfiltrates various data types including PC names, country names, clipboard data, screenshots, cookies, and browser history. The stolen information is sent via Telegram to Dynamic DuckDNS C2 servers. The attack chain involves multiple stages, from initial email lure to payload execution and data exfiltration.

Tactics, Techniques, and Procedures (TTPs)

Phishing Campaigns: Distributed through archive or Microsoft 365 file attachments
The malware is delivered as a .NET compiled file \n* HIPKeylogger uses steganography to hide obfuscated code within a bitmap image
Exfiltrates various data types including PC names, country names, clipboard data, screenshots, cookies, and browser history.

The threat actor exfiltrates information via Dynamic DuckDNS C2 servers. The attack chain involves multiple stages from initial email lure to payload execution and data exfiltration.

Network Traffic Patterns

Packets with an apparent legitimate or innocuous content are used as a decoy to bypass security controls
Dynamic DNS is used for establishing hidden back connection between compromised systems, using external IP addresses that can be easily changed without being detected.
TCP/IP packets may be encrypted, making it difficult to identify malicious activity for security monitoring purposes.

Attack Patterns

The attack chain typically begins with a phishing campaign targeting specific industry sectors or geographic regions.

The use of real or fabricated credentials is part of the attack pattern used to create the illusion that they are valid employees using legitimate systems, allowing attackers to bypass security controls.

HIPKeylogger has also been deployed via Office documents as an attachment or embedded in malicious links. This method may not raise suspicions among users who regularly receive these types of attachments and links.

Malware Components

The use of Open-source code, making it easier for threat actors to adapt the tool to different attack situations

This allows them to rapidly respond the evolving nature of security controls. \\n HIPKeylogger contains malicious components designed to remain under suspicion for extended periods after deployment.

Exfiltration and Analysis

Anonymized data are exfiltrated via Dynamic DuckDNS servers.

This allows attackers to obscure their IP addresses, further complicating detection efforts.

The HIPKeylogger tool does not contain a mechanism for data obfuscation or encryption.

Recommendations

Based on the threat report, several recommendations can be made for improving cybersecurity posture:

Monitor activity from known adversary groups, such as Secret Blizzard.

Improve security training and awareness programs to educate employees and organizations on the tactics of malicious actors.

Implement strict access controls around sensitive systems.

Regularly update software packages to prevent exploitation by exploiting zero-day vulnerabilities
Implement layered web and network security mechanisms.

Related

02 January

ICS Threat Report: New Malware Can Kill Engineering Processes

Threat Overview

Cyber threats targeting industrial control systems (ICS) have become a pressing concern for organizations in various sectors, including energy and manufacturing. A recent threat report published by ICS-CSIRT.io highlighted the emergence of new malware that can disrupt engineering processes.

The report, titled “New, Experimental Malware Can Kill Engineering Processes,” details an ICS threat actor group that has been observed using this malware to compromise industrial targets. The malware is designed to target specific systems and can cause significant disruptions to critical infrastructure.

Tactics, Techniques, and Procedures (TTPs)

The report highlights the tactics, techniques, and procedures (TTPs) employed by the ICS threat actor group. These include:

System Compromise: Targeting vulnerable industrial control system devices.
Data Exfiltration: Stealing sensitive data from compromised systems.
Malware Distribution: Distributing malware through various attack vectors.

Tools and Infrastructure Used

The report also outlines the tools and infrastructure used by the ICS threat actor group, including:

Hapiot backdoor
KazuarV2 backdoor

Techniques Exploited for Execution of Attacks

The report highlights several techniques exploited by the ICS threat actor group to execute attacks, including:

Initial Access

Spear phishing was used as a technique to gain initial access to target systems.

Recommendations

Based on the threat report, several recommendations can be made for improving cybersecurity posture:

Monitor activity from known adversary groups.
Implement strict security controls around access to sensitive systems.
Regularly update software packages to prevent exploitation by exploiting zero-day vulnerabilities.
Implement layered web and network security mechanisms.

Resources

The full threat report is available at the following link:
https://www.forescout.com/blog/ics-threat-analysis-new-experimental-malware-can-kill-engineering-processes/

In conclusion, this new malware poses a significant threat to industrial control systems and emphasizes the need for organizations to maintain robust cybersecurity measures to protect against these types of threats.

Related

14 January

Threat Report: Deep Dive Into Linux Rootkit Malware

Threat Overview

A recent threat report published by AlienVault provides insights into a malicious Linux rootkit malware that has been used to compromise CentOS systems.

The report, titled “Deep Dive Into a Linux Rootkit Malware”, highlights the potential dangers posed by this malware and its capabilities.

Malware Analysis

The analysis examines a Linux rootkit malware consisting of two components: a kernel module (sysinitd.ko) and a user-space binary (sysinitd). The kernel module hijacks inbound network traffic using Netfilter hooks, creates procfs entries for communication, and starts the user-space process. Meanwhile, the user-space component disguises itself as ‘bash’, enabling remote command execution with root privileges.

Initiation of Communication

Attackers initiate communication using a special ‘attack-init’ packet, allowing them to send encrypted commands to control the compromised system. The malware’s initialization process involves binding system calls and intercepting select network protocols.

Tactics Employed

The report sheds light on the tactics employed by attackers to deploy this malware:

* Remote compromise of systems to install malicious kernel modules.

* Disguising malware components to evade detection.

* Leveraging system privileges to execute arbitrary commands.

Recommendations

Based on the threat report, several recommendations can be made for enhancing cybersecurity measures:

1. Regular Patching and Updates: Ensure CentOS systems are up-to-date to protect against exploited vulnerabilities.

2. Network Intrusion Detection Systems (NIDS): Implementing NIDS can help detect unusual network activity and anomalies.

3. Endpoint Protection: Deploy robust endpoint protection solutions that can identify rootkit malware and prevent its installation.

4. Least Privilege Principle: Implement the principle of least privilege to minimize potential damage from compromised accounts.

5. Regular Backups: Maintain regular backups of critical data to facilitate swift recovery in case of an attack.

Resources

The full threat report can be accessed here:

https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware

Related

Empowering communities through knowledge, collaboration, and open dialogue. Join us in making a difference!

Programs

Usefull Links

Contact