Threat Overview
SpearTip has published a report detailing a new brute-force campaign leveraging the fasthttp library to gain unauthorized access to accounts. The campaign targets Azure Active Directory Graph API, resulting in a high volume of authentication failures, account lockouts, and conditional access violations.
Campaign Details
* Target: Azure Active Directory Graph API
* Duration: Ongoing since January 6th, 2025
* Origin: Significant traffic from Brazil
* fasthttp user agent: Observed in Entra ID sign-in logs under “Other Clients”
Recommendations
Based on the threat report, the following recommendations are made to mitigate the risks associated with this campaign:
* Monitor Entra ID sign-in logs for the fasthttp user agent.
* Where investigation finds successful authentications, or failed MFA/conditional access cases in which the credentials were correct, take these actions:
1. Expire user sessions.
2. Reset user credentials.
3. Review MFA devices associated with potentially compromised users.
* Further investigate the ASN providers and IP addresses listed in the report for potential affiliation with the campaign.
External References
The full report can be accessed via:
https://www.speartip.com/fasthttp-used-in-new-bruteforce-campaign/
Threat Overview
A recent threat report published by AlienVault, titled “Examining Redtail: Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics”, highlights the growing sophistication of cryptocurrency mining malware. The report analyzes Redtail, a stealthy cryptominer that employs advanced techniques to avoid detection.
Redtail – Key Features
The report unveils several notable features of Redtail:
* Stealthy installation and evasion tactics
* Utilizes additional scripts to identify CPU architecture and remove existing miners
* Originates from IP addresses in the Netherlands and Bulgaria
* Exploits weak root login credentials for initial compromise
* Employs SFTP for transferring malicious files
Protection Strategies
Based on the analysis, AlienVault recommends the following strategies to protect against Redtail and similar threats:
* Regular patching to address known vulnerabilities
* Deploy robust antimalware solutions to detect and block Redtail
* Disable direct root logins to prevent unauthorized access
* Use SSH key-based authentication or TCP Wrappers for tighter control over who can reach the SSH service
* Use Security Information and Event Management (SIEM) systems for centralized log monitoring
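The two SSH hardening items above (disable direct root logins, move to key-based authentication) as a small sshd_config audit, added here as an example; it is not code from AlienVault, SANS or ESSGroup. It assumes the stock OpenSSH configuration syntax (first occurrence of a keyword wins, directives after a Match line are conditional) and uses two constructed configuration fragments, one weak and one hardened; the default values it assumes for unset keywords are those of OpenSSH 7.0 and later.

```python
"""Audit an sshd_config for the Redtail-relevant settings.

Added example, not code from AlienVault, SANS or ESSGroup. Checks only the
global scope: anything after the first "Match" line is conditional and is
left for a human to review. Sample configs below are constructed.
"""
import re

# "Keyword value" or "Keyword=value"; sshd keywords are case-insensitive.
DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")

# (keyword, default when unset in OpenSSH 7.0+, acceptable values, reason)
CHECKS = [
    ("permitrootlogin", "prohibit-password", {"no"},
     "direct root logins should be disabled; Redtail's initial access is weak root credentials"),
    ("passwordauthentication", "yes", {"no"},
     "password logins should be off in favour of SSH keys"),
    ("pubkeyauthentication", "yes", {"yes"},
     "key-based authentication must stay enabled once passwords are off"),
]

# Constructed weak configuration: the state Redtail's brute forcing relies on.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed hardened configuration following the recommendations above.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication=no
ChallengeResponseAuthentication no

Match User deploy
    PasswordAuthentication yes
"""


def parse_global_directives(text):
    """Return {keyword: value} for the global scope, first occurrence winning."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # conditional scope starts; stop the global audit here
        directives.setdefault(key, value)  # sshd honours the first value seen
    return directives


def audit(text):
    """Return a list of (keyword, effective_value, reason) findings."""
    directives = parse_global_directives(text)
    findings = []
    for key, default, acceptable, reason in CHECKS:
        value = directives.get(key, default).lower()
        if value not in acceptable:
            origin = "set" if key in directives else "unset, default"
            findings.append((key, f"{value} ({origin})", reason))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for key, value, reason in audit(cfg):
            print(f"  {key}={value}: {reason}")
```

Run it against `/etc/ssh/sshd_config` by passing the file contents to `audit()`; an empty list means the global scope matches the recommendations, and a Match block like the one in the hardened sample still needs a manual look because it can re-enable passwords for specific users.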
The Evolving Threat of Cryptomining Malware
The report underscores the continuous evolution of cryptocurrency mining malware. The sophistication displayed by Redtail serves as a reminder that comprehensive cybersecurity measures and ongoing vigilance are crucial in protecting against advanced threats.
Resources
For more information on this threat:
* SANS Internet Storm Center Daily Diary: https://isc.sans.edu/diary/rss/31568
Threat Overview
The Security Operations Center (SOC) has identified a significant threat report published by AlienVault on May 20, 2025. The report, titled “Brand impersonation, online ads, and malicious merchants help purchase scam network prey on victims”, details a sophisticated network of 71 purchase scam websites linked to 12 shared merchant accounts used for fraudulent transactions.
The scams employ various tactics such as brand impersonation, online advertisements, and the involvement of malicious merchants to target unsuspecting victims. This network has been operational since February 2025 and uses techniques like typosquatting and brand logo abuse to mimic legitimate retailers. Transactions conducted through these identified merchant accounts are highly likely to be fraudulent, facilitating card compromise.
The report highlights that the attribution of this network remains unclear. It could be controlled by a single actor or multiple actors collaborating through dark web services. The SOC has assessed the confidence level of this report as 100%, indicating absolute certainty in its findings. The reliability of the report is rated as A, signifying it is completely reliable.
The threat report includes 238 connected elements, providing a comprehensive analysis of the network’s operations and tactics. External references for additional information are available at https://www.recordedfuture.com/blog/purchase-scam-networks-prey-on-victims and https://otx.alienvault.com/pulse/682cf1294f2f6dea7a0ae4ae.
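A small screening routine for the typosquatting technique named above, added here as an example; it is not code from Recorded Future, AlienVault or ESSGroup, and none of the 71 sites from the report appear in it. It assumes a defender holds a list of a brand's legitimate domains and a feed of candidate domains (from ad URLs, merchant records or new registrations) to check against them; the brand and candidate domains below are constructed, and the registrable-domain extraction is a naive last-two-labels split rather than a Public Suffix List lookup.

```python
"""Screen candidate domains for look-alikes of a brand's real domains.

Added example, not code from Recorded Future, AlienVault or ESSGroup.
All domains are constructed. Classification, in order of checks:
legitimate, homoglyph, typosquat, brand-embedded, unrelated.
"""

# Single-character look-alikes commonly swapped into domain labels.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character look-alikes ("rn" reads as "m", "vv" as "w").
MULTI = [("rn", "m"), ("vv", "w")]

# Constructed inputs: the brand's real domains and a feed of candidates.
BRAND_DOMAINS = ["northwind.com", "northwind.co.uk"]
CANDIDATES = ["northwind.com", "shop.northwind.com", "n0rthwind.com",
              "northwnid.com", "nortwind.com", "northwind-outlet.shop",
              "example.org"]


def normalize(label):
    """Map look-alike characters to the letters they imitate."""
    label = label.lower().translate(HOMOGLYPHS)
    for src, dst in MULTI:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance with a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Naive registrable domain: last two labels (use the PSL in real code)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify(candidate, brand_domains):
    """Label one candidate relative to the brand's real domains."""
    cand_reg = registrable(candidate)
    if cand_reg in {registrable(b) for b in brand_domains}:
        return "legitimate"
    cand_label = cand_reg.split(".")[0]
    for brand in brand_domains:
        brand_label = registrable(brand).split(".")[0]
        if normalize(cand_label) == brand_label:
            return "homoglyph"
        # Short brand labels get a tighter threshold to limit false positives.
        max_distance = 1 if len(brand_label) <= 5 else 2
        if levenshtein(cand_label, brand_label) <= max_distance:
            return "typosquat"
        if brand_label in cand_label:
            return "brand-embedded"
    return "unrelated"


def screen(candidates, brand_domains):
    """Classify every candidate; the caller reviews anything not legitimate."""
    return {c: classify(c, brand_domains) for c in candidates}


if __name__ == "__main__":
    for domain, verdict in screen(CANDIDATES, BRAND_DOMAINS).items():
        print(f"{domain:24} {verdict}")
```

The thresholds and the homoglyph table are deliberately conservative; a real feed would add the Public Suffix List for registrable-domain extraction and pass flagged domains, together with any merchant accounts behind them, to the audits and intelligence sharing the mitigations below describe.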
Mitigation Strategies
To mitigate the risks associated with this purchase scam network, card issuers and merchant acquirers are advised to implement the following strategies:
Multi-Factor Authentication (MFA): Enforce MFA for all online transactions to add an extra layer of security, reducing the risk of unauthorized access.
Regular Audits: Conduct regular audits of merchant accounts to ensure compliance with security standards and identify any suspicious activities early.
Collaboration with Law Enforcement: Work closely with law enforcement agencies to share information about identified scam networks and merchant accounts involved in fraudulent transactions.
Use of Advanced Threat Intelligence: Leverage threat intelligence platforms to stay updated on the latest tactics used by cybercriminals. This will help in proactively identifying potential threats before they can cause harm.
Secure Payment Gateways: Ensure that all payment gateways are secure and comply with industry standards such as PCI-DSS (Payment Card Industry Data Security Standard). Regularly update these systems to patch any vulnerabilities.
Fraud Detection Algorithms: Deploy machine learning-based fraud detection algorithms that can learn from past incidents and predict potential future threats.
Incident Response Plan: Develop a robust incident response plan to quickly address any security breaches or fraudulent activities. This includes having a dedicated team ready to respond to incidents 24/7.
Dark Web Monitoring: Monitor dark web forums and marketplaces for any discussions or listings related to the purchase scam network. This can provide early warnings about potential threats.
Conclusion
The identified purchase scam network poses a significant threat to both consumers and financial institutions. By employing brand impersonation, online ads, and malicious merchants, this network successfully targets victims and facilitates card compromise. The SOC recommends immediate action by card issuers and merchant acquirers to implement the suggested mitigation strategies. This will help in reducing financial fraud and compliance risks associated with these scams.
For more detailed information, please refer to the external references provided in the report. Stay vigilant and proactive in protecting against evolving cyber threats.