SecurityScorecard also highlights that you may be able to see signs of the password-spray attacks in Entra ID logs, which will show increased login attempts for non-interactive logins, multiple failed login attempts from different IPs, and the presence of the "fasthttp" user agent in the authentication logs. A massive botnet of over 130,000 compromised devices is conducting password-spray attacks against Microsoft 365 (M365) accounts worldwide, targeting basic authentication to evade multi-factor authentication. The attacks rely on non-interactive sign-ins using Basic Authentication (Basic Auth) to bypass Multi-Factor Authentication (MFA) protections and gain unauthorized access without triggering security alerts. Since Basic Auth is non-interactive, when there's a match with the tried credentials, the attackers aren't prompted for MFA and very often aren't restricted by Conditional Access Policies (CAP), allowing the attackers to quietly verify account credentials. Once credentials are verified, they can be used to access legacy services that do not require MFA or in more sophisticated phishing attacks to bypass the security feature and gain full access to the account. The botnet uses over 130,000 compromised devices to spread out login attempts across different IP addresses, which helps evade getting flagged for suspicious activity and blocked. The newly discovered botnet uses Basic Auth attempts targeting a large number of accounts with common/leaked passwords. In January, SpearTip warned of threat actors conducting Microsoft 365 password attacks using the FastHTTP Go library in a similar manner but did not mention the non-interactive logins. Basic Auth is an outdated authentication method where a user's credentials are sent in plaintext or base64 encoded form with every request to a server. Non-interactive sign-ins, commonly used for service-to-service authentication, legacy protocols (e.g., POP, IMAP, SMTP), and automated processes, do not trigger MFA in many configurations," warns SecurityScorecard. It lacks modern security features like MFA and token-based authentication, and Microsoft plans to deprecate it in favor of OAuth 2.0 in September 2025, already having disabled it for most Microsoft 365 services. The botnet operates through six primary command and control (C2) servers hosted by U.S. provider Shark Tech, while it proxies traffic through Hong Kong-based UCLOUD HK and China-linked CDS Global Cloud. According to a report by SecurityScorecard, the attackers are leveraging credentials stolen by infostealer malware to target the accounts at a large scale.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 24 Feb 2025 17:50:20 +0000