FastHTTP Bruteforce Attacks

THE THREAT

Security researchers from SpearTip have identified an ongoing campaign which employs Fasthttp to conduct bruteforce and Multi-Factor Authentication (MFA) fatigue attacks. eSentire has observed activity involving Fasthttp that matches the description provided by SpearTip.

Threat actors are weaponizing Fasthttp, a high-performance HTTP server and client library for the Go programming language, to automate unauthorized login attempts. This activity has specifically targeted Azure Active Directory Graph API and leads to either bruteforce or MFA fatigue attacks.

To prevent this activity, organizations are strongly encouraged to review and implement the recommendations provided below.

What we’re doing about it

• eSentire’s Tactical Threat Response team has updated eSentire MDR for Log detections to identify this activity
• Threat hunting for known Indicators of Compromise (IoCs) is ongoing
• Known malicious IP addresses have been added to eSentire’s Global Block List
• The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities

What you should do about it

Prevention Recommendations:

• Implement Device Compliance policies and Conditional Access policies to limit access to only compliant devices within specified IP ranges
• Enforce the use of Multi-Factor Authentication that is fatigue attack resistant, such as number matching
  • Alternatively, limit the number of MFA push notifications and prompts that can be sent within a specified time period
• Educate users on MFA fatigue, teaching the importance of not clicking “Accept” just to make the MFA push prompts stop
• Enforce the use of long complex passwords/passphrases

Identifying Malicious Activity:

• Implement custom activity policy for Microsoft Defender for Cloud Apps to identify logons with matching user agent string
  • Create an Activity Policy
  • Under Act On, select Single Activity
  • Select the Following Filters:
    • Activity Type equals Log on
    • User agent string contains fasthttp
  • Governance Actions recommendations:
    • The All Apps Options:
      • Suspend Microsoft Entra User (Optional)
      • Require User to Sign in Again
      • Confirm user Compromised
    • The Microsoft 365 Options:
      • Suspend User in App
      • Require User to Sign in Again
      • Confirm User Compromised
  • See Figure 1 for an example

Additional information

The goal of this campaign is to gain illicit access to organizations Microsoft 365 accounts. The campaign has been ongoing since at least January 6th. The use of FastHTTP enables threat actors to automate this activity and increase the overall number of attacks. In a bruteforce attack scenario, threat actors repeatedly attempt to gain access to an account via password attempts. In an MFA Fatigue scenario, threat actors repeated triggering MFA notifications until a user accepts the MFA request, either accidentally or out of frustration.

According to SpearTip, the success rate of this activity is just under 10%, as over 40% of attacks fail, 21% lead to account lockouts due to existing security controls, 10% are prevented by strong MFA, and 17% are detected due to policy violations. These attacks result in the takeover of Microsoft 365 accounts, which can then be used by threat actors for a variety of malicious purposes, including direct data theft or secondary attacks, such as Business Email Compromise. To prevent this activity, organizations can create conditional access policies to allow users to login only from approved devices and specific IP ranges.

References:

[1] https://www.speartip.com/fasthttp-used-in-new-bruteforce-campaign/
[2] https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
[3] https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network
[4] https://techcommunity.microsoft.com/blog/identity/defend-your-users-from-mfa-fatigue-attacks/2365677
[5] https://learn.microsoft.com/en-us/defender-cloud-apps/user-activity-policies