
Cybersecurity Today: High-Speed Go Library Exploits & Major Data Breaches In today's episode, host Jim Love covers recent cybersecurity threats including the exploitation of a high-speed Go library to target Microsoft 365 accounts, North Korea's...
Jim Love
Hackers exploit a high-speed Go library to target Microsoft 365 accounts worldwide. North Korea's Lazarus Group lures developers with AI-enhanced jobs, and 15,000 FortiGate devices are exposed as hackers leak sensitive VPN credentials and configurations. This is Cybersecurity Today. I'm your host, Jim Love.

Threat actors are using the fasthttp Go library to launch high-speed brute-force password attacks on Microsoft 365 accounts worldwide, detected by incident response firm SpearTip. This campaign began on January 6th and primarily targets the Azure Active Directory Graph API. fasthttp, a high-performance HTTP library for the Go programming language, is being exploited to automate unauthorized login attempts. Attackers are also leveraging multi-factor authentication fatigue tactics, bombarding users with repeated MFA challenges to gain access. An investigation revealed that 65% of the attack traffic originates from Brazil, with significant activity from Turkey, Argentina and others. While most attacks fail or are blocked, a concerning 9.7% successfully authenticate, underscoring the risks of account takeovers. SpearTip has issued guidance, including a PowerShell script to detect the fasthttp user agent in logs. Administrators should immediately reset compromised accounts, review authorized MFA devices, and follow the indicators of compromise outlined in the report. This campaign highlights the importance of enforced MFA policies and vigilant monitoring to protect your sensitive data. You can read more in SpearTip's full report; there's a link in the show notes.

North Korea's Lazarus, an advanced persistent threat group, is once again using clever tricks to target developers looking for jobs. Their latest campaign, dubbed Operation 99, disguises attackers as recruiters on LinkedIn, offering lucrative job opportunities. The goal? To trick freelance software developers into cloning malicious Git repositories loaded with malware.

Now, this isn't Lazarus's first foray into job scams. Previous campaigns like Operation Dream Job in 2021 and Dev Popper have exploited job seekers. But researchers note that Operation 99 takes things to a new level. They have AI-generated recruiter profiles combined with compromised LinkedIn accounts, which make these scams highly convincing, according to Ryan Sherstobitoff, the senior VP of threat research for a firm called SecurityScorecard. By presenting complete and convincing profiles, attackers offer what seem to be genuine job opportunities. Now, once developers clone the malicious repositories, malware with names like Main 99 and Payload 99 springs into action. They steal source code, cryptocurrency wallet keys, and other sensitive data. The malware also works across operating systems, targeting Windows, macOS and Linux, with tools for keylogging, clipboard monitoring and credential theft. Experts warn developers to treat job offers involving repository cloning or software downloads with caution. As Sherstobitoff puts it, if a job opportunity seems too good to be true, it likely is. Employers are urged to reinforce social engineering awareness and emphasize cybersecurity best practices to guard against these sophisticated attacks.

A new hacking group known as the Belsen Group has leaked sensitive data from over 15,000 FortiGate devices. The stolen information, published on the dark web, includes VPN credentials, private keys, and firewall configurations, exposing organizations to serious risks. This breach reportedly stems from attacks in 2022 that exploited a zero-day vulnerability in FortiOS firmware. The flaw, tracked as CVE-2022-4684, allowed attackers to access device configurations and create rogue super admin accounts. Despite Fortinet releasing a patch in October 2022, many devices remain unpatched or misconfigured, making them vulnerable even now. What makes this leak particularly dangerous is how organized the stolen data is. The files, sorted by country and device IP address, provide a blueprint for cybercriminals to penetrate networks. Cybersecurity expert Kevin Beaumont confirmed the authenticity of the data, warning that it poses a renewed threat. The data appears to have been assembled in October 2022, but its release now makes it a ticking time bomb. This isn't the first time Fortinet has been targeted. In 2021, nearly 500,000 VPN credentials were exposed in another attack. Organizations using FortiGate devices are urged to act immediately. Beaumont plans to release a list of impacted IPs to help administrators determine if they're at risk. In the meantime, administrators should reset credentials, update firmware, and conduct a thorough review of configurations to ensure their networks are secure.

And that's our show for today. You can reach me with tips, comments, and even the occasional constructive criticism at editorial@technewsday.ca. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: Hackers Target Microsoft 365 With High-Speed Attack
Podcast Title: Cybersecurity Today
Host: Jim Love
Episode: Hackers Target Microsoft 365 With High-Speed Attack
Release Date: January 17, 2025
Jim Love delves into the latest cybersecurity threats impacting businesses worldwide in this episode of Cybersecurity Today. Covering high-speed attacks on Microsoft 365, sophisticated job scams orchestrated by North Korea's Lazarus Group, and a significant data leak from FortiGate devices, Love provides listeners with comprehensive insights and actionable advice to safeguard their organizations.
Attack Vector and Mechanism
Jim Love opens the episode by highlighting a campaign targeting Microsoft 365 accounts with the fasthttp Go library. Detected by incident response firm SpearTip, the campaign uses fasthttp, a high-performance HTTP library for the Go programming language, to automate unauthorized login attempts at high volume. The primary target is the Azure Active Directory Graph API, a critical component for managing Microsoft 365 services.
Global Impact and Success Rate
The campaign, which commenced on January 6th, predominantly emanates from Brazil, accounting for 65% of the attack traffic, with significant activities also reported from Turkey, Argentina, and other regions. While the majority of these brute force attempts are thwarted or blocked, a concerning 9.7% of the attacks successfully authenticate, posing substantial risks for account takeovers.
Attack Tactics and Threats
In addition to brute force methods, attackers are employing multi-factor authentication (MFA) fatigue tactics. This strategy involves bombarding users with repeated MFA challenges, increasing the likelihood of users inadvertently granting access by repeatedly confirming authentication prompts.
Expert Guidance and Mitigation Strategies
SpearTip has issued guidance to counter these attacks, including a PowerShell script that searches sign-in logs for the fasthttp user agent. Administrators are urged to reset compromised accounts immediately, review the MFA devices authorized on those accounts, and follow the indicators of compromise outlined in SpearTip's report.
Love emphasizes the importance of enforcing robust MFA policies and maintaining vigilant monitoring practices to protect sensitive data from such high-velocity attacks.
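The detection SpearTip describes, a search of sign-in logs for the fasthttp user agent, can be paired with the MFA-fatigue signal that lives in the same logs: a burst of MFA prompts against one account, and any prompt that was eventually approved. The Python below is an added example written for this summary; it is not SpearTip's PowerShell script or any code from the episode. The log records are constructed, and the field names (user, ip, userAgent, status, mfaResult) are assumptions standing in for whatever your identity provider's sign-in export actually uses.

```python
"""Flag fasthttp brute-force traffic and MFA-fatigue bursts in sign-in logs.

Added example for this summary, not SpearTip's script or code from the
episode. The records are constructed and the field names are assumptions:
'status' is the primary credential result ('success' means the password
was accepted) and 'mfaResult' is the outcome of an MFA prompt, or null
when no prompt was sent.
"""
import json
from collections import defaultdict

# Constructed sample sign-in records, one JSON object per line.
SAMPLE_LOG = """
{"time": "2025-01-06T10:00:01Z", "user": "alice@example.com", "ip": "203.0.113.10", "userAgent": "fasthttp", "status": "failure", "mfaResult": null}
{"time": "2025-01-06T10:00:02Z", "user": "alice@example.com", "ip": "203.0.113.10", "userAgent": "fasthttp", "status": "failure", "mfaResult": null}
{"time": "2025-01-06T10:00:03Z", "user": "alice@example.com", "ip": "203.0.113.10", "userAgent": "fasthttp", "status": "success", "mfaResult": "denied"}
{"time": "2025-01-06T10:00:04Z", "user": "alice@example.com", "ip": "203.0.113.10", "userAgent": "fasthttp", "status": "success", "mfaResult": "denied"}
{"time": "2025-01-06T10:00:05Z", "user": "alice@example.com", "ip": "203.0.113.10", "userAgent": "fasthttp", "status": "success", "mfaResult": "approved"}
{"time": "2025-01-06T10:01:00Z", "user": "bob@example.com", "ip": "198.51.100.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "status": "success", "mfaResult": "approved"}
{"time": "2025-01-06T10:02:00Z", "user": "carol@example.com", "ip": "203.0.113.11", "userAgent": "fasthttp", "status": "failure", "mfaResult": null}
"""


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_fasthttp_events(records):
    """Keep sign-ins whose user agent carries the fasthttp marker.

    The library's default client user agent is the bare string 'fasthttp';
    the match is case-insensitive and substring-based so a version suffix
    or wrapper string would still hit.
    """
    return [r for r in records
            if "fasthttp" in (r.get("userAgent") or "").lower()]


def summarize_by_user(records):
    """Roll fasthttp events up per account: attempts, password hits, prompts."""
    summary = defaultdict(lambda: {"attempts": 0, "password_success": 0,
                                   "mfa_prompts": 0, "mfa_approved": 0,
                                   "sources": set()})
    for r in records:
        s = summary[r["user"]]
        s["attempts"] += 1
        s["sources"].add(r["ip"])
        if r.get("status") == "success":
            s["password_success"] += 1
        if r.get("mfaResult") is not None:
            s["mfa_prompts"] += 1
            if r["mfaResult"] == "approved":
                s["mfa_approved"] += 1
    return dict(summary)


def flag_accounts(summary, prompt_threshold=3):
    """Return accounts that need action, with the reasons.

    'password_accepted': the credential is known to the attacker; reset it.
    'mfa_fatigue': a burst of prompts, the user is being bombarded.
    'mfa_approved': a prompt was accepted; treat as an account takeover and
    review the MFA devices registered on the account.
    """
    flagged = {}
    for user, s in summary.items():
        reasons = []
        if s["password_success"]:
            reasons.append("password_accepted")
        if s["mfa_prompts"] >= prompt_threshold:
            reasons.append("mfa_fatigue")
        if s["mfa_approved"]:
            reasons.append("mfa_approved")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    events = find_fasthttp_events(parse_log(SAMPLE_LOG))
    per_user = summarize_by_user(events)
    for user, reasons in flag_accounts(per_user).items():
        s = per_user[user]
        print(f"{user}: {', '.join(reasons)} "
              f"(attempts={s['attempts']}, sources={sorted(s['sources'])})")
```

On the constructed sample only alice is flagged: three password hits from a fasthttp client, three prompts in a row, and one approval. bob's normal browser sign-in never enters the fasthttp set, and carol's single failed attempt is recorded but not escalated. The prompt threshold is a starting point to tune against your own baseline, and a real run should also window prompts by time rather than counting them across the whole export.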
Notable Quote:
Jim Love states at [05:30], “This campaign highlights the importance of enforced MFA policies and vigilant monitoring to protect your sensitive data.”
Sophisticated Job Scams Targeting Developers
The episode transitions to discuss the alarming activities of North Korea's Lazarus Group, an advanced persistent threat (APT) known for its cyber espionage and financial theft operations. Their latest initiative, Operation 99, represents a significant evolution in their tactics to compromise software developers.
Operation 99 Explained
Operation 99 involves the use of AI-generated recruiter profiles on LinkedIn, coupled with compromised legitimate accounts, to offer enticing job opportunities to freelance software developers. This campaign builds on previous Lazarus operations like Operation Dream Job (2021) and Dev Popper, which similarly exploited job seekers but lacked the nuanced sophistication introduced in Operation 99.
Malware Deployment and Data Theft
Once developers fall for the scam and clone the malicious Git repositories, malware such as Main 99 and Payload 99 is deployed. These variants steal source code, cryptocurrency wallet keys and other sensitive data, run on Windows, macOS and Linux, and include tools for keylogging, clipboard monitoring and credential theft.
Expert Commentary and Recommendations
Ryan Sherstobitoff, Senior VP of Threat Research at SecurityScorecard, underscores the heightened sophistication of these scams:
“By presenting complete and convincing profiles, attackers offer what seems to be genuine job opportunities.” ([12:45])
Experts advise developers to exercise extreme caution when encountering job offers that require repository cloning or software downloads. As Sherstobitoff warns,
“If a job opportunity seems too good to be true, it likely is.” ([13:10])
Organizations are encouraged to reinforce social engineering awareness and implement stringent cybersecurity best practices to defend against such deceptive tactics.
Massive Data Breach Exposure
Jim Love brings attention to a significant data breach orchestrated by a new hacking group known as the Belsen Group. This breach has resulted in the leakage of sensitive information from over 15,000 FortiGate devices, impacting organizations globally.
Details of the Compromised Data
The leaked data, available on the Dark Web, includes VPN credentials, private keys, and firewall configurations.
The data is meticulously organized by country and device IP address, presenting a detailed blueprint that cybercriminals can exploit to penetrate networks further.
Exploitation of Zero-Day Vulnerability
The breach stems from a zero-day vulnerability in the FortiOS firmware that runs FortiGate devices, identified as CVE-2022-4684. Discovered in 2022, this flaw allowed attackers to access device configurations and establish rogue super admin accounts.
Despite Fortinet releasing a patch in October 2022, many devices remain unpatched or misconfigured, leaving them vulnerable even years after the initial discovery.
Expert Analysis and Urgent Recommendations
Kevin Beaumont, a renowned cybersecurity expert, confirmed the authenticity of the leaked data and expressed grave concerns:
“The data appears to have been assembled in October 2022, but its release now makes it a ticking time bomb.” ([20:15])
Given the organized nature of the leak, Beaumont warns of the renewed threat it poses to organizations using FortiGate devices. This incident is reminiscent of a similar attack in 2021, where nearly 500,000 VPN credentials were exposed.
Protective Measures for Affected Organizations
Organizations using FortiGate devices are urged to reset credentials, update firmware, and conduct a thorough review of device configurations. Beaumont also plans to release a list of impacted IP addresses so administrators can check whether their devices are on it.
Jim Love emphasizes the critical nature of these steps to prevent further exploitation and secure organizational networks against the Belsen Group's leak.
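Beaumont's planned list of impacted IP addresses is only useful once someone compares it against the organization's own FortiGate inventory. The Python below is an added example for this summary, not code from the episode or from Beaumont; both the impacted list and the inventory are constructed, and the list format (one address or CIDR block per line, with '#' comments) is an assumption. It goes slightly beyond a plain address match by accepting CIDR entries, since a published list may summarise ranges. A non-match is not a clean bill: the leak was assembled in October 2022, so a device whose public address has changed since then could be affected without appearing under its current address.

```python
"""Compare a FortiGate inventory against a published impacted-IP list.

Added example for this summary, not code from the episode or from Kevin
Beaumont. Both inputs are constructed; the impacted-list format (one
address or CIDR per line, '#' comments) is an assumption.
"""
import ipaddress

# Constructed impacted list: bare addresses and a summarised range.
IMPACTED_LIST = """
# constructed sample, not the real published list
203.0.113.5
203.0.113.77
198.51.100.0/24   # whole block listed as a range
"""

# Constructed inventory: device name -> public address of its interface.
INVENTORY = {
    "fw-branch-01": "203.0.113.5",
    "fw-branch-02": "203.0.113.9",
    "fw-dc-01": "198.51.100.23",
    "fw-lab": "192.0.2.1",
}


def parse_impacted(text):
    """Parse the list into network objects; a bare address becomes a /32 (or /128)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        # strict=False tolerates host bits set in a CIDR entry (e.g. 10.0.0.5/24)
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def match_inventory(inventory, impacted):
    """Return {device: (address, matching entry)} for every device on the list."""
    hits = {}
    for name, addr in inventory.items():
        ip = ipaddress.ip_address(addr)
        for net in impacted:
            # Membership test handles both exact entries and CIDR ranges;
            # an IPv4 address is never 'in' an IPv6 network, so mixed lists are safe.
            if ip in net:
                hits[name] = (addr, str(net))
                break
    return hits


if __name__ == "__main__":
    impacted = parse_impacted(IMPACTED_LIST)
    hits = match_inventory(INVENTORY, impacted)
    for device, (addr, entry) in sorted(hits.items()):
        print(f"{device} ({addr}) matches impacted entry {entry}: "
              f"reset credentials, rotate keys, review config")
    print(f"{len(hits)} of {len(INVENTORY)} devices matched")
```

On the constructed data the branch firewall at 203.0.113.5 matches an exact entry and the data-centre firewall is caught by the /24 range, while the other two do not appear. Devices that match should be treated as if their configuration, VPN credentials and private keys are public, which is what the transcript's advice (reset credentials, update firmware, review configurations) addresses.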
In this episode of Cybersecurity Today, Jim Love underscores the evolving landscape of cyber threats, from high-speed brute-force attacks on Microsoft 365 to intricate job scams targeting developers and substantial data breaches jeopardizing organizational security. The recurring theme is the necessity for proactive defense mechanisms, encompassing robust authentication policies, continuous monitoring, and employee awareness.
Organizations are reminded that cybersecurity is an ongoing process, requiring constant vigilance and adaptation to emerging threats. By implementing the recommended strategies and staying informed about the latest attack vectors, businesses can better safeguard their sensitive data and maintain resilience against the ever-present risks in the digital realm.
For more detailed information, listeners are encouraged to access Speartip's full report and follow the guidance provided by cybersecurity experts referenced throughout the episode.
This summary captures the critical discussions and expert insights from Jim Love's January 17, 2025 episode of Cybersecurity Today, providing a comprehensive overview for those seeking to understand and mitigate current cybersecurity threats.