
Overview
A sophisticated cyber threat has emerged, involving a botnet comprising over 130,000 compromised devices. This botnet is executing large-scale password spraying attacks targeting Microsoft 365 (M365) accounts. By exploiting outdated authentication protocols, the attackers aim to gain unauthorized access to sensitive organizational data.
Understanding Password Spraying Attacks
Password spraying is a technique where attackers attempt a few commonly used passwords across many accounts, avoiding the account lockouts that typically result from multiple failed login attempts on a single account. This method increases the likelihood of compromising accounts with weak or reused passwords.
Exploitation of Basic Authentication
The attackers are leveraging Basic Authentication (Basic Auth), an outdated protocol that transmits user credentials in plaintext or base64-encoded form. Despite Microsoft's plans to deprecate Basic Auth by September 2025, it remains active in some environments, providing a vulnerable entry point for attackers. Basic Auth lacks modern security features like Multi-Factor Authentication (MFA) and token-based authentication, making it a prime target for exploitation.
Non-Interactive Sign-Ins: A Stealthy Approach
The botnet employs non-interactive sign-ins, commonly used for service-to-service authentication and automated processes. These sign-ins often do not trigger MFA or Conditional Access Policies (CAPs), allowing attackers to bypass security measures undetected. SecurityScorecard highlights that such attacks are recorded in non-interactive sign-in logs, which are frequently overlooked by security teams, creating a critical blind spot.
Attribution and Infrastructure
While definitive attribution is ongoing, evidence suggests that the botnet may be operated by a Chinese-affiliated group. The infrastructure includes command-and-control (C2) servers hosted by U.S. provider SharkTech, with traffic routed through Hong Kong-based UCLOUD HK and China-linked CDS Global Cloud. The C2 servers utilize Apache Zookeeper and Kafka for botnet management, with system time zones set to Asia/Shanghai, indicating possible Chinese origins.
Implications and Impact
The successful execution of these attacks can lead to:
- Unauthorized Access: Compromise of M365 accounts, granting attackers access to emails, documents, and collaboration tools.
- Data Exfiltration: Theft of sensitive organizational data.
- Operational Disruption: Potential disruption of business operations through account lockouts and unauthorized activities.
- Lateral Movement: Attackers may use compromised accounts to move laterally within the network, escalating privileges and accessing additional resources.
Technical Indicators
Organizations should monitor for the following indicators of compromise:
- Increased Non-Interactive Login Attempts: A surge in non-interactive sign-in attempts.
- Multiple Failed Login Attempts: Failed login attempts from various IP addresses.
- Unusual User Agents: Presence of the "fasthttp" user agent in authentication logs.
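As an added example, not code from the original advisory: a Python check that applies the three indicators above to a constructed set of non-interactive sign-in records, flagging a source IP whose failed sign-ins touch many accounts with only a few attempts each (the low-and-wide shape of a spray) and noting whether the "fasthttp" user agent was seen. The record field names, the thresholds, and the use of Entra error code 50126 for a bad password are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_PASSWORD = 50126  # Entra ID error code for invalid username or password

# Constructed sample of non-interactive sign-in records (not real log data):
# one source tries twelve different accounts once each, plus a normal user.
SAMPLE_EVENTS = [
    {"ts": f"2025-02-24T03:{i:02d}:00Z", "user": f"user{i}@example.com",
     "ip": "203.0.113.10", "agent": "fasthttp", "status": FAILED_PASSWORD}
    for i in range(12)
] + [
    {"ts": "2025-02-24T03:05:00Z", "user": "alice@example.com",
     "ip": "198.51.100.5", "agent": "Mozilla/5.0", "status": FAILED_PASSWORD},
    {"ts": "2025-02-24T03:06:00Z", "user": "alice@example.com",
     "ip": "198.51.100.5", "agent": "Mozilla/5.0", "status": 0},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(events, window=timedelta(hours=1), min_users=10, max_per_user=3):
    """Return one finding per source IP whose failed sign-ins inside `window`
    reach at least `min_users` distinct accounts while no single account is
    tried more than `max_per_user` times (few passwords, many users)."""
    failed = sorted((e for e in events if e["status"] == FAILED_PASSWORD),
                    key=lambda e: parse_ts(e["ts"]))
    by_ip = defaultdict(list)
    for e in failed:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):  # sliding window over this IP's failures
            end_t = parse_ts(start["ts"]) + window
            per_user, agents = defaultdict(int), set()
            for e in evs[i:]:
                if parse_ts(e["ts"]) > end_t:
                    break
                per_user[e["user"]] += 1
                agents.add(e["agent"])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings.append({"ip": ip, "users": len(per_user),
                                 "first_seen": start["ts"],
                                 "fasthttp_agent": "fasthttp" in agents})
                break  # one finding per IP is enough
    return findings
```

Run against real exports, the same shape (many distinct users, few attempts each, one source) is what separates a spray from a single user mistyping a password, so tune `min_users` to the size of the tenant rather than leaving the default.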
Mitigation Strategies
To defend against such attacks, organizations should:
- Disable Basic Authentication: Transition to modern authentication methods that support MFA.
- Enforce Multi-Factor Authentication: Implement MFA across all accounts, including service accounts.
- Implement Conditional Access Policies: Restrict non-interactive login attempts and enforce strict access controls.
- Monitor Authentication Logs: Regularly review non-interactive sign-in logs for unusual activity.
- Update and Patch Systems: Ensure all systems are up-to-date with the latest security patches.
Conclusion
The emergence of this large-scale botnet targeting Microsoft 365 accounts underscores the critical need for organizations to reassess their authentication strategies. By proactively disabling outdated protocols like Basic Authentication, enforcing MFA, and monitoring authentication logs, organizations can significantly reduce the risk of unauthorized access and protect their sensitive data.