![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYcB32bkzUF1AUr0lZ-QhdBoLLvnT73Shfa_xeGfbzGcBDUBqpyPKsM8S2JQTYp2QPGEz9VYJtSjJQyPoaq62xn45twN9602Yhyphenhyphen2oaCfmumyoGw_m7b9zmIzDVJ4rtwEIe7veBBkkObIMddQ2IOKjt81JpF3aCJmPHikqQqDQwGUOk2Z3KPxOrkKRfKHDg/s728-rw-e365/pssword.png)
Cybercriminals are increasingly using legitimate HTTP client tools to carry out account takeover (ATO) attacks against Microsoft 365 environments.
Enterprise security company Proofpoint said it observed campaigns that used the HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP responses from web servers with the aim of conducting ATO attacks.
“These tools, originally sourced from public repositories such as GitHub, are increasingly being used in attacks such as adversary-in-the-middle (AitM) and brute-force techniques, leading to numerous account takeover (ATO) incidents.”
The use of HTTP client tools for brute-force attacks has been a long-running trend since at least February 2018, with successive variations of the OkHttp client targeting Microsoft 365 environments until at least early 2024.
By March 2024, however, Proofpoint began observing a wide range of HTTP clients gaining traction, with the attacks reaching a new high as 78% of Microsoft 365 tenants were targeted at least once by an ATO attempt in the second half of the year.
“In May 2024, these attacks peaked, targeting cloud accounts using millions of hijacked residential IPs,” said Akselevich.
The volume and diversity of these attacks are evidenced by the emergence of HTTP clients such as Axios, Go Resty, Node Fetch, and Python requests, with the combination of precision targeting and AitM techniques yielding a higher compromise rate.
Axios, designed for Node.js and browsers, can be paired with AitM platforms such as Evilginx to enable the theft of credentials and multi-factor authentication (MFA) codes.
Threat actors have also been observed setting up mailbox rules to hide evidence of malicious activity, stealing sensitive data, and registering new OAuth applications with excessive permission scopes to establish persistent remote access to compromised environments.
The Axios campaign is said to have primarily singled out high-value targets such as executives, financial staff, account managers, and operational staff across the transportation, construction, finance, IT, and healthcare verticals.
More than 51% of the targeted organizations are assessed to have been successfully impacted between June and November 2024, with 43% of targeted user accounts compromised.
The cybersecurity company said it has also detected a large-scale password spraying campaign using Node Fetch and Go Resty clients, recording more than 13 million login attempts since June 9, 2024, averaging over 66,000 malicious attempts per day. The success rate, however, remained low, affecting only 2% of targeted entities.
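The scripted HTTP clients named above (Axios, Node Fetch, Go Resty, Python requests, OkHttp) send recognizable default User-Agent strings, which gives defenders a simple triage signal in sign-in logs. The following is an added illustration, not Proofpoint's tooling: it flags sign-ins from these clients and surfaces the password-spray pattern of one source IP failing against many distinct accounts. The record field names and the sample records are constructed assumptions, and the User-Agent prefixes are assumed to match the libraries' defaults.

```python
import re
from collections import defaultdict

# Assumed default User-Agent prefixes of the HTTP client libraries named in the report.
CLIENT_UA_PATTERNS = {
    "axios": re.compile(r"^axios/", re.I),
    "node-fetch": re.compile(r"^node-fetch", re.I),
    "go-resty": re.compile(r"^go-resty/", re.I),
    "python-requests": re.compile(r"^python-requests/", re.I),
    "okhttp": re.compile(r"^okhttp/", re.I),
}

SAMPLE_SIGNINS = [  # constructed sample sign-in records (not a real log export)
    {"upn": "cfo@example.com", "ip": "203.0.113.10", "ua": "axios/1.6.0", "status": "failure"},
    {"upn": "cfo@example.com", "ip": "203.0.113.10", "ua": "axios/1.6.0", "status": "success"},
    {"upn": "alice@example.com", "ip": "198.51.100.7", "ua": "python-requests/2.31.0", "status": "failure"},
    {"upn": "bob@example.com", "ip": "198.51.100.7", "ua": "python-requests/2.31.0", "status": "failure"},
    {"upn": "carol@example.com", "ip": "198.51.100.7", "ua": "go-resty/2.7.0 (https://github.com/go-resty/resty)", "status": "failure"},
    {"upn": "dave@example.com", "ip": "192.0.2.55", "ua": "Mozilla/5.0 (Windows NT 10.0) ...", "status": "success"},
]

def classify_ua(user_agent):
    """Return the library name if the User-Agent matches a scripted HTTP client, else None."""
    for name, pattern in CLIENT_UA_PATTERNS.items():
        if pattern.search(user_agent):
            return name
    return None

def find_client_signins(records):
    """Return (record, client name) pairs for every sign-in made by a scripted client."""
    hits = []
    for rec in records:
        client = classify_ua(rec["ua"])
        if client:
            hits.append((rec, client))
    return hits

def spray_sources(records, min_accounts=3):
    """Source IPs whose scripted-client failures span >= min_accounts distinct accounts
    (one IP trying many users with a few passwords each is the password-spray shape)."""
    accounts_by_ip = defaultdict(set)
    for rec, _client in find_client_signins(records):
        if rec["status"] == "failure":
            accounts_by_ip[rec["ip"]].add(rec["upn"])
    return {ip: sorted(upns) for ip, upns in accounts_by_ip.items() if len(upns) >= min_accounts}

def successful_client_logins(records):
    """Successful sign-ins from a scripted client: the ATO candidates to review first."""
    return [rec["upn"] for rec, _c in find_client_signins(records) if rec["status"] == "success"]
```

In practice the same logic is run against Entra ID sign-in exports, with the flagged successes checked for follow-on mailbox rules and newly consented OAuth applications.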
So far, more than 178,000 targeted user accounts have been identified across the affected organizations, most of which belong to student users. These accounts are typically less protected and may be weaponized for other campaigns or sold to different threat actors.
“The threat actors' tooling for ATO attacks has evolved greatly, with a variety of HTTP client tools being used to exploit APIs and make HTTP requests,” said Akselevich. “These tools offer distinct advantages, making attacks more efficient.”
“Given this trend, attackers are likely to keep switching between HTTP client tools, adapting their strategies by leveraging new technologies to evade detection, reflecting a broader pattern of evolution aimed at enhancing effectiveness and minimizing exposure.”