On January 13th, the SpearTip Security Operations Center, in partnership with the Managed SaaS Alerts team, uncovered a brute-force campaign leveraging the fasthttp library. Fasthttp, a high-performance HTTP server and client library for Go, is designed to enhance efficiency in handling HTTP requests. However, its capabilities are now being exploited to conduct unauthorized login attempts and spam multi-factor authentication (MFA) requests, particularly targeting the Azure Active Directory Graph API (Application ID: 00000002-0000-0000-c000-000000000000). This malicious activity was first detected on January 6th, 2025.
Geolocation and Source of Attacks
Analysis of the threat revealed that a significant portion of the attack traffic, approximately 65%, originated from Brazil. Other countries contributing to the activity include Turkey, Argentina, Uzbekistan, Pakistan, and Iraq, each accounting for 2-3% of the traffic. The widespread use of diverse IP addresses and ASN providers indicates a coordinated effort to obscure the attackers’ origins. Detailed indicators of compromise (IOCs) are documented in Appendix A.
Observed Activity Rates
During the investigation, several types of malicious activities were observed. Authentication failures were the most common, comprising 41.53% of the detected incidents, indicating numerous unsuccessful login attempts with incorrect credentials. Account lockouts due to brute-force attempts accounted for 20.97%, reflecting the effectiveness of protection policies in halting repeated failed logins. Conditional access violations were also noted at a rate of 17.74%, often triggered by attempts to bypass geo-restrictions or device compliance requirements. Furthermore, 10.08% of the activities involved failed MFA authentication, suggesting that attackers were attempting to overwhelm the MFA system without success. Alarmingly, 9.68% of the incidents involved successful authentications from unexpected or unauthorized locations, highlighting the potential for compromised access.
Detection Tool: PowerShell Script
SpearTip has also released a PowerShell script to assist in the detection of fasthttp user agents in audit logs. The script, which outputs findings to the console and generates an output file, can be downloaded from SpearTip’s repository. It is crucial to verify the integrity of the download using the provided SHA1 checksum.
SpearTip’s Response
SpearTip has proactively addressed this threat by notifying affected clients and collaborating with the Managed SaaS Alerts team to disseminate IOCs. Additionally, a SaaS Alerts Respond rule has been created and deployed to automatically remediate fasthttp-related activity. This rule is now available to the SaaS Alerts Saa$y community to bolster collective defenses.
What SOC Teams Need to Know
Understanding the nuances of this campaign and how it abuses legitimate tooling and weak authentication controls is essential for SOC teams to effectively safeguard their environments. Here’s an in-depth look at the critical areas SOC teams must focus on to tackle this evolving threat:
1. Understanding the Fasthttp Library
Fasthttp is designed for high-performance HTTP request handling, offering significant advantages over Go’s standard net/http package, including improved throughput and lower latency. While these attributes are beneficial for legitimate uses, threat actors have exploited these same efficiencies to execute brute-force attacks more effectively. SOC teams need to familiarize themselves with the signatures and behaviors associated with fasthttp to differentiate between normal and malicious usage.
2. Indicators of Compromise (IOCs)
SOC teams must actively monitor for specific IOCs related to the fasthttp campaign. This includes unusual login attempts to the Azure Active Directory Graph API, particularly those originating from regions with a high concentration of attack traffic such as Brazil, Turkey, and Argentina. IOCs should include:
- User Agents: Look for “fasthttp” entries in log files.
- IP Addresses: Cross-reference IPs from known malicious regions or ASN providers listed in Appendix A.
- Unusual Patterns: Identify spikes in failed login attempts, MFA spamming, or logins from unexpected geographic locations.
3. Log Analysis and Filtering
SOC teams should leverage the Microsoft Entra ID Sign-in logs, using the “Other Clients” filter to detect suspicious activities. It’s vital to review logs meticulously, focusing on the “User Agent” field for fasthttp-related entries. Additionally, using Microsoft Purview for keyword searches can provide a broader view of potential compromise points.
4. Proactive Threat Hunting
Engaging in proactive threat hunting is essential for early detection. SOC teams should set up automated rules to flag behaviors consistent with fasthttp exploitation. This includes monitoring for high rates of authentication failures, conditional access violations, and successful authentications from new or unexpected locations. Tools like the PowerShell script provided by SpearTip can streamline the detection process.
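As an added illustration of the IOC monitoring, log review and hunting described in points 2 to 4 (example code written here, not SpearTip’s PowerShell script), the following Python filters exported Entra ID sign-in records on the fasthttp user agent and buckets them into the activity categories reported above. The sign-in records are constructed, and both the error-code mapping and the set of expected sign-in countries are assumptions to adapt to your tenant.

```python
import json
from collections import Counter

# Constructed sample of Entra ID sign-in records, in the shape of Microsoft Graph
# signIn objects trimmed to the fields used here. All values are invented.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "a.user@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.10",
  "location": {"countryOrRegion": "BR"}, "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},
 {"userPrincipalName": "b.user@example.com", "userAgent": "fasthttp", "ipAddress": "198.51.100.7",
  "location": {"countryOrRegion": "TR"}, "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50053}},
 {"userPrincipalName": "c.user@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.44",
  "location": {"countryOrRegion": "BR"}, "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
 {"userPrincipalName": "d.user@example.com", "userAgent": "fasthttp", "ipAddress": "192.0.2.9",
  "location": {"countryOrRegion": "IQ"}, "conditionalAccessStatus": "notApplied", "status": {"errorCode": 500121}},
 {"userPrincipalName": "a.user@example.com", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
  "ipAddress": "192.0.2.200", "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "success", "status": {"errorCode": 0}}
]""")

FASTHTTP_UA = "fasthttp"
EXPECTED_COUNTRIES = {"US"}  # assumption: where this tenant's users normally sign in

def is_fasthttp(record):
    """Primary IOC from the write-up: the User Agent field names the fasthttp library."""
    return FASTHTTP_UA in (record.get("userAgent") or "").lower()

def classify(record, expected_countries=EXPECTED_COUNTRIES):
    """Map one sign-in to the activity categories the write-up reports.
    The error-code values used here are an assumption; verify them against your tenant."""
    code = record.get("status", {}).get("errorCode", 0)
    country = record.get("location", {}).get("countryOrRegion")
    if code == 0:
        return "success" if country in expected_countries else "success_unexpected_location"
    if record.get("conditionalAccessStatus") == "failure" or code == 53003:
        return "conditional_access_violation"
    if code == 50053:
        return "account_lockout"
    if code == 500121:
        return "mfa_failure"
    return "authentication_failure"

def hunt(records, expected_countries=EXPECTED_COUNTRIES):
    """Keep fasthttp sign-ins, summarise by category and source country, and list
    accounts the client actually got into (candidates for session expiry and reset)."""
    hits = [r for r in records if is_fasthttp(r)]
    categories = [classify(r, expected_countries) for r in hits]
    review = sorted({r["userPrincipalName"] for r, c in zip(hits, categories)
                     if c == "success_unexpected_location"})
    return {"total": len(hits),
            "by_category": dict(Counter(categories)),
            "by_country": dict(Counter(r["location"]["countryOrRegion"] for r in hits)),
            "review_accounts": review}
```

Feed it the JSON exported from the Entra ID sign-in logs (the same records the “Other Clients” filter surfaces) and the `review_accounts` list is the set to act on first under the response steps below.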
5. Response Strategies
Once fasthttp activity is detected, immediate action is critical. SOC teams should:
- Expire Sessions: Forcefully log out users associated with compromised credentials to prevent further unauthorized access.
- Credential Reset: Implement mandatory password resets for affected accounts, ensuring the new credentials are strong and unique.
- MFA Verification: Double-check MFA settings for compromised accounts. Ensure no unauthorized devices are linked and re-enroll legitimate devices as necessary.
- System Hardening: Apply the latest security patches to vulnerable systems and reinforce perimeter defenses to reduce the attack surface.
6. Communication and Coordination
Effective incident response requires clear communication across the organization. SOC teams should:
- Notify Stakeholders: Inform relevant departments, including IT, compliance, and executive management, about the incident and the ongoing response efforts.
- Educate Users: Conduct awareness training to help users recognize signs of phishing attempts and the importance of not approving unsolicited MFA requests.
- Coordinate with Partners: Work with external security partners and vendors, such as SaaS providers, to share IOCs and enhance collective defense mechanisms.
7. Long-Term Mitigation
To mitigate future threats, SOC teams should focus on:
- Enhanced Monitoring: Implement advanced monitoring tools that use machine learning to detect anomalous behavior indicative of new attack vectors.
- Regular Audits: Conduct periodic security audits of all systems and applications to ensure configurations are secure and up-to-date.
- Policy Updates: Review and update security policies, particularly those related to access controls, password management, and MFA enforcement.
By focusing on these areas, SOC teams can strengthen their defenses against fasthttp-based brute-force campaigns and similar threats.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact