Source | ProofPoint
Identifier | 8644697
Publication date | 2025-01-30 08:54:57 (viewed: 2025-01-30 10:08:05)
Title | HTTP Client Tools Exploitation for Account Takeover Attacks
Text |
Key takeaways
According to Proofpoint findings, 78% of Microsoft 365 tenants were targeted at least once by an account takeover attempt utilizing a distinct HTTP client.
Most HTTP-based cloud attacks utilize brute force methods, resulting in low success rates.
Proofpoint researchers found that a recent campaign using the unique HTTP client Axios had an especially high success rate, compromising 43% of targeted user accounts.
Proofpoint researchers identified a brute force campaign, distinguished by its high velocity and distributed access attempts, utilizing the Node Fetch client.
Overview
HTTP client tools are software applications or libraries used to send HTTP requests and receive HTTP responses from web servers. These tools allow users to craft requests with various HTTP methods (e.g., GET, POST, PUT, DELETE), customize headers, include payloads, and inspect server responses.
Proofpoint has observed a rising trend of attackers repurposing legitimate HTTP client tools, such as those emulating XMLHttpRequest and Node.js HTTP requests, to compromise Microsoft 365 environments. Originally sourced from public repositories like GitHub, these tools are increasingly used in attacks like Adversary-in-the-Middle (AitM) and brute force techniques, leading to numerous account takeover (ATO) incidents.
This blog explores the historical and current use of HTTP clients in ATO attack chains, shedding light on the evolving tactics of threat actors.
Historical trends
In February 2018, Proofpoint researchers identified a widespread malicious campaign targeting thousands of organizations worldwide, leveraging an uncommon OkHttp client version ('okhttp/3.2.0') to target Microsoft 365 environments. Using dedicated hosting services in Canada and the U.S., the attacker consistently launched unauthorized access attempts for nearly four years, focusing on high-value targets such as C-level executives and privileged users.
According to Proofpoint research, much of the targeted users' data seems to have come from breaches like the 2016 LinkedIn credentials leak, enabling attackers to launch sizeable attacks against thousands of organizations. In addition, further analysis revealed that these OkHttp-based activities were just the initial stage of a sophisticated attack chain.
It turned out that threat actors employed user enumeration methods to identify valid email addresses before executing other threat vectors, such as spear phishing and password spraying. This technique generated high volumes of login attempts, mostly aimed at nonexistent accounts. By 2021, the campaign peaked with tens of thousands of attacks monthly but significantly declined by late 2021, signaling a shift in attackers' tactics.
Current trends
Since 2018, HTTP clients have remained widely used in ATO attacks. According to Proofpoint threat researchers, early 2024 saw OkHttp variants dominate, but by March 2024 a broader range of HTTP clients gained traction. Moreover, in terms of scale, the second half of 2024 saw 78% of organizations experience at least one ATO attempt involving an HTTP client, a 7% increase from the prior six months.
During this time, newly observed HTTP clients, like 'python-request', were being integrated into brute force attack chains, significantly increasing threat volume and diversity. In May 2024, these attacks peaked, leveraging millions of hijacked residential IPs to target cloud accounts.
[Figure: ATO attacks leveraging HTTP clients by volume of affected user accounts (Jan – Dec 2024).]
In fact, most HTTP-based ATO attacks are brute force attempts with low success rates. However, Proofpoint investigated more effective threats, such as a recent campaign using the Axios HTTP client, which combines precision targeting with Adversary-in-the-Middle (AitM) techniques. This approach achieved a monthly average success rate of 38% when trying to compromise user accounts, by effectively overcoming modern security measu |
Tags |
Spam
Malware
Tool
Threat
Prediction
Medical
Cloud
Technical
|