
A Chinese Botnet Bombards Microsoft with Cyberattacks

A botnet is currently targeting Microsoft. According to researchers at SecurityScorecard, a network of over 130,000 compromised devices is deploying attacks against Microsoft 365 accounts located around the world. The attacks are distributed across different IP addresses. This precaution allows hackers to avoid triggering a security alert.

Attacks based on stolen credentials

Active since December 2024, the botnet orchestrates so-called password spraying attacks. This type of attack involves trying commonly used passwords against a large number of accounts at once. By multiplying the sign-in attempts, cybercriminals often end up finding a working combination.

To improve the effectiveness of their attacks, the botnet relies on credentials stolen upstream by infostealer malware. This category of malware, increasingly used by hackers, is designed solely to harvest and exfiltrate personal data from Internet users, including logins and passwords. In short, the botnet tests already compromised combinations to see whether they unlock Microsoft 365 accounts.

Hackers bypass two-factor authentication

The botnet attempts to access Microsoft accounts using a basic authentication method, namely the traditional password alone, while sidestepping multi-factor authentication. To get around the second authentication factor, the hackers have found a trick.

Some organizations lack the means to detect botnet attacks. Indeed, some targets only monitor so-called interactive sign-ins, in which a user is directly involved. They do not identify non-interactive sign-ins, made by machines such as those that make up a botnet. In that case, the sign-in attempt goes unnoticed. As a result, multi-factor authentication is not triggered, which opens the door to the targeted accounts for cybercriminals. All they need is the right credentials.

Once the credentials are validated, they can be used to access services not protected by multi-factor authentication. The data can also be used in phishing attacks, the researchers report.
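The detection gap described above, as an added example that is not part of the original article: a defender's check over constructed sign-in records (field names are assumed, loosely modelled on sign-in log fields, not a real schema) that looks for the two signals the researchers describe, namely non-interactive failures spread thinly across many IPs and accounts, and a non-interactive success without MFA following such failures.

```python
"""Flag distributed, non-interactive password spraying in sign-in records.

Sample events below are constructed and use assumed field names
(user, ip, interactive, success, mfa); they are not real log data.
"""
from collections import defaultdict

# Constructed sample: one failed non-interactive attempt per account, each
# from a different IP, then one success without MFA on 'dana'.
EVENTS = [
    {"user": "alice", "ip": "198.51.100.1", "interactive": False, "success": False, "mfa": False},
    {"user": "bob",   "ip": "198.51.100.2", "interactive": False, "success": False, "mfa": False},
    {"user": "carol", "ip": "198.51.100.3", "interactive": False, "success": False, "mfa": False},
    {"user": "dana",  "ip": "198.51.100.4", "interactive": False, "success": False, "mfa": False},
    {"user": "dana",  "ip": "198.51.100.5", "interactive": False, "success": True,  "mfa": False},
    # Interactive, MFA-protected sign-ins from one office IP: benign noise.
    {"user": "alice", "ip": "203.0.113.9",  "interactive": True,  "success": True,  "mfa": True},
    {"user": "bob",   "ip": "203.0.113.9",  "interactive": True,  "success": False, "mfa": False},
]

def spray_indicators(events, min_accounts=3, max_per_ip=2):
    """Return (is_spray, targeted_accounts, source_ips) for non-interactive failures.

    A per-IP lockout threshold alone misses a botnet that spreads attempts
    across many addresses, so this aggregates across the tenant: many distinct
    accounts failing while each IP is used only a few times is the signature.
    """
    per_ip = defaultdict(int)
    accounts = set()
    for e in events:
        if not e["interactive"] and not e["success"]:
            per_ip[e["ip"]] += 1
            accounts.add(e["user"])
    low_and_slow = all(n <= max_per_ip for n in per_ip.values())
    is_spray = len(accounts) >= min_accounts and len(per_ip) >= min_accounts and low_and_slow
    return is_spray, accounts, set(per_ip)

def compromised_accounts(events):
    """Accounts with a successful non-interactive sign-in that skipped MFA
    after at least one non-interactive failure: the path the article describes."""
    failed = {e["user"] for e in events if not e["interactive"] and not e["success"]}
    return sorted({e["user"] for e in events
                   if not e["interactive"] and e["success"] and not e["mfa"]
                   and e["user"] in failed})

if __name__ == "__main__":
    spray, accts, ips = spray_indicators(EVENTS)
    print(f"spray={spray} accounts={sorted(accts)} distinct_ips={len(ips)}")
    print("review immediately:", compromised_accounts(EVENTS))
```

Tuning `min_accounts` and `max_per_ip` to the tenant's normal non-interactive volume is what keeps service accounts and token refreshes from tripping the check.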

According to the researchers, the botnet is under the command of hackers from China. They found several clues pointing to Chinese cybercriminals, including the time zone used on the servers. For the moment, the experts have not been able to attribute the attack to a particular gang.

Source: SecurityScorecard
