Microsoft 365 Under Siege: Botnet Leverages Infostealer Logs in Password Spraying Campaign

Overview

SecurityScorecard has detected an ongoing campaign in which a botnet of more than 130,000 compromised devices targets Microsoft 365 (M365) accounts with large-scale password spraying. What sets the campaign apart is its use of non-interactive sign-ins over Basic Authentication: these legacy sign-ins do not pass through the interactive login flow, so they sidestep modern login protections and, in many tenant configurations, are never prompted for multi-factor authentication (MFA). The threat actor seeds the spraying with credentials taken from infostealer logs, which lets it try accounts at scale with passwords that are often still valid. The attempts are recorded only in the Non-Interactive Sign-In logs, which security teams frequently overlook.

Key Points

  • Threat actor: Suspected to be linked to China.

  • Target: Microsoft 365 accounts.

  • Technique: Password spraying that abuses Basic Authentication and non-interactive sign-ins, seeded with stolen credentials from infostealer logs and routed through proxies to evade detection.

  • Infrastructure: 6 Command & Control (C2) servers located in the US, using proxies at UCLOUD HK and CDS Global Cloud.

  • Impact: Account takeover, business disruption, lateral movement, MFA evasion, and bypassing Conditional Access Policies (CAP).

Technical Analysis

  • Password Spraying and Non-Interactive Logins: The campaign abuses how Microsoft 365 handles non-interactive sign-ins rather than a software vulnerability. These sign-ins are used by legacy protocols such as POP, IMAP and SMTP and by automated processes, and in many configurations they are subject neither to MFA nor to Conditional Access policies written for interactive logins. Basic Authentication, although being phased out by Microsoft, is still enabled in some tenants; it sends the username and password with every request, merely base64-encoded rather than encrypted, so a single valid credential pair from an infostealer log is enough to authenticate without any second factor.

  • Indicators of Compromise (IoCs):

    • Unusual non-interactive login attempts in the Entra ID Non-Interactive Sign-In logs.

    • Multiple failed login attempts for an account from various IP addresses.

    • User-Agent strings associated with automation tools (e.g., "fasthttp").

    • Communication with any of the IP addresses identified as C2:

        70.39.115[.]74
        70.39.120[.]10
        204.188.218[.]178
        204.188.218[.]179
        204.188.210[.]226
        204.188.210[.]227
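As an added example (not code from the report or from SecurityScorecard), the following Python hunts for the indicators above in non-interactive sign-in records and in outbound flow records. The sign-in records are constructed here using the field names of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, createdDateTime, isInteractive, clientAppUsed, userAgent, status.errorCode), so an export from the Entra portal or Log Analytics can be mapped onto the same names. The attacker source 203.0.113.10, the contoso.example accounts, the threshold of five distinct accounts from one source within thirty minutes, and the flow records are all assumptions chosen for the demonstration; the C2 addresses are the six listed above and the C2 channel ports come from the port table in the infrastructure analysis.

```python
"""Hunt the campaign's indicators in Entra ID non-interactive sign-ins and
outbound flow records (added example; constructed data, see lead-in)."""
from collections import defaultdict
from datetime import datetime, timedelta

# C2 addresses listed in the report (defanging brackets removed).
C2_IPS = {"70.39.115.74", "70.39.120.10", "204.188.218.178",
          "204.188.218.179", "204.188.210.226", "204.188.210.227"}
# Ports the report's table attributes to the botnet's own C2 channels.
C2_PORTS = {12341, 12342, 12347, 12348}
# clientAppUsed values Entra ID assigns to legacy (Basic Auth) protocols.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}
AUTOMATION_UA_MARKERS = ("fasthttp",)   # user agent observed in the campaign
ERR_BAD_PASSWORD = 50126                # AADSTS50126: wrong username or password


def _parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _max_distinct_users(events, window):
    """Most distinct accounts one source tried inside any span of `window`."""
    events = sorted(events)                      # [(time, upn)]
    counts, best, lo = defaultdict(int), 0, 0
    for t, upn in events:
        counts[upn] += 1
        while t - events[lo][0] > window:        # slide the window start forward
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def hunt_signins(records, min_users=5, window=timedelta(minutes=30)):
    """Return spray sources, single-factor legacy successes and automation UAs."""
    findings = {"spray_sources": {}, "legacy_successes": [], "automation_ua": []}
    failures = defaultdict(list)                 # source ip -> [(time, upn)]
    for r in records:
        if r["isInteractive"]:                   # the campaign lives in the non-interactive log
            continue
        ip, upn, code = r["ipAddress"], r["userPrincipalName"], r["status"]["errorCode"]
        if code == ERR_BAD_PASSWORD:
            failures[ip].append((_parse_time(r["createdDateTime"]), upn))
        elif code == 0 and r["clientAppUsed"] in LEGACY_CLIENT_APPS:
            # A valid password accepted over a legacy protocol: MFA was never in the path.
            findings["legacy_successes"].append((upn, ip, r["clientAppUsed"]))
        if any(m in r.get("userAgent", "").lower() for m in AUTOMATION_UA_MARKERS):
            findings["automation_ua"].append((upn, ip, r["userAgent"]))
    for ip, events in failures.items():          # many accounts from one source = spraying
        n = _max_distinct_users(events, window)
        if n >= min_users:
            findings["spray_sources"][ip] = n
    return findings


def c2_contacts(flows):
    """Classify outbound (src, dst, dport) flows against the C2 address list."""
    return [(src, dst, dport, "c2-channel" if dport in C2_PORTS else "c2-host")
            for src, dst, dport in flows if dst in C2_IPS]


# ---- constructed sample data (not real telemetry) -----------------------
def _rec(upn, ip, when, code, app, ua, interactive=False):
    return {"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": when,
            "isInteractive": interactive, "clientAppUsed": app, "userAgent": ua,
            "status": {"errorCode": code}}

SPRAY_IP = "203.0.113.10"                        # assumed attacker source (TEST-NET-3)
SAMPLE_SIGNINS = [
    # one IMAP Basic Auth attempt per account, a minute apart, same source
    _rec(f"user{i}@contoso.example", SPRAY_IP, f"2025-02-20T03:{10 + i:02d}:00Z",
         ERR_BAD_PASSWORD, "IMAP4", "fasthttp") for i in range(6)
] + [
    # the infostealer-sourced password was still valid for this account
    _rec("user3@contoso.example", SPRAY_IP, "2025-02-20T03:25:00Z", 0, "IMAP4", "fasthttp"),
    # a routine token refresh by a modern-auth desktop client: not flagged
    _rec("user9@contoso.example", "198.51.100.5", "2025-02-20T03:26:00Z", 0,
         "Mobile Apps and Desktop clients", "Outlook/16.0"),
    # an interactive browser typo: belongs to the interactive log, ignored here
    _rec("user9@contoso.example", "198.51.100.5", "2025-02-20T03:27:00Z",
         ERR_BAD_PASSWORD, "Browser", "Mozilla/5.0", interactive=True),
]
SAMPLE_FLOWS = [("10.0.0.7", "204.188.218.178", 12341),   # registration channel
                ("10.0.0.7", "204.188.218.178", 2181),    # Zookeeper on a C2 host
                ("10.0.0.8", "192.0.2.44", 443)]          # unrelated HTTPS traffic

if __name__ == "__main__":
    for key, value in hunt_signins(SAMPLE_SIGNINS).items():
        print(key, value)
    print(c2_contacts(SAMPLE_FLOWS))
```

The spray detector keys on the source address and counts distinct accounts rather than attempts per account, because one attempt per account is exactly the pattern that stays below per-user lockout thresholds. A successful legacy-protocol sign-in is reported separately even without a preceding spray from the same address, since the actor proxies through several sources and the success may arrive from a different one.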
      

Infrastructure Analysis

  • C2 Structure: The C2 servers run Apache Zookeeper and Kafka, which points to a distributed, coordinated structure: Zookeeper manages and coordinates the botnet nodes, while Kafka handles the data streams between them. The servers' time zone is set to "Asia/Shanghai", which supports the suspected origin of the campaign.

  • Additional Information About the Servers Hosted in the US:

    • The US-hosted servers carry an "F" rating on the SecurityScorecard TPRM platform, a rating strongly correlated with breach risk.

    • At least 11 of the IP addresses appear on most public IP blocklists.

    • 246 IPs run SMTP on non-standard ports.

    • 274 potentially unwanted applications or trackers are hosted on them.

  • Common C2 Ports:

    Port    Service             Possible use
    1002    Not assigned        Unclear
    2181    Zookeeper           Managing the distributed botnet structure with Kafka
    3306    MySQL               Storing stolen data or botnet configuration
    6379    Redis               Key-value store for botnet tasks
    7779    Unclear             Unclear
    8081    Jetty web service   Zookeeper query service
    10050   Zabbix Agent        Potential botnet monitoring
    33060   MySQL X Protocol    Used with the MySQL service
    12341   Not identified      C2 botnet channel (client registration)
    12342   Not identified      Assigning tasks to infected machines
    12347   Not identified      Data exfiltration or backup C2 channel
    12348   Not identified      Executing main C2 commands

Correlating the users seen in the non-interactive sign-in logs with credential sets from infostealer logs produces matches for the affected users. This confirms that the threat actor is working from stolen infostealer credentials rather than guessing common passwords.

Recommendations

  1. Disable Basic Authentication: Turn Basic Authentication off completely for every protocol (IMAP, POP, SMTP AUTH, ActiveSync and the rest), since it is the channel that lets a bare password log in without MFA.

  2. Use Multi-Factor Authentication (MFA): Require MFA for all accounts, bearing in mind that Basic Authentication cannot perform MFA at all, so the requirement only protects accounts once legacy protocols are shut off.

  3. Enforce Conditional Access Policies (CAP): Use CAP to restrict access by location, device and sign-in risk, and to block legacy authentication clients explicitly.

  4. Monitor Logs: Continuously monitor sign-in logs, especially the Non-Interactive Sign-In logs, for failures across many accounts from one source and for successful legacy-protocol sign-ins.

  5. Monitor Leaked Credentials: Watch underground forums and infostealer log dumps for the organization's credentials and proactively reset any account that appears in them.

  6. Block IP Addresses: Block traffic to and from the IP addresses associated with the botnet.
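Recommendations 1 to 3 can be checked rather than assumed. The following Python is an added example (not code from the report, from SecurityScorecard or from Microsoft) that audits a tenant's Conditional Access policies for one that actually blocks legacy authentication clients, and lists which Basic Authentication protocols an Exchange Online authentication policy still allows. The policy objects are constructed here in the shape of the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls.builtInControls); in a real tenant they would be read from the /identity/conditionalAccess/policies endpoint. The Exchange flags mirror the AllowBasicAuth* properties returned by Get-AuthenticationPolicy. The policy names, the break-glass exclusion and the flag values are assumptions made up for the demonstration.

```python
"""Audit Conditional Access and Exchange authentication policy for the gap the
campaign exploits (added example; constructed tenant state, see lead-in)."""

# clientAppTypes values that identify Basic Auth / legacy protocol clients
# ("other" is the value Entra uses for legacy authentication clients).
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def blocks_legacy_auth(policy):
    """Return (enforces, reasons): does this one policy block legacy auth for everyone?"""
    reasons = []
    if policy.get("state") != "enabled":          # report-only or disabled never blocks
        reasons.append("not enforced (state=%s)" % policy.get("state"))
    cond = policy.get("conditions", {})
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        reasons.append("not scoped to all users")
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        reasons.append("not scoped to all applications")
    apps = set(cond.get("clientAppTypes", []))
    if apps != {"all"} and not LEGACY_CLIENT_APP_TYPES <= apps:
        reasons.append("does not target legacy client app types")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        reasons.append("grant control is not 'block'")
    return (not reasons, reasons)


def legacy_auth_coverage(policies):
    """Summarise whether any enabled policy closes the legacy-auth gap."""
    blocking, gaps, excluded = [], {}, []
    for p in policies:
        ok, reasons = blocks_legacy_auth(p)
        if ok:
            blocking.append(p["displayName"])
            # Excluded users (typically break-glass accounts) stay reachable over
            # legacy protocols, so they are reported rather than silently accepted.
            excluded += p["conditions"]["users"].get("excludeUsers", [])
        else:
            gaps[p["displayName"]] = reasons
    return {"covered": bool(blocking), "blocking_policies": blocking,
            "excluded_users": excluded, "non_blocking": gaps}


def basic_auth_still_allowed(auth_policy):
    """List the AllowBasicAuth* flags that are still True in the Exchange policy."""
    return sorted(k for k, v in auth_policy.items()
                  if k.startswith("AllowBasicAuth") and v)


# ---- constructed tenant state (assumed, not a real tenant) ----------------
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    # legacy clients are absent here, so MFA never applies to them
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["breakglass-object-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Block legacy auth (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]
SAMPLE_EXCHANGE_AUTH_POLICY = {
    "AllowBasicAuthImap": True, "AllowBasicAuthPop": False,
    "AllowBasicAuthSmtp": True, "AllowBasicAuthActiveSync": False,
    "AllowBasicAuthOutlookService": False,
}

if __name__ == "__main__":
    print(legacy_auth_coverage(SAMPLE_POLICIES))
    print(basic_auth_still_allowed(SAMPLE_EXCHANGE_AUTH_POLICY))
```

The "Require MFA for all users" policy is the configuration this campaign relies on: it is enabled and scoped to everyone, yet its client app types never include legacy clients, so an IMAP sign-in with a stolen password is never asked for a second factor. Only the explicit block policy closes that path, and any account excluded from it remains exposed until Basic Authentication is disabled on the Exchange side as well.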

Conclusion

This botnet campaign underlines the importance of retiring Basic Authentication, actively monitoring sign-in patterns and building reliable detection for password spraying. The threat actor's use of non-interactive sign-ins to evade MFA and possibly Conditional Access Policies shows that organizations need to reassess their authentication strategy. Organizations should also monitor underground forums for leaked credentials and reset compromised accounts promptly.


Written by

Đinh Văn Mạnh