
Microsoft Entra ID Accounts Targeted in Password-Spraying Attacks

12 months ago | US | Source: thehackernews.com
Cybersecurity researchers have uncovered a large-scale account takeover campaign targeting Microsoft Entra ID accounts, utilizing the open-source TeamFiltration penetration testing framework. The campaign, dubbed UNK_SneakyStrike, has compromised over 80,000 accounts across numerous organizations since December 2024.

Key Insights

The UNK_SneakyStrike campaign has targeted over 80,000 Microsoft Entra ID user accounts since December 2024, resulting in successful account takeovers.

Attackers are leveraging the TeamFiltration framework, originally designed for penetration testing, to perform password-spraying attacks and data exfiltration.

The attacks originate primarily from the United States (42%), Ireland (11%), and Great Britain (8%).

The campaign targets all user accounts in smaller cloud tenants but focuses on a subset of users in larger tenants.

In-Depth Analysis

The UNK_SneakyStrike campaign highlights the risks associated with the misuse of legitimate security tools. TeamFiltration, released in 2022, provides capabilities for enumerating, spraying, exfiltrating, and backdooring Entra ID accounts. Attackers are using the tool to perform password-spraying attacks, attempting common passwords against a large number of accounts.

The attackers use AWS servers in various geographical regions and a disposable Microsoft 365 account to facilitate password spraying and account enumeration. This allows them to launch attacks from different locations, making them harder to trace.

Organizations can mitigate these attacks by:

1. Enabling multi-factor authentication (MFA) for all users.
2. Enforcing OAuth 2.0.
3. Using conditional access policies in Microsoft Entra ID.
4. Monitoring and logging logins, and regularly reviewing the logs.
5. Disabling unused accounts.

This campaign underscores the importance of robust identity and access management practices to protect against account takeover attacks.
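For the log-review step above, the following added example (not from the source article or from any vendor tooling) flags source IPs whose failed password attempts touch many distinct accounts in a short window, then lists any successful sign-in from the same IP afterwards. It assumes events exported in the shape of the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`); the thresholds, function names and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_PASSWORD = 50126  # AADSTS50126: invalid username or password

def find_spray_sources(events, min_users=5, window=timedelta(minutes=30)):
    """Return {ip: {"users": [...], "later_success": [...]}} for IPs whose failed
    password attempts hit at least min_users distinct accounts inside window."""
    by_ip = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        by_ip[e["ipAddress"]].append(
            (ts, e["userPrincipalName"].lower(), e["status"]["errorCode"]))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(ts, user) for ts, user, code in rows if code == FAILED_PASSWORD]
        start, best = 0, set()
        for end in range(len(fails)):
            # Slide the left edge forward until the span fits inside the window.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            first_fail = fails[0][0]
            # errorCode 0 = success; one after the spray began needs triage.
            hits = sorted({u for ts, u, code in rows
                           if code == 0 and ts >= first_fail})
            findings[ip] = {"users": sorted(best), "later_success": hits}
    return findings

def _ev(ts, user, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample: one IP sprays six accounts, then signs in as one of them;
# a second IP is a single user mistyping a password before succeeding.
SAMPLE = [_ev(f"2025-01-10T09:{m:02d}:00Z", f"user{m}@example.com",
              "203.0.113.10", FAILED_PASSWORD) for m in range(6)]
SAMPLE += [_ev("2025-01-10T09:07:00Z", "user3@example.com", "203.0.113.10", 0)]
SAMPLE += [_ev(f"2025-01-10T10:0{m}:00Z", "alice@example.com",
               "198.51.100.7", FAILED_PASSWORD) for m in range(3)]
SAMPLE += [_ev("2025-01-10T10:05:00Z", "alice@example.com", "198.51.100.7", 0)]

if __name__ == "__main__":
    for ip, info in find_spray_sources(SAMPLE).items():
        print(ip, len(info["users"]), "accounts; success:", info["later_success"])
```

Because the campaign described here spreads its attempts across servers in several regions, a per-IP grouping will under-count; running the same window over the whole tenant, or grouping by network range, catches sprays that no single address would trigger.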

FAQs

Q: What is TeamFiltration?

TeamFiltration is an open-source penetration testing framework that can be used to enumerate, spray, exfiltrate, and backdoor Entra ID accounts.

Q: What is password spraying?

Password spraying is a type of attack where attackers try common passwords against many different accounts.

Q: What is UNK_SneakyStrike?

UNK_SneakyStrike is the codename given to the account takeover campaign that leverages the TeamFiltration framework.

Key Takeaways

Be aware of the risks associated with password-spraying attacks.

Implement multi-factor authentication (MFA) to protect your accounts.

Monitor your Microsoft Entra ID environment for suspicious activity.

Ensure your organization has strong identity and access management practices in place.
