- A new password spray attack was recently observed
- It targets organizations and Microsoft 365 accounts in the West
- The attack focuses on non-interactive sign-ins
Hackers, possibly with Chinese affiliation, are targeting organizations in the West with a large-scale password spray attack, researchers have stated.
A report by cybersecurity researchers SecurityScorecard says that companies that depend on Microsoft 365 office software for email, document storage and collaboration are particularly at risk.
SecurityScorecard said it has found evidence of “threat actors affiliated with China” using infrastructure “linked to” CDS Global Cloud and UCloud HK, providers with “operational ties” to China. The researchers also said they saw servers hosted at Sharktech used for the campaign's command-and-control (C2). Sharktech is reportedly a US provider that has hosted malicious activity in the past.
Microsoft 365 targeted by attacks
Password spraying is not new, but some things make this campaign stand out as remarkably dangerous, such as its abuse of non-interactive sign-ins. This helps attackers avoid detection by traditional security controls.
“Usually, password spraying results in lockouts that alert security teams,” the researchers explain. “However, this campaign specifically targets non-interactive sign-ins, used for service-to-service authentication, which do not always generate security alerts. This allows attackers to operate without triggering MFA defenses or conditional access policies (CAP), even in highly secure environments.”
The attackers are looking for Microsoft 365 accounts, SecurityScorecard further emphasized, mainly in organizations in financial services and insurance. However, healthcare, government and defense, technology and SaaS, and education and research are also primary targets.
Researchers believe the attack is significant because it bypasses modern defenses and is probably the work of the Chinese government. As such, organizations in the West must be particularly careful: review non-interactive sign-in logs for unauthorized access attempts, rotate credentials for any flagged accounts and disable legacy authentication protocols. In addition, they should monitor for stolen credentials linked to their organizations and implement conditional access policies.
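The log review recommended above can be automated. The following is an added example, not code from the article or from SecurityScorecard: it scans non-interactive sign-in records for the spray signature (one source IP failing once against many distinct accounts inside a short window, so no single account reaches a lockout threshold). The record shape and the `ip`, `user`, `status` and `ts` field names are assumptions modelled loosely on an Entra ID sign-in log export; the records are constructed, not real telemetry.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INVALID_CREDS = 50126   # Entra ID error code: invalid username or password
SUCCESS = 0

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(records, window=timedelta(minutes=60), min_accounts=5):
    """Return {ip: sorted targeted accounts} for every source IP whose failed
    non-interactive sign-ins touch >= min_accounts distinct accounts within
    any interval of length `window`. A single failure per account is enough:
    that is exactly the pattern that stays under per-account lockout limits."""
    failures = defaultdict(list)
    for r in records:
        if r["status"] == INVALID_CREDS:
            failures[r["ip"]].append((_parse(r["ts"]), r["user"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        in_window = Counter()          # distinct users in the sliding window
        left = 0
        for t, user in events:
            in_window[user] += 1
            while events[left][0] < t - window:   # drop events older than window
                old_user = events[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            if len(in_window) >= min_accounts:
                flagged[ip] = sorted({u for _, u in events})  # accounts to rotate
                break
    return flagged

# Constructed sample: 203.0.113.10 sprays six service accounts in 30 minutes,
# then succeeds against one; 198.51.100.7 is a misconfigured client retrying
# a single account, which must not be flagged as a spray.
SAMPLE_LOGS = [
    {"ts": f"2025-02-20T03:{m:02d}:00Z", "ip": "203.0.113.10", "user": u, "status": INVALID_CREDS}
    for m, u in zip((0, 5, 11, 16, 22, 28),
                    ("svc-backup", "svc-sync", "svc-report", "svc-mail", "svc-ci", "admin-portal"))
] + [{"ts": "2025-02-20T03:30:00Z", "ip": "203.0.113.10", "user": "svc-ci", "status": SUCCESS}] + [
    {"ts": f"2025-02-20T04:{m:02d}:00Z", "ip": "198.51.100.7", "user": "svc-legacy", "status": INVALID_CREDS}
    for m in (1, 2, 3, 4)
]

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOGS))
```

Pairing a flagged IP with a later `SUCCESS` record from the same address, as the sample contains for `svc-ci`, is the case that should drive immediate credential rotation.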
“These findings from our STRIKE intelligence team reinforce how adversaries continue to find and exploit gaps in authentication processes,” said David Mound, a threat intelligence researcher at SecurityScorecard. “Organizations cannot afford to assume that MFA alone is a sufficient defense. Understanding the nuances of non-interactive sign-ins is crucial to closing these gaps.”