- A new password spraying campaign has recently been observed
- It targets Western organizations and their Microsoft 365 accounts
- The attack focuses on non-interactive sign-ins
Hackers, possibly affiliated with China, are targeting Western organizations with a large-scale password spraying attack, experts say.
A report by cybersecurity researchers at SecurityScorecard indicates that companies that rely on Microsoft 365 for email, document storage and collaboration are particularly at risk.
SecurityScorecard said it had found evidence of "China-affiliated threat actors" using infrastructure "linked to" CDS Global Cloud and UCLOUD HK, providers with "operational ties" to China. The researchers also said they saw servers hosted at Sharktech being used for the campaign's C2. Sharktech is reportedly a US-based provider that has hosted malicious activity in the past.
Microsoft 365 targeted by attacks
Password spraying is hardly new, but several things make this campaign stand out as particularly dangerous, such as its abuse of non-interactive sign-ins. This helps the attackers avoid detection by traditional security checks.
"As a rule, password spraying leads to lockouts that alert security teams," the researchers explain. "However, this campaign specifically targets non-interactive sign-ins, used for service authentication, which do not always generate security alerts. This allows attackers to operate without triggering MFA defenses or conditional access policies (CAP), even in highly secure environments."
The attackers are going after Microsoft 365 accounts, SecurityScorecard further stressed, mainly at financial services and insurance organizations. However, healthcare, government and defense, technology and SaaS, as well as education and research, are also major targets.
The researchers believe the attack is significant because it bypasses modern defenses, and it is probably the work of the Chinese government. As such, Western organizations should be particularly cautious: review non-interactive sign-in logs for unauthorized access attempts, rotate credentials for all flagged accounts, and disable legacy authentication protocols. In addition, they should monitor for stolen credentials linked to their organization and implement conditional access policies.
"These findings from our STRIKE threat intelligence team reinforce how adversaries continue to find and exploit gaps in authentication processes," said David Mound, threat intelligence researcher at SecurityScorecard. "Organizations cannot afford to assume that MFA alone is a sufficient defense. Understanding the nuances of non-interactive sign-ins is crucial to closing these gaps."
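As an added illustration of the review of non-interactive sign-in logs recommended above (example code written for this page, not from SecurityScorecard or Microsoft), the script below flags the spray pattern the researchers describe: one source IP failing once against many different accounts, so no single account ever reaches its lockout threshold. The records are constructed and only loosely modelled on Entra ID sign-in log fields; the field names and the 30-minute window are assumptions.

```python
"""Flag password-spray patterns in non-interactive sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Field names are assumed to follow
# the Entra ID sign-in schema: createdDateTime, userPrincipalName, ipAddress,
# isInteractive and status.errorCode (50126 = bad username or password).
_USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOG = [
    {"createdDateTime": f"2025-02-20T08:{i:02d}:00Z",
     "userPrincipalName": f"{u}@example.com",
     "ipAddress": "203.0.113.7", "isInteractive": False,
     "status": {"errorCode": 50126}}  # one failed guess per account
    for i, u in enumerate(_USERS)
] + [
    # An interactive typo by a real user: outside this detection's scope.
    {"createdDateTime": "2025-02-20T08:01:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.5", "isInteractive": True, "status": {"errorCode": 50126}},
    # A successful non-interactive token refresh from a known client.
    {"createdDateTime": "2025-02-20T08:02:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.9", "isInteractive": False, "status": {"errorCode": 0}},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(records, window=timedelta(minutes=30), min_accounts=5):
    """Return {ip: sorted target accounts} for every source IP whose failed
    non-interactive sign-ins touch at least `min_accounts` distinct accounts
    within any `window`-long span. Per-account lockout counters never see
    this pattern because each account gets only one or two attempts."""
    failed = defaultdict(list)
    for r in records:
        if r.get("isInteractive") or r["status"]["errorCode"] == 0:
            continue  # interactive logons and successes are not spray evidence
        failed[r["ipAddress"]].append((_parse_ts(r["createdDateTime"]), r["userPrincipalName"]))
    hits = {}
    for ip, events in failed.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over each start time
            accounts = {u for t, u in events[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
                break
    return hits


if __name__ == "__main__":
    for ip, accounts in detect_spray(SAMPLE_LOG).items():
        print(f"possible spray from {ip}: {len(accounts)} accounts -> {accounts}")
```

Tune `window` and `min_accounts` to the tenant's normal service-principal failure rate; a good companion check is whether the flagged IP belongs to any hosting provider the organization actually uses.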