- Hackers abuse a legitimate tool to target Microsoft Entra ID accounts
- The password spraying attack targeted some 80,000 accounts
- The attackers managed to take over certain accounts, gaining access to Microsoft Teams, OneDrive and Outlook
Cybercriminals have been abusing a legitimate penetration testing tool to target Microsoft Entra ID user accounts with password spraying attacks, experts have warned.
In an in-depth analysis shared with TechRadar Pro, Proofpoint cybersecurity researchers said tens of thousands of accounts were targeted and some were compromised.
The researchers said that an unattributed threat actor engaged in a large-scale attack campaign they nicknamed UNK_SNAKYSTRIKE.
“Several” accounts compromised
In this campaign, the attackers used a legitimate pentesting tool called TeamFiltration.
The tool was created by a threat researcher in early 2021 and published publicly at DEF CON 30. It automates several tactics, techniques and procedures (TTPs) used in modern account takeover (ATO) attack chains.
“As with many security tools that are originally created and published for legitimate uses, such as penetration testing and risk assessment, TeamFiltration was also exploited in malicious activity,” Proofpoint said.
The researchers said that the campaign most likely started in December 2024. By abusing the Microsoft Teams API and Amazon Web Services (AWS) servers located in various regions worldwide, the attackers were able to launch user enumeration and password spraying attacks, targeting some 80,000 user accounts across approximately 100 cloud tenants.
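The pattern described above, many accounts tried a few times each from one source, is what a defender looks for in sign-in telemetry. The following is an added example, not code from Proofpoint, TechRadar or the TeamFiltration project: it runs a simple spray and enumeration detector over constructed Entra ID-style sign-in log lines. The field names (createdDateTime, userPrincipalName, ipAddress, errorCode) and the error-code meanings are assumptions modelled on Entra ID sign-in log exports, and the log data is invented test input.

```python
"""Spot password spraying and user enumeration in Entra ID sign-in logs.

Added example, not code from Proofpoint, TechRadar or the TeamFiltration
project. Field names (createdDateTime, userPrincipalName, ipAddress,
errorCode) are an assumption modelled on Entra ID sign-in log exports; the
log lines below are constructed test data, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Sign-in error codes relevant to a spray (assumed meanings, per Entra docs):
INVALID_PASSWORD = 50126   # valid user, wrong password
USER_NOT_FOUND = 50034     # what an enumeration probe sees
SUCCESS = 0

# A sprayer hits many accounts with one or two passwords each, so the tell
# is breadth, not depth: many users, few attempts per user, one source.
SPRAY_MIN_USERS = 5
SPRAY_MAX_PER_USER = 3
WINDOW = timedelta(hours=1)


def _line(ts, user, ip, code):
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user,
                       "ipAddress": ip, "errorCode": code})


# Constructed sample log (JSON lines). 203.0.113.10 sprays six accounts and
# gets into frank's; 203.0.113.20 probes names that do not exist in the
# tenant; 198.51.100.7 is alice mistyping her own password, which must not alert.
SAMPLE_LOG = "\n".join(
    [_line(f"2025-01-10T08:00:0{i}Z", f"{u}@example.com", "203.0.113.10", INVALID_PASSWORD)
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"], start=1)]
    + [_line("2025-01-10T08:05:00Z", "frank@example.com", "203.0.113.10", SUCCESS)]
    + [_line(f"2025-01-10T09:10:0{i}Z", f"ghost{i}@example.com", "203.0.113.20", USER_NOT_FOUND)
       for i in range(1, 6)]
    + [_line(f"2025-01-10T10:00:0{i}Z", "alice@example.com", "198.51.100.7", INVALID_PASSWORD)
       for i in range(1, 4)]
    + [_line("2025-01-10T10:00:09Z", "alice@example.com", "198.51.100.7", SUCCESS)]
)


def parse_log(text):
    """Parse JSON-lines sign-in events and sort them by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, min_users=SPRAY_MIN_USERS,
                 max_per_user=SPRAY_MAX_PER_USER, window=WINDOW):
    """Return {source_ip: finding} for IPs whose activity looks like a spray
    or an enumeration run inside any window-long span of their events."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):            # slide the window over this IP's events
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            failures = defaultdict(int)            # user -> wrong-password count
            first_failure = {}                     # user -> time of first failure
            unknown = set()                        # names that do not exist in the tenant
            taken_over = set()                     # success after a failure from this IP
            for e in in_win:                       # in_win is time-ordered
                user = e["userPrincipalName"]
                if e["errorCode"] == INVALID_PASSWORD:
                    failures[user] += 1
                    first_failure.setdefault(user, e["ts"])
                elif e["errorCode"] == USER_NOT_FOUND:
                    unknown.add(user)
                elif e["errorCode"] == SUCCESS and user in first_failure:
                    taken_over.add(user)
            spray = (len(failures) >= min_users
                     and max(failures.values(), default=0) <= max_per_user)
            enumeration = len(unknown) >= min_users
            if spray or enumeration:
                findings[ip] = {"spray": spray, "enumeration": enumeration,
                                "targeted_users": len(failures),
                                "unknown_users": len(unknown),
                                "likely_takeover": sorted(taken_over)}
                break                               # one finding per IP is enough
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The thresholds are deliberately breadth-based: a single user failing three times and then succeeding is normal, while six users failing once each from one address in a few seconds is not, and a success from that same address for a user it had just failed against is the "likely takeover" signal worth paging on. In a real tenant the source address would be correlated with cloud provider ranges (the report notes AWS-hosted infrastructure) and the window tuned to the sprayer's cadence.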
The three main source geographies from which the attacks originated were the United States (42%), Ireland (11%) and Great Britain (8%).
Proofpoint said that in “several cases” the attackers managed to take over accounts, gaining access to valuable information in Microsoft Teams, OneDrive, Outlook and other productivity tools.
There was no attribution, so it is not known whether an organized threat actor sits behind this campaign. The researchers focused mainly on the use of legitimate tools for illegitimate purposes, saying that they can “easily be weaponized” to compromise user accounts, exfiltrate sensitive data and establish persistent footholds.
“Proofpoint anticipates that threat actors will increasingly adopt advanced intrusion tools and platforms, such as TeamFiltration, as they pivot away from less effective intrusion methods.”