Threat Brute-Force Campaign Leveraging FastHTTP

Incident Report for Rapid Response Status Page

Resolved

Dear Customers,

Following our recent update regarding the AzureAD brute-force campaign, we have conducted threat hunting across all customers. Relevant hits that require your attention will be mentioned in the AXON report.

The following queries can be used by your security teams to gain relevant visibility and to conduct threat hunting for this campaign:

1. Visibility Query - Azure Users Without MFA - This query can be found on Axon's GitHub.
Link - https://github.com/axon-git/rapid-response/blob/main/fasthttp_bruteforce_campaign/azure_users_without_mfa.sql

2. Hunting Query - Successful login attempts made with the FastHTTP user agent - This query can be found on Axon's GitHub.
Link - https://github.com/axon-git/rapid-response/blob/main/fasthttp_bruteforce_campaign/fasthttp_bruteforce_campaign.sql

3. Custom Detector Recommendation - Configuration suggestions by our team to create a detector for this campaign.
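As an added example (not the SQL query from Axon's GitHub), the Python below shows the logic of hunting query 2 over constructed sign-in records: it flags successful sign-ins whose user agent is fasthttp and, as brute-force context, counts the earlier fasthttp failures from the same source IP. The field names ts, user, result, ua and ip are assumptions, not a vendor schema.

```python
"""Hunt for successful sign-ins made with the fasthttp user agent."""
import json
from collections import defaultdict

# Constructed sample sign-in events (JSON lines, not real data).
# Field names are assumed for this example, not a vendor schema.
SAMPLE_LOG = """\
{"ts":"2025-01-16T08:00:01Z","user":"alice@example.com","result":"failure","ua":"fasthttp","ip":"203.0.113.10"}
{"ts":"2025-01-16T08:00:02Z","user":"alice@example.com","result":"failure","ua":"fasthttp","ip":"203.0.113.10"}
{"ts":"2025-01-16T08:00:03Z","user":"alice@example.com","result":"success","ua":"fasthttp","ip":"203.0.113.10"}
{"ts":"2025-01-16T08:01:00Z","user":"bob@example.com","result":"success","ua":"Mozilla/5.0 (Windows NT 10.0)","ip":"198.51.100.5"}
{"ts":"2025-01-16T08:02:00Z","user":"carol@example.com","result":"failure","ua":"fasthttp","ip":"203.0.113.10"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_fasthttp(event):
    """Match the library's default user agent, case-insensitively."""
    return "fasthttp" in event.get("ua", "").lower()


def fasthttp_successes(events):
    """Hunting query: successful fasthttp sign-ins, each annotated with the
    number of earlier fasthttp failures seen from the same source IP."""
    prior_failures = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not is_fasthttp(e):
            continue
        if e["result"] == "failure":
            prior_failures[e["ip"]] += 1
        elif e["result"] == "success":
            hits.append({**e, "prior_failures": prior_failures[e["ip"]]})
    return hits


def noisy_sources(events, min_failures=2):
    """Visibility: source IPs with repeated fasthttp failures, for triage."""
    failures = defaultdict(int)
    for e in events:
        if is_fasthttp(e) and e["result"] == "failure":
            failures[e["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= min_failures}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in fasthttp_successes(evs):
        print("ALERT fasthttp sign-in:", hit["user"], hit["ip"], hit["ts"],
              "after", hit["prior_failures"], "failures")
    print("noisy sources:", noisy_sources(evs))
```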

In addition, Axon reports have been published to Team Axon customers.
In those reports, you can also find an updated deliverables list (threat hunting, visibility queries and custom detector recommendation).

The team is still tracking the campaign and will publish an update if needed.
If you have any questions, please do not hesitate to reach out to us.

Sincerely,
Team Axon.
Posted Jan 16, 2025 - 17:07 UTC

Identified

Dear Customers,

Team AXON is aware of an ongoing brute-force campaign leveraging the FastHTTP library, targeting Azure Active Directory Graph API. Fasthttp is a high-performance HTTP server and client library for the Go programming language, designed to handle HTTP requests more efficiently than Go’s standard net/http package.

The campaign poses significant risks to systems that rely on default or weak authentication methods, highlighting the importance of robust password policies and MFA. Our team has initiated a targeted investigation to identify potential IOCs related to this campaign. If any critical findings are discovered that require immediate attention, we will promptly inform you.


An AXON report detailing our findings, mitigation strategies, and recommended actions will be shared with all AXON customers following the conclusion of our Rapid Response efforts.

If you have any questions or concerns, please do not hesitate to contact us.

Sincerely,
Team AXON
Posted Jan 16, 2025 - 09:24 UTC
This incident affected: Rapid Response.