In a concerning new development in the cybersecurity landscape, a massive Chinese botnet is currently targeting Microsoft 365 (M365) accounts through sophisticated password spraying attacks, effectively bypassing Multifactor Authentication (MFA). The botnet, which SecurityScorecard has identified as comprising over 130,000 compromised devices, is using stolen credentials from infostealer accounts to gain access to sensitive data, emails, and collaboration tools. These attacks impact a wide range of industries, including financial services, healthcare, government, and technology providers. The attackers are not only stealing data but are also leveraging the compromised accounts for lateral movement within networks, which includes carrying out internal phishing operations and causing essential business disruptions by triggering account lockouts due to repeated failed login attempts.
Attribution and Infrastructure
The attackers behind this botnet have been attributed to a Chinese-affiliated group, based on the link between the botnet’s infrastructure and entities such as CDS Global Cloud and UCLOUD HK, which have operational ties to China. The sophisticated botnet relies on command-and-control (C2) servers, which are hosted by SharkTech, a United States-based provider known to have a history of facilitating malicious activities. This connection provides the attackers with a reliable and previously trusted framework to orchestrate their extensive network of compromised devices effectively and evade typical detection measures. By leveraging such infrastructure, the botnet is able to maintain operational flexibility and resilience against takedown efforts.
One of the most troubling aspects of this botnet is its sophisticated ability to bypass MFA and potentially Conditional Access Policies (CAP). It achieves this by logging login events in Non-Interactive Sign-In logs, which are delegated sign-ins performed by client apps or operating system components on behalf of a user without requiring authentication factors. This method effectively prevents the triggering of MFA alerts and often goes unnoticed. Many organizations unfortunately overlook these non-interactive sign-ins, which leaves them particularly vulnerable to high-volume password spraying attacks. As this tactic becomes more prevalent, it highlights significant gaps in current security policies and necessitates the adoption of more robust monitoring and security measures.
Strategic Response and Mitigation
To counter these advanced threats, it is crucial for organizations to reassess their security postures and adopt several recommended measures. These include implementing more stringent access policies based on geolocation and device compliance, creating conditional access policies to limit non-interactive login attempts, and rigorously reviewing Non-Interactive Sign-In logs for unauthorized access. Additionally, disabling legacy authentication protocols that are more susceptible to these kinds of attacks, monitoring for leaked credentials, and swiftly resetting compromised accounts are essential steps to bolster defenses against these advanced botnet activities.
Boris Cipot of Black Duck underlines that the tactics used by this botnet represent significant advancements compared to previous methods of attack. Utilizing non-interactive sign-ins, attackers avoid triggering the more common security alerts that identify failed logins. Thus, it becomes imperative for organizations to close these authentication monitoring gaps and enhance their overall security measures to effectively combat the evolving threat posed by these botnets. By staying ahead of these tactics, organizations can better protect their M365 accounts and the sensitive data they house from unauthorized access and potential exploitation.
Enhancing Security and Monitoring
The botnet in question has been linked to a Chinese-affiliated group through its connections with infrastructure entities like CDS Global Cloud and UCLOUD HK, which have ties to China. This advanced botnet operates using command-and-control (C2) servers hosted by SharkTech, a U.S.-based provider notorious for supporting malicious activities. These connections offer the attackers a robust and reliable framework to manage their network of compromised devices while evading standard detection measures. This use of trusted infrastructure ensures the botnet’s operational flexibility and resilience against takedown efforts.
A significant concern with this botnet is its advanced capability to bypass Multi-Factor Authentication (MFA) and possibly Conditional Access Policies (CAP). It accomplishes this by logging login events in Non-Interactive Sign-In logs. These logins are delegated sign-ins conducted by client apps or operating systems on a user’s behalf without needing authentication factors, thus avoiding MFA alerts and often going unnoticed. Many organizations overlook these non-interactive sign-ins, leaving them susceptible to high-volume password spraying attacks. This tactic underscores critical gaps in security policies and highlights the need for stronger monitoring and security measures.