
On January 13, the SpearTip Security Operations Center, in collaboration with Managed SaaS Alerts, uncovered a sophisticated cyber campaign utilizing the fasthttp library—a high-performance HTTP server and client library for Go. Designed for superior throughput and reduced latency, fasthttp is now being exploited in brute-force login attempts and multi-factor authentication (MFA) spamming attacks targeting Azure Active Directory environments.
This campaign has specifically targeted the Azure Active Directory Graph API (Application ID: 00000002-0000-0000-c000-000000000000), with the first traces of the fasthttp user agent being detected on January 6, 2025. SpearTip’s analysis reveals that attackers are leveraging this library to amplify the volume and efficiency of their requests.
“The fasthttp framework is being used to gain unauthorized access to accounts through brute-force login attempts and spamming multi-factor authentication (MFA) requests,” the report states. The attackers’ objective appears to be overwhelming security mechanisms to bypass protections and compromise user accounts.
Approximately 65% of the malicious traffic associated with fasthttp originates from Brazil, with additional activity detected from countries including Turkey, Argentina, Uzbekistan, Pakistan, and Iraq, each contributing 2–3% of the observed traffic.
The report provides a detailed summary of attack patterns and outcomes:
- Authentication Failures: 41.53% of attempts failed due to incorrect credentials.
- Account Lockouts: 20.97% resulted in lockouts triggered by brute-force protection policies.
- Conditional Access Violations: 17.74% occurred when login attempts breached geo-restrictions or compliance requirements, particularly from South America.
- MFA Failures: 10.08% of attempts involved failed MFA, suggesting attackers were spamming requests or unable to bypass these mechanisms.
- Successful Authentications from Unusual Locations: 9.68% of login attempts succeeded but originated from unauthorized geographic areas.
To mitigate this threat, SpearTip recommends investigating potential indicators of compromise through Entra ID sign-in logs in the Azure Portal. Administrators are advised to filter by the “fasthttp” user agent under the “Other Clients” category. The report also includes a PowerShell script developed by SpearTip, which simplifies the detection of fasthttp-related activity in audit logs.
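Detection logic of the kind the report's script automates, as an added Python example (not SpearTip's script): it filters exported Entra ID sign-in records by the fasthttp user agent and buckets them into the report's five outcome categories, surfacing users with successful sign-ins from unexpected countries first. The sample records, the expected-country set and the error-code mapping are assumptions, not values from the report.

```python
from collections import Counter

GRAPH_API_APP_ID = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph API, from the report
EXPECTED_COUNTRIES = {"US"}  # assumption: where this tenant's users normally sign in from
# Assumed mapping of Entra sign-in errorCode values to the report's outcome categories;
# verify against Microsoft's published sign-in error code list before relying on it.
OUTCOME_BY_ERROR = {
    0: "success",
    50126: "auth_failure",        # invalid username or password
    50053: "lockout",             # account locked by brute-force protection
    53003: "conditional_access",  # blocked by a Conditional Access policy
    500121: "mfa_failure",        # strong authentication (MFA) failed
}

def is_fasthttp(record):
    """Match the user agent the way the portal filter does: substring, case-insensitive."""
    return "fasthttp" in (record.get("userAgent") or "").lower()

def classify(record):
    """Map one sign-in record to one of the report's outcome categories."""
    outcome = OUTCOME_BY_ERROR.get(record.get("status", {}).get("errorCode", 0), "other_failure")
    if outcome == "success" and record.get("location", {}).get("countryOrRegion") not in EXPECTED_COUNTRIES:
        return "success_unusual_location"  # the highest-priority finding
    return outcome

def triage(records):
    """Return (outcome counts, users with successful fasthttp sign-ins from unexpected countries)."""
    counts, suspects = Counter(), set()
    for rec in filter(is_fasthttp, records):
        outcome = classify(rec)
        counts[outcome] += 1
        if rec.get("appId") == GRAPH_API_APP_ID:
            counts["graph_api_targeted"] += 1
        if outcome == "success_unusual_location":
            suspects.add(rec["userPrincipalName"])
    return counts, sorted(suspects)

# Constructed sample records (not real tenant data) in the shape of an Entra sign-in log export.
def _rec(upn, ua, code, country, app_id=GRAPH_API_APP_ID):
    return {"userPrincipalName": upn, "userAgent": ua, "appId": app_id,
            "status": {"errorCode": code}, "location": {"countryOrRegion": country}}

SAMPLE_RECORDS = [
    _rec("a.lee@example.com", "fasthttp", 50126, "BR"),
    _rec("a.lee@example.com", "fasthttp", 50053, "BR"),
    _rec("c.ruiz@example.com", "FastHTTP", 53003, "AR"),
    _rec("d.kim@example.com", "fasthttp", 500121, "TR"),
    _rec("b.ng@example.com", "fasthttp", 0, "BR"),      # success from an unexpected country
    _rec("e.ali@example.com", "fasthttp", 0, "US"),     # success from an expected country
    _rec("b.ng@example.com", "Mozilla/5.0", 0, "US"),   # ordinary browser sign-in, ignored
]
```

Users returned in the second element are the ones to take through the session-expiry, credential-reset and MFA-device review steps listed below.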
If investigations confirm compromised accounts, immediate action is critical:
- Expire all user sessions and reset credentials.
- Review and secure MFA devices associated with affected users.
- Reconfigure MFA devices to prevent unauthorized additions by threat actors.