Hackers Using ‘Fast HTTP’ in Targeting Microsoft 365 Password Stealing Attack

Researchers have discovered a new threat involving the Go programming language’s fasthttp library, which is known for its high-performance HTTP capabilities and is now being exploited in attacks.

The attackers are likely leveraging vulnerabilities in the fasthttp library to compromise systems, potentially leading to data breaches, service disruptions, and other malicious activity.

The fasthttp framework has been identified as a potential threat vector: analysis reveals it is being used to compromise Azure Active Directory accounts through brute-force attacks and MFA exhaustion.

The Azure Active Directory Graph API (Application ID: 00000002-0000-0000-c000-000000000000) is the target of the attack, which is carried out using the fasthttp user agent.

This malicious activity was first observed on January 6th, 2025, across a significant number of Microsoft 365 tenants, and it highlights the urgent need for enhanced security measures to mitigate these attacks.

Analysis of data from SpearTip and the Managed SaaS Alerts Team reveals that 65% of the fasthttp user-agent traffic originates from Brazil, spread across a wide array of Autonomous System Numbers (ASNs) and IP addresses.

Turkey, Argentina, Uzbekistan, Pakistan, and Iraq each contribute a modest share, roughly two to three percent apiece.

The investigation into the fasthttp-related threat revealed a high rate of authentication failures (41.53%), primarily due to incorrect credentials, further exacerbated by account lockouts (20.97%) triggered by the brute-force attempts.

Conditional access violations, which accounted for 17.74% of all violations, frequently originated from South America and indicated attempts to circumvent security policies.

MFA authentication failures (10.08%) suggested difficulties in bypassing multi-factor authentication mechanisms, while successful authentications from unexpected locations (9.68%) highlighted potential account compromises.

The PowerShell script, which is available for download with a SHA1 checksum for verification, generates console output and writes an output file whenever it detects the “fasthttp” user agent in the sign-in logs.

It assists IT administrators in identifying potential security incidents related to the “fasthttp” user agent, which may be associated with malicious activity.
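The detection logic described above, as an added example in Python rather than the researchers' own PowerShell script: it scans constructed sign-in records (not real tenant data) for the fasthttp user agent and buckets each hit into the outcome categories the report counts. The error-code mapping and the set of expected sign-in countries are assumptions and should be checked against your own tenant.

```python
import json
from collections import Counter

# Constructed sample records in the shape of exported Entra ID sign-in logs
# (JSON lines); these are not real tenant data.
SAMPLE_SIGNIN_LOG = """\
{"userPrincipalName": "alice@example.com", "userAgent": "fasthttp", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "BR"}}
{"userPrincipalName": "bob@example.com", "userAgent": "fasthttp", "status": {"errorCode": 50053}, "location": {"countryOrRegion": "BR"}}
{"userPrincipalName": "carol@example.com", "userAgent": "fasthttp", "status": {"errorCode": 53003}, "location": {"countryOrRegion": "AR"}}
{"userPrincipalName": "dave@example.com", "userAgent": "fasthttp", "status": {"errorCode": 500121}, "location": {"countryOrRegion": "TR"}}
{"userPrincipalName": "erin@example.com", "userAgent": "fasthttp", "status": {"errorCode": 0}, "location": {"countryOrRegion": "BR"}}
{"userPrincipalName": "frank@example.com", "userAgent": "Mozilla/5.0 (Windows NT 10.0)", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}}
"""

# Assumed mapping of Entra sign-in error codes to the outcome buckets the
# report describes; verify these codes against your own tenant's logs.
OUTCOMES = {
    50126: "invalid_credentials",
    50053: "account_locked",
    53003: "conditional_access_blocked",
    500121: "mfa_failed",
}
# Assumption: the countries your organisation normally signs in from.
EXPECTED_COUNTRIES = {"US"}

def parse_signin_log(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_fasthttp(record):
    """True when the sign-in was made with the fasthttp client string."""
    return "fasthttp" in record.get("userAgent", "").lower()

def classify(record):
    """Bucket one sign-in the way the report's statistics do."""
    code = record.get("status", {}).get("errorCode", 0)
    if code == 0:
        country = record.get("location", {}).get("countryOrRegion")
        if country not in EXPECTED_COUNTRIES:
            return "success_unexpected_location"  # likely compromise: respond first
        return "success"
    return OUTCOMES.get(code, "other_failure")

def analyze(text):
    """Return (flagged sign-ins, per-outcome counts) for fasthttp traffic only."""
    flagged = [(r["userPrincipalName"], classify(r))
               for r in parse_signin_log(text) if is_fasthttp(r)]
    return flagged, Counter(outcome for _, outcome in flagged)
```

Accounts in the `success_unexpected_location` bucket are the ones the response steps below apply to first; the failure buckets show the spread of brute-force and MFA-exhaustion attempts.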

Upon a successful authentication, or a failed MFA/Conditional Access attempt made with valid credentials, immediately expire all of the user’s sessions and reset their password.

Thoroughly review all MFA devices linked to potentially compromised accounts. Remove and re-add any suspicious or unauthorized devices to prevent further unauthorized access. 

Once the fasthttp user agent has been identified and a successful authentication has been confirmed, incident response protocols should be initiated automatically.

Reset compromised user credentials and thoroughly verify and manage associated MFA devices. Continuously monitor user settings and permissions for any unauthorized modifications indicative of potential further compromise.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
