Introduction to fasthttp and Its Impact on Microsoft Entra Users
Fasthttp is a high-performance HTTP server and client library for the Go programming language. Designed for efficiency, fasthttp offers improved throughput and lower latency compared to Go’s standard net/http package. While fasthttp is a valuable tool for legitimate applications, threat actors have begun exploiting its capabilities to execute brute-force login attempts and spam multi-factor authentication (MFA) requests. These malicious activities pose a significant risk to Microsoft Entra users, particularly through unauthorized access and compromised account security.
A successful cyberattack could result in unauthorized access to company accounts, which could compromise company or client data, and lead to business interruption or account lockouts.
Background on fasthttp Threat
On January 13th, 2025, the cyber counterintelligence firm SpearTip’s Managed SaaS Alerts team identified a growing threat leveraging the fasthttp library. Fasthttp has been observed as a tool for malicious activity, including brute-force login attempts and MFA spamming.
Key Details
- Targeted Resource: Azure Active Directory Graph API (Application ID: 00000002-0000-0000-c000-000000000000).
- First Observation: January 6th, 2025.
- Primary Geo Locations: 65% of traffic originates from Brazil, with other significant contributions from Turkey, Argentina, Uzbekistan, Pakistan, and Iraq (2-3% each).
- Activity Rates:
  - Authentication Failures: 41.53%
  - Accounts Locked Due to Brute-Force Attempts: 20.97%
  - Conditional Access Violations: 17.74%
  - MFA Authentication Failures: 10.08%
  - Successful Authentication Outside Expected Location: 9.68%
Investigation and Remediation Guidance for Potential Indicators of Compromise
IT staff can quickly check for potential indicators of compromise (IoC) by reviewing Entra ID Sign-in Logs in the Azure Portal. The recent emergence of threats leveraging the fasthttp library highlights the need for vigilance. This article incorporates additional context from the latest findings by SpearTip Security Operations Center and Managed SaaS Alerts Team.
Steps to Investigate
- Log in to the Azure Portal.
- Navigate to: Microsoft Entra ID → Users → Sign-in Logs.
- Apply the Filter: “Client app: Other Clients.”
  Note: This filter may return false positives. Confirm by reviewing the User Agent field under Basic Information in the logs. If malicious, the user agent will be “fasthttp.”
- Perform an Audit Log Search: Use the keyword “fasthttp” in Microsoft Purview to identify related activity.
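The filter and user-agent confirmation above, followed by triage of each hit into the outcome categories listed under Key Details, as an added PowerShell example run offline on constructed sample records; this is not SpearTip's script. Field names follow the Microsoft Graph signIn resource as it appears in a sign-in log JSON export; `$expectedCountries` and the AADSTS error codes used to classify outcomes are assumptions.

```powershell
# Added example, not SpearTip's script. Triages records shaped like an Entra ID sign-in log
# JSON export (Microsoft Graph signIn field names). The error codes are assumed AADSTS codes:
# 50126 bad password, 50053 account locked, 53003 blocked by Conditional Access, 500121 MFA failed.

$expectedCountries = @('US')   # assumption: where this tenant's users normally sign in from
# Constructed sample records, not real log data
$sampleJson = @'
[
 {"userPrincipalName":"alice@example.com","userAgent":"fasthttp","clientAppUsed":"Other clients","ipAddress":"203.0.113.10",
  "location":{"countryOrRegion":"BR"},"status":{"errorCode":50126,"failureReason":"Invalid username or password"},"conditionalAccessStatus":"notApplied"},
 {"userPrincipalName":"bob@example.com","userAgent":"fasthttp","clientAppUsed":"Other clients","ipAddress":"203.0.113.11",
  "location":{"countryOrRegion":"TR"},"status":{"errorCode":0,"failureReason":null},"conditionalAccessStatus":"success"},
 {"userPrincipalName":"carol@example.com","userAgent":"fasthttp","clientAppUsed":"Other clients","ipAddress":"203.0.113.12",
  "location":{"countryOrRegion":"BR"},"status":{"errorCode":53003,"failureReason":"Blocked by Conditional Access"},"conditionalAccessStatus":"failure"},
 {"userPrincipalName":"dave@example.com","userAgent":"Mozilla/5.0","clientAppUsed":"Browser","ipAddress":"198.51.100.5",
  "location":{"countryOrRegion":"US"},"status":{"errorCode":0,"failureReason":null},"conditionalAccessStatus":"success"}
]
'@
function Get-SignInCategory {
    param($Record, [string[]]$ExpectedCountries)
    $code = [int]$Record.status.errorCode
    # A Conditional Access block or an MFA failure means the password itself was accepted
    if ($Record.conditionalAccessStatus -eq 'failure' -or $code -eq 53003) { return 'ConditionalAccessViolation' }
    switch ($code) {
        50053  { return 'AccountLocked' }
        500121 { return 'MfaFailure' }
        50126  { return 'AuthFailure' }
        0      { if ($Record.location.countryOrRegion -in $ExpectedCountries) { return 'Success' }
                 return 'SuccessOutsideExpectedLocation' }
        default { return "Other($code)" }
    }
}
$records = $sampleJson | ConvertFrom-Json
# The "Client app: Other Clients" filter is noisy; confirm on the user agent string itself
$hits = $records | Where-Object { $_.userAgent -match '^fasthttp' }
$triage = $hits | ForEach-Object {
    [pscustomobject]@{
        User     = $_.userPrincipalName
        Ip       = $_.ipAddress
        Country  = $_.location.countryOrRegion
        Category = Get-SignInCategory -Record $_ -ExpectedCountries $expectedCountries
    }
}
$triage | Format-Table -AutoSize

# Accounts whose credentials the attacker evidently has: expire sessions and reset per the remediation steps
$needsReset = $triage | Where-Object { $_.Category -in 'Success','SuccessOutsideExpectedLocation','ConditionalAccessViolation','MfaFailure' } |
    Select-Object -ExpandProperty User -Unique
"Expire sessions and reset credentials: $($needsReset -join ', ')"
```

On the sample data this lists bob (success from an unexpected country) and carol (correct password stopped only by Conditional Access) for reset, while alice's plain password failure is reported but not escalated.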
Using the PowerShell Script
The SpearTip Security Operations Center has released a PowerShell script to help IT administrators detect the fasthttp user agent in audit logs. The script can be downloaded using the link below:
- Download: Download Script
- SHA1 Checksum: 9A04F339E95010FFB16049072C6033E7B8D4E014
Functionality:
- Generates console output.
- Creates an output file in the execution directory if the fasthttp user agent is detected.
Remediation Steps
If investigations reveal successful authentication or failed MFA and/or Conditional Access logs indicating correct credentials:
- Expire user sessions and reset user credentials immediately.
- Review MFA devices associated with potentially compromised accounts.
- Remove and re-add MFA devices to mitigate unauthorized device additions by threat actors.
Incident Response Recommendations
If the fasthttp user agent is detected and successful authentication is confirmed, follow your established incident response procedures immediately. Key actions include:
- Resetting credentials for affected users.
- Verifying and managing associated MFA devices.
- Monitoring for unauthorized changes in user settings or permissions.
Conclusion
The fasthttp library’s misuse in brute-force and MFA-spamming attacks underscores the importance of continuous monitoring and quick remediation. By leveraging tools like Entra ID Sign-in Logs and the provided PowerShell script, IT administrators can swiftly identify and address potential compromises. Proactive measures, including resetting user credentials and managing MFA devices, are essential to mitigating this evolving threat.
For further assistance, contact SpearTip Security Operations Center or your incident response team. Speartip: https://www.speartip.com/