
Hackers Target Microsoft 365 With High-Speed Attack: Cyber Security Today for January 17, 2025

Jan 17, 2025, 6 min

Episode description

Cybersecurity Today: High-Speed Go Library Exploits & Major Data Breaches

In today's episode, host Jim Love covers recent cybersecurity threats, including the exploitation of a high-speed Go library to target Microsoft 365 accounts, North Korea's Lazarus Group's new tactics to lure developers with AI-enhanced job scams, and the leak of sensitive data from over 15,000 FortiGate devices by the Belsen Group. Learn more about these threats and how to protect your systems.

00:00 Hackers Exploit High-Speed Go Library to Target Microsoft 365
02:07 North Korea's Lazarus Group Targets Developers with Job Scams
04:09 Belsen Group Leaks Sensitive Data from FortiGate Devices
05:58 Conclusion and Contact Information

Transcript

Hackers exploit a high-speed Go library to target Microsoft 365 accounts worldwide. North Korea's Lazarus Group lures developers with AI-enhanced job scams, and 15,000 FortiGate devices are exposed as hackers leak sensitive VPN credentials and configurations. This is Cybersecurity Today. I'm your host, Jim Love. Threat actors are using the FastHTTP Go library to launch high-speed brute force password attacks on Microsoft 365 accounts worldwide.

Detected by incident response firm SpearTip, this campaign began on January 6th and primarily targets the Azure Active Directory Graph API. FastHTTP, a high-performance HTTP library for the Go programming language, is being exploited to automate unauthorized login attempts. Attackers are also leveraging multi-factor authentication fatigue tactics, bombarding users with repeated MFA challenges to gain access.

An investigation revealed that 65 percent of the attack traffic originates from Brazil, with significant activity from Turkey, Argentina and other countries. While most attacks fail or are blocked, a concerning 9.7 percent successfully authenticate, underscoring the risks of account takeovers. SpearTip has issued guidance, including a PowerShell script, to detect the FastHTTP user agent in logs.

Administrators should immediately reset compromised accounts, review authorized MFA devices, and follow the indicators of compromise outlined in the report. This campaign highlights the importance of enforced MFA policies and vigilant monitoring to protect your sensitive data. You can read more in SpearTip's full report. There's a link in the show notes. North Korea's Lazarus, an advanced persistent threat group, is once again using clever tricks to target developers looking for jobs.

Their latest campaign, dubbed Operation 99, disguises attackers as recruiters on LinkedIn offering lucrative job opportunities. The goal? To trick freelance software developers into cloning malicious Git repositories loaded with malware. Now, this isn't Lazarus's first foray into job scams. Previous campaigns like Operation Dream Job in 2021 and Dev#Popper have exploited job seekers, but researchers note that Operation 99 takes things to a new level.

They have AI-generated recruiter profiles combined with compromised LinkedIn accounts, which make these scams highly convincing. According to Ryan Sherstobitoff, the senior VP of threat research for a firm called SecurityScorecard, by presenting complete and convincing profiles, attackers offer what seem to be genuine job opportunities. Now, once developers clone the malicious repositories, malware with names like Main99 and Payload9973 springs into action.

They steal source code, cryptocurrency wallet keys, and other sensitive data. The malware also works across operating systems, targeting Windows, macOS, and Linux with tools for keylogging, clipboard monitoring, and credential theft. Experts warn developers to treat job offers involving repository cloning or software downloads with caution. As Sherstobitoff puts it, if a job opportunity seems too good to be true, it likely is.

Employers are urged to reinforce social engineering awareness and emphasize cybersecurity best practices to guard against these sophisticated attacks. A new hacking group known as the Belsen Group has leaked sensitive data from over 15,000 FortiGate devices. The stolen information, published on the dark web, includes VPN credentials, private keys, and firewall configurations, exposing organizations to serious risks.

This breach reportedly stems from attacks in 2022 that exploited a zero-day vulnerability in FortiOS firmware. The flaw, tracked as CVE-2022-4684, allowed attackers to access device configurations and create rogue super-admin accounts. Despite Fortinet releasing a patch in October 2022, many devices remain unpatched or misconfigured, making them vulnerable even now. What makes this leak particularly dangerous is how organized the stolen data is.

The files, sorted by country and device IP address, provide a blueprint for cybercriminals to penetrate networks. Cybersecurity expert Kevin Beaumont confirmed the authenticity of the data, warning that it poses a renewed threat. The data appears to have been assembled in October 2022, but its release now makes it a ticking time bomb. This isn't the first time Fortinet has been targeted. In 2021, nearly 500,000 VPN credentials were exposed in another attack.

Organizations using FortiGate devices are urged to act immediately. Beaumont plans to release a list of impacted IPs to help administrators determine if they're at risk. In the meantime, administrators should reset credentials, update firmware, and conduct a thorough review of configurations to ensure their networks are secure. And that's our show for today. You can reach me with tips, comments, and even the occasional constructive criticism at editorial at technewsday.ca. I'm your host, Jim Love. Thanks for listening.
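The episode mentions that SpearTip published a PowerShell script to find the FastHTTP user agent in sign-in logs, and that administrators should reset affected accounts and review MFA devices. The script below is an added example written for this page, not SpearTip's script and not code from the podcast. It assumes an Entra ID sign-in log export in JSON-lines form with the field names `userAgent`, `status.errorCode`, `location.countryOrRegion`, `userPrincipalName` and `createdDateTime` (an assumption; adjust to your export), treats `errorCode` 0 as a successful sign-in, and uses an assumed set of error codes to represent incomplete MFA challenges. The sample records are constructed. It reports the FastHTTP hits by country, the share that authenticated successfully, the accounts that need a reset and MFA-device review, and users who received a burst of MFA challenges in a short window, the pattern described as MFA fatigue.

```python
"""Triage Microsoft 365 / Entra ID sign-in logs for FastHTTP-driven
password attacks and MFA-fatigue bursts.

Added example for this page; not SpearTip's PowerShell script.
Field names follow the Entra ID sign-in log JSON export (assumed);
all records below are constructed, not real telemetry.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export (JSON lines). Hypothetical users and RFC 5737 IPs.
SAMPLE_LOG = """
{"createdDateTime":"2025-01-06T03:10:05Z","userPrincipalName":"alice@example.com","userAgent":"fasthttp","status":{"errorCode":50126},"location":{"countryOrRegion":"BR"},"ipAddress":"203.0.113.10"}
{"createdDateTime":"2025-01-06T03:10:06Z","userPrincipalName":"alice@example.com","userAgent":"fasthttp","status":{"errorCode":50126},"location":{"countryOrRegion":"BR"},"ipAddress":"203.0.113.10"}
{"createdDateTime":"2025-01-06T03:10:07Z","userPrincipalName":"bob@example.com","userAgent":"fasthttp","status":{"errorCode":0},"location":{"countryOrRegion":"BR"},"ipAddress":"203.0.113.11"}
{"createdDateTime":"2025-01-06T03:10:08Z","userPrincipalName":"bob@example.com","userAgent":"fasthttp","status":{"errorCode":50126},"location":{"countryOrRegion":"TR"},"ipAddress":"198.51.100.5"}
{"createdDateTime":"2025-01-06T03:11:00Z","userPrincipalName":"carol@example.com","userAgent":"fasthttp","status":{"errorCode":50074},"location":{"countryOrRegion":"BR"},"ipAddress":"203.0.113.12"}
{"createdDateTime":"2025-01-06T03:12:00Z","userPrincipalName":"carol@example.com","userAgent":"fasthttp","status":{"errorCode":50074},"location":{"countryOrRegion":"BR"},"ipAddress":"203.0.113.12"}
{"createdDateTime":"2025-01-06T03:13:00Z","userPrincipalName":"carol@example.com","userAgent":"fasthttp","status":{"errorCode":50074},"location":{"countryOrRegion":"TR"},"ipAddress":"198.51.100.6"}
{"createdDateTime":"2025-01-06T03:14:00Z","userPrincipalName":"carol@example.com","userAgent":"fasthttp","status":{"errorCode":50074},"location":{"countryOrRegion":"AR"},"ipAddress":"192.0.2.7"}
{"createdDateTime":"2025-01-06T03:15:00Z","userPrincipalName":"carol@example.com","userAgent":"fasthttp","status":{"errorCode":50074},"location":{"countryOrRegion":"BR"},"ipAddress":"203.0.113.12"}
{"createdDateTime":"2025-01-06T03:20:00Z","userPrincipalName":"dave@example.com","userAgent":"FastHTTP","status":{"errorCode":50126},"location":{"countryOrRegion":"AR"},"ipAddress":"192.0.2.8"}
{"createdDateTime":"2025-01-06T09:00:00Z","userPrincipalName":"alice@example.com","userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/120.0","status":{"errorCode":0},"location":{"countryOrRegion":"US"},"ipAddress":"192.0.2.50"}
{"createdDateTime":"2025-01-06T09:30:00Z","userPrincipalName":"carol@example.com","userAgent":"Mozilla/5.0 (Macintosh) Safari/605.1","status":{"errorCode":0},"location":{"countryOrRegion":"US"},"ipAddress":"192.0.2.51"}
"""

FASTHTTP_MARKER = "fasthttp"        # matched case-insensitively in the user agent
SUCCESS_CODE = 0                    # Entra sign-in logs: errorCode 0 is a successful sign-in
MFA_CHALLENGE_CODES = {50074, 500121}  # assumed codes for MFA challenges the user did not complete


def parse_signins(text):
    """Parse a JSON-lines sign-in export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _timestamp(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def is_fasthttp(record):
    """True when the sign-in came from a FastHTTP client (any letter case)."""
    return FASTHTTP_MARKER in (record.get("userAgent") or "").lower()


def triage(records):
    """Summarise FastHTTP sign-ins: volume by country, success rate, accounts to reset."""
    hits = [r for r in records if is_fasthttp(r)]
    by_country = Counter(r["location"]["countryOrRegion"] for r in hits)
    successes = [r for r in hits if r["status"]["errorCode"] == SUCCESS_CODE]
    success_rate = round(100.0 * len(successes) / len(hits), 1) if hits else 0.0
    # Any account that authenticated from a FastHTTP client is treated as compromised:
    # reset the password and review its registered MFA devices.
    accounts_to_reset = sorted({r["userPrincipalName"] for r in successes})
    return {
        "total_fasthttp": len(hits),
        "by_country": dict(by_country),
        "success_rate_pct": success_rate,
        "accounts_to_reset": accounts_to_reset,
    }


def mfa_fatigue_candidates(records, window_minutes=10, threshold=5):
    """Return {user: max challenges seen within any window} for users whose
    count reaches the threshold; a burst of prompts is the MFA-fatigue pattern."""
    challenges = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] in MFA_CHALLENGE_CODES:
            challenges[r["userPrincipalName"]].append(_timestamp(r))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, times in challenges.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while times[start] < t - window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    print(json.dumps(triage(recs), indent=2))
    print("MFA fatigue candidates:", mfa_fatigue_candidates(recs))
```

On the constructed sample, ten of the twelve sign-ins come from a FastHTTP client, one of them succeeds, and one user receives five MFA challenges within four minutes; the two browser sign-ins are ignored by the user-agent check. Against a real export, the accounts listed under `accounts_to_reset` are the ones to reset first, and the fatigue list is the set of users whose registered MFA devices deserve review.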

Transcript source: Provided by creator in RSS feed.