fasthttp Used in New Bruteforce Campaign

Djurre (DJ) Hoeksema, James Rigdon, and Benjamin Jones | January 13th, 2025

Fasthttp User Agent

On January 13th, the SpearTip Security Operations Center, in collaboration with the Managed SaaS Alerts team, identified an emerging threat leveraging the fasthttp library. Fasthttp is a high-performance HTTP server and client library for the Go programming language, designed to handle HTTP requests more efficiently than Go’s standard net/http package. It offers improved throughput and lower latency, particularly under high load.

The SpearTip Security Operations Center suspects the fasthttp framework is being used to gain unauthorized access to accounts through brute-force login attempts and spamming multi-factor authentication (MFA) requests. All observed attempts have targeted the Azure Active Directory Graph API (Application ID: 00000002-0000-0000-c000-000000000000). Data analyzed from a large set of Microsoft 365 tenants indicates that fasthttp was first observed as a user agent on January 6th, 2025.

Geo Location Data

Analysis of data sets from SpearTip and the Managed SaaS Alerts Team indicates that 65% of the traffic associated with the agent originates from Brazil, leveraging a diverse range of ASN providers and IP addresses. Other source countries include Turkey, Argentina, Uzbekistan, Pakistan, and Iraq, each contributing approximately 2–3% of the observed traffic. A detailed list of ASN providers and IP addresses is available in Appendix A under the IOCs section.

Observed Activity Rates

The table below provides a detailed summary of activity types observed during the investigation of the fasthttp-related threat:

Activity Type | Observed Rate | Insights
Authentication Failures | 41.53% | Unsuccessful login attempts using incorrect credentials.
Accounts Locked Due to Brute-Force Attempts | 20.97% | Account lockouts triggered by protection policies.
Conditional Access Violations | 17.74% | Login attempts that fail Conditional Access policies, such as geo-restrictions or device compliance requirements; often triggered by traffic coming primarily from South America.
MFA Authentication Failures | 10.08% | Failed attempts to complete multi-factor authentication, indicating that attackers are likely spamming MFA requests or are unable to bypass MFA mechanisms.
Successful Authentication – Outside Expected Location | 9.68% | Instances where attackers successfully authenticated, but from unusual or unauthorized geographical locations.

Investigation and Remediation Guidance

IT staff can quickly check for potential indicators of compromise by reviewing Entra ID Sign-in logs via the Azure Portal.

Steps to Investigate

  1. Log in to the Azure Portal.
  2. Navigate to Microsoft Entra ID > Users > Sign-in Logs.
  3. Apply the filter Client app: “Other Clients”.

Note: This filter may return false positives. To confirm a hit, review the “User Agent” field under Basic Information in the log entry; for this campaign the user agent will be “fasthttp”.

You can also perform an audit log search in Microsoft Purview using the keyword “fasthttp” to identify related activity.

PowerShell Script

The SpearTip Security Operations Center has released a PowerShell script for IT administrators to check for the presence of the fasthttp user agent in audit logs. The script can be downloaded here:

SHA1 Checksum: 9A04F339E95010FFB16049072C6033E7B8D4E014

The script generates console output and creates an output file in the directory where it was executed if the fasthttp user agent is detected.
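As an added illustration of the triage described above (this is not SpearTip's PowerShell script), the following Python example reads an exported set of sign-in records, one JSON object per line, keeps only those with the fasthttp user agent, buckets them into the activity types from the table, and lists the accounts whose credentials must be treated as compromised under the remediation criteria below. The field names (userAgent, status.errorCode, location.countryOrRegion) follow the Microsoft Graph signIn resource and the errorCode-to-category mapping is an assumption to verify against your own tenant's logs; the sample records are constructed.

```python
"""Triage exported Entra ID sign-in records for the fasthttp user agent (added example)."""
import json
from collections import Counter

# Assumed mapping of Entra sign-in errorCode values to the advisory's activity types;
# check these codes against your tenant's sign-in log documentation before relying on them.
CATEGORY_BY_CODE = {
    0: "success",
    50126: "auth_failure",        # wrong username or password
    50053: "account_locked",      # lockout after repeated failures
    53003: "conditional_access",  # blocked by a Conditional Access policy
    500121: "mfa_failure",        # strong authentication (MFA) failed
}
# Categories in which the password was correct, so the advisory calls for a credential reset.
CREDENTIAL_VALID = {"success", "success_outside_expected", "conditional_access", "mfa_failure"}

def classify(rec, expected_countries):
    """Return the activity type for one fasthttp sign-in record, or None if unrelated."""
    if rec.get("userAgent", "").lower() != "fasthttp":
        return None
    cat = CATEGORY_BY_CODE.get(rec.get("status", {}).get("errorCode"), "other_failure")
    if cat == "success" and rec.get("location", {}).get("countryOrRegion") not in expected_countries:
        cat = "success_outside_expected"
    return cat

def triage(jsonl, expected_countries=frozenset({"US"})):
    """Count fasthttp activity by type and list users whose credentials are likely valid."""
    counts, flagged = Counter(), set()
    for line in filter(str.strip, jsonl.splitlines()):
        rec = json.loads(line)
        cat = classify(rec, expected_countries)
        if cat is None:
            continue
        counts[cat] += 1
        if cat in CREDENTIAL_VALID:
            flagged.add(rec["userPrincipalName"])
    return counts, sorted(flagged)

# Constructed sample export: one JSON object per line, field names as in the Graph signIn resource.
SAMPLE_JSONL = """
{"userPrincipalName":"ana@corp.example","userAgent":"fasthttp","location":{"countryOrRegion":"BR"},"status":{"errorCode":50126}}
{"userPrincipalName":"ben@corp.example","userAgent":"fasthttp","location":{"countryOrRegion":"BR"},"status":{"errorCode":50053}}
{"userPrincipalName":"cai@corp.example","userAgent":"fasthttp","location":{"countryOrRegion":"TR"},"status":{"errorCode":53003}}
{"userPrincipalName":"dee@corp.example","userAgent":"fasthttp","location":{"countryOrRegion":"BR"},"status":{"errorCode":500121}}
{"userPrincipalName":"eve@corp.example","userAgent":"fasthttp","location":{"countryOrRegion":"BR"},"status":{"errorCode":0}}
{"userPrincipalName":"fay@corp.example","userAgent":"Mozilla/5.0","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
"""

if __name__ == "__main__":
    print(triage(SAMPLE_JSONL))  # activity counts, then accounts needing session expiry and reset
```

Running the sample yields one record in each of the five table categories and flags cai, dee and eve, whose MFA, Conditional Access or successful sign-ins imply a correct password.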

Remediation Steps

If investigations reveal successful authentication, or failed MFA and/or Conditional Access log entries where the username and password were correct:

  1. Expire user sessions and reset user credentials immediately.
  2. Review MFA devices associated with potentially compromised users.
  3. Remove and re-add MFA devices as needed, as Threat Actors may add unauthorized devices.

How SpearTip Has Responded

SpearTip has taken the following actions to address the threat:

  • Verified the presence of the fasthttp user agent across all SpearTip clients and notified affected clients.
  • Shared indicators of compromise (IOCs) with the Managed SaaS Alerts Team to help safeguard their clients.
  • Created and deployed a SaaS Alerts Respond rule to automatically remediate activity linked to the fasthttp user agent. This rule has been shared with the SaaS Alerts Saa$y community.

Incident Response Recommendations

If the fasthttp user agent is detected in your environment and successful authentication is confirmed, follow your established incident response procedures immediately. Key recommendations include:

  • Resetting credentials for affected users.
  • Verifying and managing associated MFA devices.
  • Monitoring for unauthorized changes in user settings or permissions.

For assistance with investigation and remediation, the SpearTip Incident Response team is available at [email protected] or via the SpearTip Breach Hotline at 833.977.7327.


Appendix A

ASN Providers


IP Addresses
