
Cyber security researchers have highlighted a new account takeover (ATO) campaign that abuses an open-source testing framework called TeamFiltration to compromise user accounts.
The activity, codenamed UNK_SneakyStrike by Proofpoint, has affected more than 80,000 targeted user accounts across the cloud tenants of hundreds of organizations since December 2024, when a surge in login attempts was observed that led to successful account takeovers.
“The attackers leveraged the Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts,” the enterprise security company said. “The attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook and others.”
TeamFiltration, publicly released by researcher Melvin “Flangvik” Langvik at the DEF CON security conference in August 2022, is described as a cross-platform framework for “enumerating, spraying, exfiltrating, and backdooring” Entra ID accounts.
The tool provides comprehensive capabilities to facilitate account takeover, including password spraying, data exfiltration, and persistent access obtained by uploading malicious files to a target’s Microsoft OneDrive account.
While the tool requires an Amazon Web Services account and a disposable Microsoft 365 account to facilitate password spraying and account enumeration,
The three primary geographic sources associated with the malicious activity, based on the number of IP addresses, are the United States (42%), Ireland (11%), and Great Britain (8%).
UNK_SneakyStrike activity has been described as a “large-scale user enumeration and password spraying effort,” with unauthorized access attempts arriving in “highly concentrated bursts” that target multiple users within a single cloud environment. Each burst is followed by a lull lasting four to five days.
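The burst pattern described above (many distinct accounts in one tenant hit from the same source IP within a short window, with only one or two attempts per account) is what a defender can hunt for in sign-in logs. The following Python detector is an added example, not code from Proofpoint or from the TeamFiltration project; the sign-in records are constructed, and the window and thresholds are assumed values to tune for your own tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data). Fields mimic
# the columns of an Entra ID sign-in log: time, tenant, user, source IP, app, result.
SAMPLE_SIGNINS = [
    ("2024-12-03T02:00:01", "tenant-a", f"user{i:02d}@tenant-a.example",
     "203.0.113.7", "Microsoft Teams", "failure")
    for i in range(1, 26)
] + [
    ("2024-12-03T02:00:40", "tenant-a", "user26@tenant-a.example",
     "203.0.113.7", "Microsoft Teams", "success"),
    # A normal user mistyping once, then logging in: should not be flagged.
    ("2024-12-03T09:15:00", "tenant-a", "alice@tenant-a.example",
     "198.51.100.20", "Outlook", "failure"),
    ("2024-12-03T09:15:30", "tenant-a", "alice@tenant-a.example",
     "198.51.100.20", "Outlook", "success"),
]

def find_spray_bursts(records, window=timedelta(minutes=10), min_users=10, max_per_user=2):
    """Return one (tenant, ip, distinct_users, successful_users) tuple per source IP
    whose sign-ins inside `window` touch at least `min_users` distinct accounts with
    at most `max_per_user` attempts each: many users, few tries per user, one source.
    Thresholds are assumptions; tune them to the tenant's normal sign-in volume."""
    by_key = defaultdict(list)
    for ts, tenant, user, ip, _app, result in records:
        by_key[(tenant, ip)].append((datetime.fromisoformat(ts), user, result))
    hits = []
    for (tenant, ip), events in by_key.items():
        events.sort()
        best, start = None, 0
        for end, (t_end, _, _) in enumerate(events):
            while t_end - events[start][0] > window:  # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for _, user, _ in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best[2]:  # keep the widest burst
                    successes = sorted({u for _, u, r in events[start:end + 1] if r == "success"})
                    best = (tenant, ip, len(per_user), successes)
        if best:
            hits.append(best)
    return hits

if __name__ == "__main__":
    for tenant, ip, n_users, successes in find_spray_bursts(SAMPLE_SIGNINS):
        print(f"{tenant}: {ip} hit {n_users} accounts; successful logins: {successes}")
```

Accounts listed under successful logins in a flagged burst are the ones to treat as compromised and re-secure first.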
The findings once again show how tools designed to help cyber security professionals can be misused by threat actors to carry out a wide range of nefarious tasks, allowing them to compromise user accounts, harvest sensitive data and establish persistent footholds.
“UNK_SneakyStrike’s targeting strategy suggests that they attempt to reach all user accounts within smaller cloud tenants, while focusing only on a subset of users in larger tenants,” Proofpoint said. “This behavior matches the tool’s advanced target acquisition features, which are designed to filter out less desirable accounts.”