The Rise of HTTP Clients in Account Takeover Cyberattacks – Cloud Magazine

HTTP clients, tools used to send and receive requests on the web, have become one of the primary weapons for cybercriminals to take over accounts. A recent report from Proofpoint reveals that, in the second half of 2024, 78% of Microsoft 365 users experienced at least one account takeover attempt through these applications.

Tools within Reach of Attackers

HTTP clients, such as OkHttp, Axios, or Node Fetch, are widely used by developers to conduct testing and manage connections with servers. However, these tools have also been exploited by malicious actors who repurpose them from public repositories to carry out brute force and adversary-in-the-middle (AiTM) attacks.

Since 2018, these methods have evolved, and by 2024, an increase in the diversity of HTTP clients used has been identified. While variants of OkHttp dominated in the early months of the year, a growing use of alternatives like Axios and Node Fetch was observed in March, facilitating high-speed attacks against cloud accounts.

Sophisticated Attacks with High Success Rates

Although most account takeover attempts based on HTTP clients are brute force attacks with low success rates, Proofpoint has identified highly effective campaigns. A notable case is the Axios client, which, when combined with AiTM techniques, has achieved a monthly success rate of 38%. This tool can intercept, transform, and cancel traffic, facilitating the theft of credentials and access tokens.

Among the main targets of these attacks are executives, financial managers, and operational personnel in strategic sectors such as transportation, construction, finance, IT, and healthcare. According to the report, between June and November 2024, more than 51% of targeted organizations were attacked, with 43% of accounts compromised.

Evolution and Trends in HTTP Client Attacks

In recent months, cybercriminals have refined their tactics by incorporating distributed infrastructure and hijacked IP networks to reduce their exposure and evade detection. A massive brute force campaign using Node Fetch has been identified, characterized by its high speed and distribution of access attempts. Since June 2024, more than 13 million fraudulent login attempts have been recorded, averaging 66,000 attempts daily.

Additionally, in August 2024, a variant based on Go Resty, an HTTP client library for Go, emerged and allowed attacks to diversify even further. Use of this tactic declined in October, while attacks using Node Fetch remain active.

Challenges and Mitigation Measures

In light of this landscape, cybersecurity experts warn that attackers will continue to adapt their strategies and tools to increase the effectiveness of their attacks and evade defense mechanisms. Proofpoint researchers recommend strengthening multi-factor authentication measures, monitoring suspicious access patterns, and blocking the use of HTTP clients in sensitive environments.
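The recommendation to monitor suspicious access patterns can be turned into a concrete detection. The following Python script is an added example, not code from the article or from Proofpoint: it reads constructed sign-in log lines (the space-separated format, the IP addresses and the account names are all assumptions made for the example), flags events whose user agent names one of the HTTP client libraries discussed above (the user-agent substrings are assumed defaults of those libraries), raises the severity when such a client logs in successfully, and separately reports a burst of failed logins from one source IP. Pairing the user-agent match with the volume check matters because a user agent is trivially spoofable on its own.

```python
"""Flag sign-in events that look like HTTP-client-library driven account takeover attempts.

Added example: log format, sample data and user-agent patterns are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed user-agent substrings of the client libraries named in the article.
CLIENT_LIBRARY_PATTERNS = {
    "okhttp": re.compile(r"\bokhttp/", re.I),
    "axios": re.compile(r"\baxios/", re.I),
    "node-fetch": re.compile(r"\bnode-fetch\b", re.I),
    "go-resty": re.compile(r"\bgo-resty/", re.I),
}

# Constructed sample sign-in log: timestamp, source IP, account, result, user agent.
SAMPLE_LOG = """\
2024-09-01T10:00:01Z 203.0.113.10 cfo@example.com FAILURE axios/1.6.8
2024-09-01T10:00:02Z 203.0.113.10 cfo@example.com FAILURE axios/1.6.8
2024-09-01T10:00:03Z 203.0.113.10 cfo@example.com FAILURE axios/1.6.8
2024-09-01T10:00:04Z 203.0.113.10 finance@example.com FAILURE axios/1.6.8
2024-09-01T10:00:05Z 203.0.113.10 finance@example.com FAILURE axios/1.6.8
2024-09-01T10:00:06Z 203.0.113.10 ops@example.com SUCCESS axios/1.6.8
2024-09-01T10:03:00Z 198.51.100.7 alice@example.com SUCCESS Mozilla/5.0 (Windows NT 10.0; Win64; x64) OutlookDesktop
2024-09-01T11:15:00Z 192.0.2.55 bob@example.com FAILURE okhttp/4.12.0
"""


def parse_line(line):
    """Split one log line into a dict; the user agent may itself contain spaces."""
    ts, ip, user, result, user_agent = line.split(" ", 4)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "user": user,
        "result": result,
        "user_agent": user_agent,
    }


def identify_client(user_agent):
    """Return the client library name if the user agent matches one, else None."""
    for name, pattern in CLIENT_LIBRARY_PATTERNS.items():
        if pattern.search(user_agent):
            return name
    return None


def analyse(log_text, window=timedelta(minutes=5), failure_threshold=5):
    """Return a list of findings: user-agent hits, successful client-library logins, failure bursts."""
    findings = []
    failures_by_ip = defaultdict(list)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        client = identify_client(event["user_agent"])
        if client:
            findings.append({"kind": "client_library_user_agent", "ip": event["ip"],
                             "user": event["user"], "detail": client})
            if event["result"] == "SUCCESS":
                # A successful sign-in from a scripting client is the AiTM / token-theft shape.
                findings.append({"kind": "client_library_success", "ip": event["ip"],
                                 "user": event["user"], "detail": client})
        if event["result"] == "FAILURE":
            failures_by_ip[event["ip"]].append(event["time"])

    # Sliding window over sorted failure timestamps per source IP.
    for ip, times in failures_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= failure_threshold:
            findings.append({"kind": "failure_burst", "ip": ip, "user": None,
                             "detail": f"{peak} failures within {window}"})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample data the script reports seven client-library user-agent hits, one successful client-library sign-in (the `ops@example.com` event) and one failure burst from `203.0.113.10`; the threshold and window are parameters so they can be tuned to a tenant's normal failure rate before alerting on them.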

The evolution of attacks using HTTP clients shows that cybercriminals continue to innovate in their methods. With a combination of legitimate tools and advanced strategies, organizations must remain vigilant to protect their systems and data against this constantly evolving type of threat.

via: Proofpoint
