May 12, 2025
Severity
Medium
Analysis Summary
A sophisticated cyber campaign targeting Microsoft Entra ID was uncovered, running between March 18 and April 7, 2025. The attackers exploited legacy authentication protocols, specifically BAV2ROPC, SMTP AUTH, POP3, and IMAP4, to bypass modern security measures like Multi-Factor Authentication (MFA) and Conditional Access policies. These outdated methods, although deprecated by Microsoft, remain active in many organizations due to business continuity needs, inadvertently creating dangerous entry points for threat actors.
Researchers observed a highly coordinated effort using automated credential spraying and brute-force techniques aimed at these legacy endpoints. Over 9,000 suspicious login attempts were logged during the campaign, with a single-day spike of 8,534 attempts during the April 4–7 period. The attacks were globally distributed, originating mainly from Eastern Europe and the Asia-Pacific region. The campaign began with low-volume reconnaissance and escalated over time into aggressive, sustained activity primarily targeting Exchange Online, an indicator of intent to access sensitive emails and authentication tokens.
Central to the attackers’ strategy was the use of the BAV2ROPC protocol, which allows applications to bypass traditional user authentication processes by sending credentials directly to Entra ID in a non-interactive way. This mechanism issues access tokens without triggering MFA or Conditional Access policies, making it an effective backdoor. Its stealthy nature avoids generating user alerts or login prompts, allowing attackers to operate without detection, especially after harvesting credentials through phishing or other initial access methods.
One of the most alarming aspects of the campaign was its scale and focus on administrative accounts. A particular subset of accounts experienced nearly 10,000 login attempts from 432 unique IP addresses in just eight hours, showcasing the automated and distributed nature of the attack. This campaign underscores the critical risk posed by maintaining legacy protocols and highlights the urgent need for organizations to disable outdated authentication methods to close exploitable security gaps.
Impact
- Security Bypass
- Gain Access
Remediation
- Immediately disable outdated protocols such as BAV2ROPC, SMTP AUTH, POP3, and IMAP4 in Microsoft Entra ID and Exchange Online, unless absolutely required.
- Ensure all applications and services use OAuth 2.0 and modern authentication mechanisms that support MFA and Conditional Access.
- Apply strict Conditional Access policies to limit access based on device compliance, user risk level, and location.
- Require MFA for all users, especially privileged and administrative accounts.
- Regularly review Azure AD and Exchange Online sign-in logs for unusual activity such as failed logins from unfamiliar IPs or regions.
- Use Microsoft’s security defaults or conditional access policies to block legacy authentication tenant-wide.
- Minimize the number of global administrators and apply Just-In-Time (JIT) access using Azure AD Privileged Identity Management (PIM).
- Restrict access from high-risk countries or regions not relevant to your organization’s operations.
- Leverage tools like Microsoft Defender for Identity and Sentinel to detect brute-force or credential spraying attempts.
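The two log-review points above (checking sign-in logs for unusual activity, and detecting credential spraying) can be turned into a concrete check. The following is an added example, not code from the advisory or from Microsoft: it parses constructed sign-in records whose field names follow the Entra ID sign-in log schema (ClientAppUsed, UserAgent, ResultType), flags legacy-protocol and BAV2ROPC sign-ins, and reports accounts hit from many distinct IPs inside a sliding window. All record values are made up; the legacy client-app list and thresholds are assumptions to tune for your tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# ClientAppUsed values that indicate legacy (basic) authentication (assumed list).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients",
                      "Exchange ActiveSync", "Exchange Online PowerShell"}

# Constructed sample sign-in records, one JSON object per line.
# Field names follow the Entra ID sign-in log schema; every value is made up.
SAMPLE_LOG = """
{"TimeGenerated":"2025-04-04T02:00:00Z","UserPrincipalName":"admin@example.test","IPAddress":"203.0.113.10","ClientAppUsed":"Other clients","UserAgent":"BAV2ROPC","ResultType":"50126"}
{"TimeGenerated":"2025-04-04T02:00:05Z","UserPrincipalName":"admin@example.test","IPAddress":"203.0.113.11","ClientAppUsed":"Other clients","UserAgent":"BAV2ROPC","ResultType":"50126"}
{"TimeGenerated":"2025-04-04T02:00:09Z","UserPrincipalName":"admin@example.test","IPAddress":"198.51.100.7","ClientAppUsed":"IMAP4","UserAgent":"","ResultType":"50126"}
{"TimeGenerated":"2025-04-04T02:00:12Z","UserPrincipalName":"admin@example.test","IPAddress":"198.51.100.8","ClientAppUsed":"Other clients","UserAgent":"BAV2ROPC","ResultType":"0"}
{"TimeGenerated":"2025-04-04T09:30:00Z","UserPrincipalName":"alice@example.test","IPAddress":"192.0.2.5","ClientAppUsed":"Browser","UserAgent":"Mozilla/5.0","ResultType":"0"}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def is_legacy_auth(rec):
    """True when the sign-in used a legacy protocol or the BAV2ROPC flow."""
    return (rec.get("ClientAppUsed") in LEGACY_CLIENT_APPS
            or "BAV2ROPC" in rec.get("UserAgent", ""))

def find_spray_targets(records, window=timedelta(hours=8), min_ips=3):
    """Accounts that received legacy-auth attempts from >= min_ips distinct IPs
    within any `window`; also records whether any such attempt succeeded."""
    by_user = defaultdict(list)
    for r in records:
        if is_legacy_auth(r):
            by_user[r["UserPrincipalName"]].append(r)
    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["TimeGenerated"])
        times = [datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
                 for r in recs]
        start = 0
        for end in range(len(recs)):          # sliding window over sorted attempts
            while times[end] - times[start] > window:
                start += 1
            span = recs[start:end + 1]
            ips = {r["IPAddress"] for r in span}
            if len(ips) >= min_ips:
                hit = findings.setdefault(user, {"distinct_ips": 0, "succeeded": False})
                hit["distinct_ips"] = max(hit["distinct_ips"], len(ips))
                # ResultType "0" is a successful sign-in: a spray that landed.
                hit["succeeded"] = hit["succeeded"] or any(r["ResultType"] == "0" for r in span)
    return findings
```

On real data, export the SigninLogs table to newline-delimited JSON and feed it to `parse_signins`; any account reported with `succeeded` true is the one to reset and investigate first.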