Hello and welcome to the Wednesday, February 26, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Security Scorecard published a write-up about a botnet that they have observed attacking Microsoft 365 accounts.

And what's a little bit different here is that they're not sort of going after normal

user accounts, but instead they're going after accounts used by automatic scripts.

And with that, of course, you often don't have the ability to do things like two-factor authentication.

In this particular case, they're attacking accounts that are using basic authentication,

which means you typically have a static username and password, some kind of API key.

And, well, a recent NIST guidance, for example,

specifically suggested to move away from API keys.

And one of the big reasons behind that was that API keys tend to be difficult to rotate.

If you do need to design some kind of API and web services access.

The standard method these days is often O-O-O-O-O-O-R.

Now, O-O-Rth is not really safe from some of these Info-Stealer types,

but in addition to that, you probably also want to make sure

that development and production environment are cleanly separated

because infestilers tend to infect developers, not so much in production environments.

And as such, if an infestaler steals credentials from a developer, then, well, they can't be used against the production environment.

It may also be worthwhile looking into like Canary tokens here.

That's a nice little trick that can help you identify some of these attacks.

Now, security scorecard did publish a bunch of indicators of compromise here with the report,

but we all know that

...