I am looking for information, maybe a little insight as to how something like this can be done.
Yesterday one of our guys noticed a lot of failed authentications on the IDR “Ingress Locations” map on the home screen.
When going to the logs to see who, we saw a bunch of failed authentications (about 1867) for the same user from 93 countries all in about 6hrs.
None of the attempts had any success so we’re good there, and GEO blocking is being updated as I type. However, I’m interested to know how someone can hop the globe trying to log into a system over and over and over again so easily.
Thanks for helping further my knowledge and have a great day.
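One way to surface the pattern described in this post (one account, many countries, many failures in a short window) from authentication logs, as an added example that is not from the thread or from the IDR product; the CSV log format, sample lines and thresholds are constructed assumptions:

```python
# Added example (not from the thread): flag an account whose failed logins span
# many distinct countries inside a sliding time window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, format assumed: "timestamp,user,result,country"
SAMPLE_LOG = """\
2024-05-01T08:00:10Z,jdoe,FAILED,US
2024-05-01T08:03:42Z,jdoe,FAILED,BR
2024-05-01T08:05:01Z,jdoe,FAILED,DE
2024-05-01T08:09:55Z,jdoe,FAILED,IN
2024-05-01T08:15:30Z,jdoe,FAILED,NG
2024-05-01T08:20:12Z,asmith,SUCCESS,US
2024-05-01T09:10:00Z,asmith,FAILED,US
2024-05-01T20:00:00Z,jdoe,FAILED,FR
"""

def parse(line):
    ts, user, result, country = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, country

def find_distributed_failures(log_text, window=timedelta(hours=6),
                              min_failures=5, min_countries=3):
    """Return {user: (failures, distinct_countries)} for each user whose
    failed logins inside some window of length `window` meet both thresholds.
    The tuple reported is the largest (failures, countries) pair seen."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, country = parse(line)
        if result == "FAILED":
            events[user].append((ts, country))
    hits = {}
    for user, evs in events.items():
        evs.sort()  # sliding window needs chronological order
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            countries = {c for _, c in chunk}
            if len(chunk) >= min_failures and len(countries) >= min_countries:
                hits[user] = max(hits.get(user, (0, 0)),
                                 (len(chunk), len(countries)))
    return hits
```

The thresholds are deliberately low so the constructed sample triggers; on real data they would be tuned to the size of the user base, and a single successful login following such a burst is the event to escalate.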
So I am not the foremost expert in attacker techniques but to my understanding I’m assuming this was a user account for something like O365 or something that is publicly accessible on the internet. If that username was compromised to the fact that it’s public knowledge then it could very well be several outsiders attempting to authenticate to that account. Alternatively it could be a single actor using VPN egress endpoints to make it appear as if they are authenticating from several different locations all while attempting to authenticate to the same user account.
We see that all the time. It usually means the account is in a bunch of pastebins or credential leaks. You can get a good idea of what’s been leaked where by requesting a domain report from haveibeenpwned. O365 is a popular way to validate credentials because if you use something else like Gmail they can usually check credentials without MFA by using O365.