Cyber Criminals Have 'A New Granularity' In Their Toolset, Security Firm Warns

Cyber security platform Reblaze is warning of a sophisticated form of attack suffered by one of its clients. 

The attackers persistently attempted to evade detection and take control of user accounts, Reblaze says in a Friday blog post. 

It began with a wave of login requests, 262,000 over a five-day period, targeting the unnamed client. Then the attackers moved to a moderate rate of requests, say 50,000, in an effort to remain under the radar.

The malicious mischief moved on to credential cracking based on a password dictionary. The objective: to crack user credentials and steal accounts.

When that didn’t work, the bad actors turned to credential stuffing — “iterating through a list of full credential sets presumably stolen from other sites,” the post continues. Many consumers are active on multiple sites, it notes. 

Then there was address rotation: the attackers began using a different IP for every request, drawing on a global pool of ASNs.

As the situation progressed, the attackers “tried a variety of user agents, language and locale parameters, and other characteristics, attempting to make their requests appear to be unique and unrelated (to avoid being rate-limited by our security platform),” the post states.  
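A defender's view of the stages described above, as an added example that is not from Reblaze or its blog post: when every request arrives from a different IP, per-IP rate limits never fire, so the check below counts failed logins across the whole endpoint per time window and separates password guessing from credential stuffing by attempts per account. The event layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def make_sample():
    """Constructed events: (epoch_seconds, source_ip, username, login_ok)."""
    events = []
    for i in range(20):    # window 0: ordinary traffic from a few clients
        events.append((i * 10, f"198.51.100.{i % 5}", f"user{i % 8}", i % 10 != 0))
    for i in range(200):   # window 1: password dictionary against 3 accounts
        events.append((300 + i, f"203.0.113.{i}", f"victim{i % 3}", False))
    for i in range(200):   # window 2: stolen credential pairs, one try each
        events.append((600 + i, f"192.0.2.{i}", f"acct{i}", False))
    return events

def classify_windows(events, window=300, min_failures=100,
                     min_fail_ratio=0.9, max_req_per_ip=2.0):
    """Label each time window using endpoint-wide counts, not per-IP counts."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window].append((ip, user, ok))
    report = {}
    for w, rows in sorted(buckets.items()):
        failed = [(ip, user) for ip, user, ok in rows if not ok]
        ips = {ip for ip, _ in failed}
        users = {user for _, user in failed}
        verdict = "normal"
        # Rotation keeps every source under a per-IP limit, so look for a
        # burst of failures spread thinly across many sources instead.
        if (len(failed) >= min_failures
                and len(failed) / len(rows) >= min_fail_ratio
                and len(failed) / len(ips) <= max_req_per_ip):
            # Many tries per account: guessing. About one per account: stuffing.
            per_user = len(failed) / len(users)
            verdict = "credential_stuffing" if per_user <= 2 else "dictionary_cracking"
        busiest = max(Counter(ip for ip, _, _ in rows).values())
        report[w] = {"verdict": verdict, "failures": len(failed),
                     "busiest_ip_requests": busiest}
    return report

if __name__ == "__main__":
    for w, info in classify_windows(make_sample()).items():
        print(w, info)
```

In the constructed data the busiest IP in the attack windows sends fewer requests than the busiest IP in normal traffic, which is why the aggregate failure count, not the per-source rate, carries the signal.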

Reblaze says it thwarted the attack, but points out that the criminals had “an impressive granularity in their toolset. They were able to fine-tune a wide variety of parameters in the requests being generated, and they were methodical and thoughtful in the tactics that they tried.”