Malicious cyber actors are increasingly using a style of brute force attack known as password spraying attacks against organizations in the United States and elsewhere.
Brute-force attacks traditionally attempt to gain unauthorized access to a user account by password-guessing techniques. A key symptom is frequent account lockouts as most organizations commonly allow 3 to 5 bad attempts and then account lock-out policies are triggered for a set period and access attempts are blocked from suspicious or infrequent IP addresses or specific locations.
Password spraying attacks happen when threat actors employ a technique of avoiding excessive or frequent lockouts to remain undetected. One password is used against many accounts before attempting the second password. Typical targets are single sign-on accounts for internal as well as cloud-based applications, which once compromised provide the intruder with maximum access to confidential and proprietary information. Email is the best way to target novice users, who generally use email synchronization on multiple devices and once their account is compromised it provides these actors access to organizations’ emails, attachment files and internal contacts etc.
A successful intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
- Temporary or permanent loss of sensitive or proprietary information;
- Disruption to regular operations;
- Financial losses incurred to restore systems and files; and
- Potential harm to an organization’s reputation.
How to Prepare for and Avoid Password Spraying Attacks
- Strongly consider employing Multi-Factor Authentication (MFA) for internet-facing business-critical applications and systems.
- Strictly enforce password policies on all business applications and IT assets for admins and end users
- Proactively monitor user account access from suspicious or blacklisted IP addresses and lockout attempts
- Implement best practices for user activity monitoring such as; Activity from infrequent locations, anonymous IP addresses, activity from suspicious IP addresses, unusual administrative activity etc.
- Educate the end users to use strong passwords and report password lockout incidents to IT Help-desk
At Difenda Cyber Command Center, we are proactively monitoring our customers’ environments for user activities and have employed advanced monitoring and detection techniques and related use cases to identify access anomalies and brute-force attempts for privileged and normal user accounts.
Refer to the US-Cert Advisory for more details US-Cert TA18-086A