Password spraying is a newer form of password attack that is being used effectively against larger networks. It has become enough of a problem to merit an alert from US-CERT entitled TA18-086A: Brute Force Attacks Conducted by Cyber Actors. Here’s how it works.
Typically, in a traditional brute-force password attack, the password cracking software runs a long list of every possible password against a system. In defense, we have countered by setting up limits and lockouts after a certain number of failed login attempts. So after five wrong guesses, the system will not accept further login attempts for 30 minutes or an hour. This has worked pretty well at blunting or at least slowing the effectiveness of the brute force attack.
With password spraying, the attacker tries each password guess once against every system in the network, returning after an interval to try the next guess on each machine in turn. So instead of trying 100 passwords against a single machine, it tries one password against 100 machines, and then starts over with password two. Rinse and repeat.
- This attack relies on Google searches, LinkedIn, and social engineering to develop a list of users in the target organization. Sometimes the attacker will export the Global Account List from an email client.
- It also exploits predictable human behaviour, such as easy-to-guess passwords, especially those known to be more likely in a corporate environment, like “May2018!” or “P@ssword123”.
- It is more common in single sign-on (SSO) and federated authentication environments, often those without two-factor authentication.
- Attackers also prefer environments where users are permitted to set up email forwarding.
There are signs that your company may be targeted:
- There will be a large increase in failed login attempts, across a wide selection of users, over periods of up to an hour, often from a single IP address.
- There may also be an increase in successful employee logins from IP addresses and geographic locations that would be unusual for employees.
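As an added example (not from the original article), here is a small Python check that applies the first sign above to constructed sample log lines: it flags a source IP whose failed logins span many distinct accounts within an hour, while a single account failing repeatedly from one IP (the classic brute-force pattern that lockout rules already address) is not flagged. The log format, IP addresses, user names and the five-account threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (one event per line); not from any real system.
SAMPLE_LOG = """\
2018-04-02T09:00:01 FAIL user=alice src=203.0.113.7
2018-04-02T09:00:04 FAIL user=bob src=203.0.113.7
2018-04-02T09:00:09 FAIL user=carol src=203.0.113.7
2018-04-02T09:00:15 FAIL user=dave src=203.0.113.7
2018-04-02T09:00:20 FAIL user=erin src=203.0.113.7
2018-04-02T09:00:26 FAIL user=frank src=203.0.113.7
2018-04-02T09:05:00 FAIL user=alice src=198.51.100.9
2018-04-02T09:05:30 FAIL user=alice src=198.51.100.9
2018-04-02T09:06:00 OK user=alice src=198.51.100.9
"""


def parse_event(line):
    """Split '<iso-timestamp> <FAIL|OK> user=<name> src=<ip>' into a tuple."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


def find_spray_sources(log_text, window=timedelta(hours=1), min_users=5):
    """Return {src_ip: peak count of distinct accounts with failed logins inside `window`}
    for every source that reaches `min_users`. One account failing repeatedly from one IP
    (ordinary brute force) never reaches the threshold; many accounts from one IP do."""
    fails = defaultdict(list)  # src_ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, result, user, src = parse_event(line)
            if result == "FAIL":
                fails[src].append((ts, user))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # Distinct accounts failing from this source within `window` after `start`.
            users = {u for t, u in events[i:] if t - start <= window}
            peak = max(peak, len(users))
        if peak >= min_users:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in find_spray_sources(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: {n} accounts failed within an hour")
```

In a real deployment the threshold and window should be tuned against the organisation's normal failed-login baseline, and the same per-source, many-accounts grouping can be expressed as a SIEM query over the authentication logs.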
This activity can result in disruption to operations, loss of proprietary information or PII, and financial losses due to mitigation costs or to actions directly attributable to the attack, such as wire transfer fraud. Recommended mitigations include:
- setting up two-factor or multi-factor authentication,
- increasing the length and strength of passwords,
- and reviewing policies and settings for password lockouts, decreasing the number of allowed failures and increasing the lockout duration.