Password Spraying is a New Type of Brute Force Attack

Password spraying is a newer password exploit that is being used effectively against larger networks.  It has become enough of a problem to merit an alert from US-CERT entitled TA18-086A: Brute Force Attacks Conducted by Cyber Actors.  Here's how it works.

Typically, in a traditional brute-force password attack, the password cracking software runs a long list of every possible password against a system.  In defense, we have countered by setting up limits and lockouts after a certain number of failed login attempts.  So after five wrong guesses, the system will not accept further login attempts for 30 minutes or an hour.  This has worked pretty well at blunting or at least slowing the effectiveness of the brute force attack.

With password spraying, the attacker makes a single password guess against each system in the network, waits out the lockout interval, and then returns to try the next guess against each one in turn, so no single account ever reaches the failure limit.  So instead of trying 100 passwords against a single machine, it tries one password against 100 machines, and then starts over with password two.  Rinse and repeat.

  • This exploit relies on Google search, LinkedIn, and social engineering to develop a list of users in the target organization.  Sometimes the attacker will export the Global Address List from an email client.
  • It also exploits human predictability, such as easy-to-guess passwords, especially ones known to be more likely in a corporate environment, like “May2018!” or “P@ssword123”.
  • It is more common in single sign-on (SSO) and authentication federation environments, often those without two-factor authentication.
  • Attackers also prefer environments where users are permitted to set up email forwarding.

There are signs that your company may be targeted.

  • There will be a huge increase in failed login attempts, spread across a wide selection of users, for periods of up to an hour, often from a single IP address.
  • There may also be an increase in successful employee logins from IP addresses and geographic locations that would be unusual for those employees.

This activity can result in disruption to operations, loss of proprietary information or PII, and financial losses due to mitigation costs or to actions directly attributable to the attack, such as wire transfer fraud.

Solutions include:

  • setting up two-factor or multi-factor authentication,
  • increasing the length and strength of passwords,
  • and reviewing policies and settings for password lockouts, decreasing the number of allowed failures and increasing the lockout duration.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
