In March, Iranian hackers from the Mabna Institute were charged with launching attacks against universities, large US companies, and government agencies, and with stealing information, including academic research in technology, medicine, and other sciences, valued at over $3.4 billion.
The attack targeted more than 100,000 university professors worldwide, and successfully breached the accounts of roughly 8,000 professors at hundreds of US and foreign institutions, including several large Australian universities. The hackers studied each of their targets and sent a specialized e-mail that appeared to come from other university professors expressing interest in recently published work. The e-mails contained what appeared to be links to other research, but were actually links directing the recipients to malicious websites that would mimic a legitimate login page and steal the professors’ login information. Once the accounts were compromised the hackers were able to gain access to sensitive research data.
Attacks were also made against many private sector organizations and state and federal government agencies. These attacks were less sophisticated: for these targets, the hackers simply deployed a technique called “password spraying”. They collected potential e-mail addresses of employees they could locate online, and then tried commonly used passwords against those accounts. Spray attacks search for accounts with the easiest passwords (e.g. Password123) and try only a few simple passwords before moving on to the next account. Because each account receives only a handful of attempts, the account lockout safety features that are typically deployed are never triggered, which allowed the attacks to go undetected for a longer period of time.
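The reason per-account lockout misses a spray is that the counter it watches is the wrong one: each account sees only one or two failures, while the attacking source racks up failures across dozens of accounts. The following detection script is an added example, not code from the article or from the firm that wrote it. It runs over a constructed sample of authentication events (the log format, the addresses, the account names and the thresholds are all assumptions) and pivots on the source address rather than the account, flagging any source that fails against many distinct accounts while staying under the lockout threshold, and listing the accounts that source did manage to log into.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events, not taken from the article.
# Format per line: ISO timestamp, account, source address, result.
# 203.0.113.5 sprays two guesses across eight accounts and gets into "heidi".
# 198.51.100.7 is a user mistyping their own password; 192.0.2.9 hammers one
# account and would be caught by ordinary per-account lockout.
SAMPLE_LOG = """\
2018-03-20T09:00:01 alice 203.0.113.5 FAIL
2018-03-20T09:00:03 bob 203.0.113.5 FAIL
2018-03-20T09:00:05 carol 203.0.113.5 FAIL
2018-03-20T09:00:07 dave 203.0.113.5 FAIL
2018-03-20T09:00:09 erin 203.0.113.5 FAIL
2018-03-20T09:00:11 frank 203.0.113.5 FAIL
2018-03-20T09:00:13 grace 203.0.113.5 FAIL
2018-03-20T09:00:15 heidi 203.0.113.5 SUCCESS
2018-03-20T09:05:01 alice 203.0.113.5 FAIL
2018-03-20T09:05:03 bob 203.0.113.5 FAIL
2018-03-20T09:05:05 carol 203.0.113.5 FAIL
2018-03-20T09:05:07 dave 203.0.113.5 FAIL
2018-03-20T09:12:00 dave 198.51.100.7 FAIL
2018-03-20T09:12:20 dave 198.51.100.7 FAIL
2018-03-20T09:12:40 dave 198.51.100.7 SUCCESS
2018-03-20T09:30:00 victor 192.0.2.9 FAIL
2018-03-20T09:30:10 victor 192.0.2.9 FAIL
2018-03-20T09:30:20 victor 192.0.2.9 FAIL
2018-03-20T09:30:30 victor 192.0.2.9 FAIL
2018-03-20T09:30:40 victor 192.0.2.9 FAIL
2018-03-20T09:30:50 victor 192.0.2.9 FAIL
"""

LOCKOUT_THRESHOLD = 5        # assumed per-account lockout setting
MIN_DISTINCT_ACCOUNTS = 5    # assumed: accounts one source must fail against to count as a spray
WINDOW = timedelta(hours=1)  # assumed: spray activity is judged within this span


def parse_log(text):
    """Parse the four-column log format into (timestamp, account, source, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, result = line.split()
        events.append((datetime.fromisoformat(ts), account, source, result))
    return events


def detect_spray(events, lockout=LOCKOUT_THRESHOLD,
                 min_accounts=MIN_DISTINCT_ACCOUNTS, window=WINDOW):
    """Flag sources whose failures are spread thinly across many accounts.

    Per-account lockout only sees the handful of failures each account receives,
    so its counter never trips; grouping by source instead exposes the spray.
    """
    failures = defaultdict(lambda: defaultdict(int))   # source -> account -> failures
    successes = defaultdict(set)                        # source -> accounts logged into
    first_seen, last_seen = {}, {}
    for ts, account, source, result in events:
        first_seen.setdefault(source, ts)
        last_seen[source] = ts
        if result == "FAIL":
            failures[source][account] += 1
        elif result == "SUCCESS":
            successes[source].add(account)

    findings = {}
    for source, per_account in failures.items():
        if last_seen[source] - first_seen[source] > window:
            continue
        distinct = len(per_account)
        max_per_account = max(per_account.values())
        # Many accounts, each below the lockout threshold: the spray signature.
        if distinct >= min_accounts and max_per_account < lockout:
            findings[source] = {
                "accounts_targeted": distinct,
                "max_failures_per_account": max_per_account,
                "possibly_compromised": sorted(successes[source]),
            }
    return findings


if __name__ == "__main__":
    for source, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{source}: {info}")
```

On the sample, only 203.0.113.5 is reported: seven accounts with at most two failures each, and a successful login to "heidi" that should be treated as a probable compromise. The single-account sources are left to the lockout mechanism, which already handles them. In a real environment the same grouping can be done in a SIEM query, and the source key may need to be broadened (a /24, an ASN, or a user-agent) because sprays are often distributed across many addresses.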
These attacks are yet another reminder of how important it is to continue to spread awareness across your organization so that all employees can help protect themselves and the organization. This is a good opportunity to review your organizational password policies for all systems, including e-mail, and ensure they align with current best practices, the PCI DSS requirements, or the latest NIST guidelines. Teach staff to set strong passwords, and implement password security features such as a maximum number of attempts, forced changes after 90 days, etc. These simple steps can help protect against a spray attack on your accounts. As hackers continue to target individuals, you may also want to reconsider the benefits of implementing multi-factor authentication (MFA) on any systems that allow access to sensitive information.
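Complexity rules alone do not stop a spray, because the passwords a spray tries (a common word, a season or month plus the year, the company name) usually satisfy them. The check below is an added example, not code from the article, showing the kind of screen a password-change process can apply in line with the NIST guidance the paragraph mentions: a deny list of common passwords (the list here is a constructed stand-in for a real breached-password corpus), a pattern test for season-or-month-plus-year passwords, and a test for the organization's own name (the name and the minimum length are assumptions). It returns every reason a candidate fails so the user can be told what to change.

```python
import re

# Constructed deny list for illustration only; a production check would use a
# large corpus of breached and commonly used passwords, as NIST SP 800-63B recommends.
DENY_LIST = {"password", "password123", "welcome1", "letmein", "qwerty123", "changeme"}

# A season or month name, a two- or four-digit year, and optional trailing punctuation:
# the shape that satisfies complexity rules yet is an obvious first guess.
SEASON_YEAR_RE = re.compile(
    r"^(spring|summer|fall|autumn|winter|january|february|march|april|may|june|"
    r"july|august|september|october|november|december)(19|20)?\d{2}[^a-z0-9]*$"
)

# Undo the usual character substitutions so "P@ssw0rd" is compared as "password".
LEET = str.maketrans("0134@$5", "oieaass")


def _variants(lower):
    """Forms of a password that the deny list should be matched against."""
    core = re.sub(r"[^a-z]+$", "", lower)  # drop trailing digits and punctuation
    return {lower, lower.translate(LEET), core, core.translate(LEET)}


def check_password(candidate, org_name="examplecorp", min_length=8):
    """Return the list of policy violations for a candidate; an empty list means accepted.

    org_name is an assumed placeholder for the organization's own name.
    """
    reasons = []
    lower = candidate.lower()
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if _variants(lower) & DENY_LIST:
        reasons.append("matches a commonly used password")
    if SEASON_YEAR_RE.match(lower):
        reasons.append("season or month followed by a year")
    org = org_name.lower()
    if org in lower or org in lower.translate(LEET):
        reasons.append("contains the organization name")
    return reasons


if __name__ == "__main__":
    for pw in ["Spring2018!", "P@ssw0rd123", "ExampleCorp2018!", "correct horse battery staple"]:
        verdict = check_password(pw)
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Note that "Spring2018!" and "P@ssw0rd123" both pass a typical length-plus-three-character-classes rule and are rejected here only because of the deny list and pattern checks; the long passphrase with no digits or symbols is accepted. The same function can be run over a dump of existing password hashes by hashing each candidate and comparing, which gives an audit of weak passwords without anyone ever having to attempt a login.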
Continued awareness training and phishing tests can also help train staff to identify a phishing e-mail, to be diligent about verifying the URLs of websites before clicking, and to report suspicious messages to the appropriate authority.
Some additional guidance from our Penetration Testing team is below:
[Wallace]: Password spraying continues to be a very effective method for attackers to gain access. For example, the password Spring2018! meets most organizations’ password complexity requirements, but it is a very easy password to guess as an attacker. Even in a smaller organization, how many of your users do you think have this password? Password spraying your own organization can serve as an extremely effective password auditing tool, and identify these weak passwords before attackers do.
[Sullivan]: Users are inundated with so many legitimate and phishing emails on a daily basis that poor security practices are often followed just to keep work flowing. As administrators, it is crucial to implement administrative and technical controls that help make their lives easier. Regularly auditing account permissions and password strength, implementing strong email filters, and routine training can help reduce the burden on your users and bolster your organization’s defenses.