A few months ago we shared an article about the hundreds of colleges and universities that fell victim to the Mabna attacks. These criminals were able to infiltrate most systems with a common and simple attack method known as password spraying.
What is Password Spraying?
You may be familiar with brute-force attacks, in which a hacker targets a single account by submitting hundreds or thousands of candidate passwords. The problem with this type of attack, from the attacker's point of view, is that with the appropriate technical controls in place the account quickly locks after a handful of failed attempts and an alert goes to the organization’s security team.
The bad guys are smarter now and have shifted their strategy to password spraying. In a password spray attack, a hacker tests a single password against many user accounts within an organization. They use common passwords like Spring2018 and Password123 that, unfortunately, many users are still falling back to. If the first pass is not successful, they try again with a different password, usually waiting about 30 minutes or so between passes so that no single account accumulates enough failures to trigger a time-based lockout. Because each account sees only one or two failed attempts per pass, the activity stays under the lockout threshold, yet by hitting a large number of accounts the attacker is likely to gain access to some percentage of them.
Typical Victim Environment
Common targets for password spraying include organizations using single sign-on (SSO), cloud-based applications using federated authentication protocols, and organizations that have not yet deployed multifactor authentication. E-mail applications are a frequent target because, once a cloud-hosted e-mail account is compromised, the attacker can download the user’s e-mail, pull company address lists, and create inbox rules that forward sent and received messages to an external account.
How it Works
- Criminals will first collect a list of names and e-mail accounts within the targeted organization through simple Internet searches. They may also use social engineering tactics to identify specific user accounts through avenues like LinkedIn.
- Next, they attempt to obtain unauthorized access to as many accounts as possible.
- If they do successfully access an initial group of accounts, they can use those to locate global address lists and perform additional password spray attempts against the larger group of accounts.
Statistics show that even though the most common passwords are in use on only 0.5-1.0% of accounts, attackers will typically get a few successes for every thousand accounts attacked. Once they have access to those accounts, the hackers will attempt to move laterally within the network and download as much data as possible.
How to Identify an Attack
Indicators of a password spray attack include:
- A significant spike in failed login attempts against the enterprise SSO system or web-based applications, spread across many different accounts rather than concentrated on one. Attempts may originate from a single IP address or computer and will run over a period of time, often in bursts separated by the pause between password guesses.
- Employee logons from IP addresses resolving to locations that differ from their normal locations.
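The first indicator above has a recognizable shape in authentication logs: one source failing against many distinct accounts, with only a few attempts per account, which is the opposite of a brute-force attack on a single account. The script below is an added example (not from CampusGuard or the original article) that scans constructed sample log lines for that shape; the window and count thresholds are assumptions to tune per environment, and the one-hour window is chosen to cover the roughly 30-minute pacing between passes described earlier.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "timestamp source_ip user result" (not real data).
SAMPLE_LOG = """\
2018-05-01T09:00:05 198.51.100.7 alice FAIL
2018-05-01T09:00:09 198.51.100.7 bob FAIL
2018-05-01T09:00:14 198.51.100.7 carol FAIL
2018-05-01T09:00:20 198.51.100.7 dave FAIL
2018-05-01T09:00:25 198.51.100.7 erin SUCCESS
2018-05-01T09:01:00 203.0.113.9 alice FAIL
2018-05-01T09:01:03 203.0.113.9 alice FAIL
2018-05-01T09:01:07 203.0.113.9 alice FAIL
2018-05-01T09:05:00 192.0.2.44 grace FAIL
2018-05-01T09:05:30 192.0.2.44 grace SUCCESS
"""

def parse(text):
    """Turn log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_sprays(events, window=timedelta(hours=1), min_users=4, max_per_user=3):
    """Map source IP -> sorted accounts for sources whose failures inside one window
    hit >= min_users distinct accounts with no account tried > max_per_user times."""
    fails = defaultdict(list)            # ip -> [(ts, user), ...] for failures only
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    alerts = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):   # slide the window start
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            # Many accounts, few tries each: spray shape. A single account with
            # many tries (the 203.0.113.9 lines) is brute force and is not flagged.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[ip] = sorted(per_user)
                break
    return alerts

if __name__ == "__main__":
    for ip, users in find_sprays(parse(SAMPLE_LOG)).items():
        print(f"possible password spray from {ip}: {users}")
```

On the sample data only 198.51.100.7 is reported; a real deployment would feed this the SSO or mail gateway failure log and correlate the flagged source with the successful logon that follows the spray.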
How to Prevent Password Spraying
To help prevent a password-spraying attack against your employees, your IT team can implement one or more of the following strategies:
- Use multi-factor authentication (MFA)
- Review password policies to ensure they align with the latest NIST guidelines
- Educate users to use strong, difficult-to-guess passwords
- Review Help Desk recommendations related to password resets for user lockouts
- Establish a list of banned passwords – research commonly used passwords (including seasonal patterns like Spring2018) and deny users the ability to choose them during initial set-up and resets
- Use IT resources or engage with a third party to perform ongoing password spray tests against your employee accounts
For questions about this type of attack, or to engage with CampusGuard’s Penetration Testing Team to discuss options for password spray testing, contact us.
Some additional guidance from the Penetration Testing team is below:
[Sullivan]: While password complexity rules can help users create stronger passwords, they still tend to look for the easiest way to comply with the rules with the least amount of effort, which leads to predictable passwords. Centralized logging and alerting, not connecting sensitive login systems to the internet, and blacklisting common passwords can help detect and prevent the effectiveness of this technique.