Password Spraying Hacker Attacks: Department of Homeland Security Warning
by D. Howard Kass • Aug 13, 2019
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is advising users and administrators to be on the lookout for password spraying attacks.
CISA’s bulletin is based on an advisory issued by the Australian Cyber Security Centre (ACSC). Password spraying is a fling-mud-against-the-wall type of brute-force attack in which a malicious actor uses a single password against targeted user accounts before trying other passwords until one works. The tactic enables the hacker to remain undetected by avoiding rapid or frequent account lockouts. Attacks are typically launched against businesses and other organizations.
“The password spray attacks target users on standard corporate external services such as webmail, remote desktop access, Active Directory Federated Services (ADFS) or cloud based services such as Office 365,” the advisory reads. “Depending on the credentials and service, successful authentication can potentially lead to the actor gaining access to corporate emails, the corporate directory, global address books, remote desktop services or administrative access.”
Here are some techniques the ACSC is suggesting to detect password spraying attacks. The ACSC recommends organizations create alerting rules in their Security Information and Event Management (SIEM) solutions predicating on the following:
- High number of authentication attempts within a defined period of time. Typically during a password spray attack the amount of failed attempts over a period of time will be significantly higher than normal failed login events.
- Large number of bad usernames. Some password spray attacks may be attempted using generic username lists or a username generators.
- High number of account lockouts over a defined period of time. Some actors may try multiple passwords per account without regard or awareness of the lock-out policy, leading to corporate accounts being locked out.
- In the case of using Microsoft cloud infrastructure. Review standard users authenticating with Azure Active Directory PowerShell. Standard controls in Office 365 allow any user to use PowerShell to authenticate with your Microsoft Azure services.
- Look at the ratio of login success verses login failure per IP address. Examine the ratio of failures versus successes per IP address and determine if an IP has a significantly high login failure rate.
Organizations can reduce the impact of password spray attacks with the following recommendations:
- Implement multifactor authentication (MFA) on all external access systems. MFA is highly effective at mitigating brute force and password spray attacks due to the additional complexity injected to the authentication process.
- Enforce complex passwords as well as a strong password reset policy. Weak and popular passwords are targeted through this form of attack so enforcing strong passwords will decrease the likelihood of successful authentication.
- Increased alerting and monitoring. Be certain that your IT team or SIEM solution has the ability to perform correlation of logs from multiple sources such as threat intelligence. This will enable organisations to detect and actively block password spraying against your externally facing services.
- Assess whether it is possible to place additional security controls to prevent unauthorized access such as geo blocking, IP whitelisting or requiring users to first connect via a Virtual Private Network (VPN).
- Reset credentials of affected accounts. Resetting affected user account credentials in line with a strong password policy can prevent repeated malicious access to a compromised account.