An Overview on Password Spraying

Post author: Sameer Zama
Post published: April 2, 2019

An Overview on Password Spraying Attacks and Defending Against Them

Earlier this month, the software giant Citrix had its internal network compromised and breached by a group of international cyber criminals who identify themselves as IRIDIUM, an Iranian-based hacker group. When the FBI informed the company about the breach, it mentioned in its initial analysis that the hackers had most likely used a technique called 'password spraying' to exploit weak passwords on privileged accounts. As in any other attack lifecycle, once the hackers had achieved the initial compromise and established a foothold in the target network, they worked to escalate privileges further and carried out internal reconnaissance to access and download sensitive internal business documents, all while quietly maintaining their presence until the FBI disclosed the attack and informed the company.

While internal and external investigations are still ongoing to identify exactly which documents and information the attackers accessed, what catches the eye of security researchers and investigators is the increasing use of one brute-force style of attack against organizations: password spraying.

We all know the typical brute-force attack: take the username of the target account and try it with many different passwords using tools. The password list could be a list of standard, prevalent passwords or simply an algorithm that mixes characters randomly to produce candidates. So what makes password spraying different? To put it simply, rather than brute-forcing the standard passwords against a single target account, the attackers try the technique across multiple accounts to gain hold of any privileged accounts and assets they can. They generate a list of target accounts and try the commonly used passwords against each of them.
Below is a good example [1]:

Sample Target            Target Password
[email protected]          Sunshine
[email protected]          Sunshine
[email protected]          sunshine
…                        …
[email protected]          Password1
[email protected]          Password1
[email protected]          Password1
…                        …

This technique evades detection quite easily because, unlike regular brute force, each attempt appears to existing detection systems as an isolated failed login. With regular brute force there is usually a limit on the number of failed login attempts for every account, which means attackers cannot try one target account with many different password combinations because of the lockout mechanism.

This attack might seem quite basic. But remember that we are talking about enterprise environments and large organizations, where even a single compromised privileged account can give attackers the leverage to move laterally across the network and gain complete access. That is exactly why it should not be underrated and why the necessary steps should be taken.

How do we defend?

The Cybersecurity and Infrastructure Security Agency (CISA) of the United States Department of Homeland Security recently published an article which briefly covers the different solutions and recommended mitigations for defending against password spraying attacks. Among them: ensure password policies are in place as per the latest NIST guidelines, and review password management for shared accounts and user lockout settings. [2] Apart from these, the most effective and recommended way to defend against and prevent such attacks is to have a good multi-factor authentication (MFA) solution in the organization's infrastructure.

How can multi-factor authentication solutions help organizations?

MFA makes it harder for attackers to get in.
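The per-account lockout counter described above is exactly what a spray stays under, so a detector has to group failures by source and count distinct accounts instead. The following is an added example, not code from the original post; it assumes constructed log lines of the form shown (timestamp, source, user, result) and hypothetical thresholds of five accounts within ten minutes and a five-strike lockout.

```python
"""Flag password spraying: one source, many accounts, few failures each,
the pattern a per-account lockout counter cannot see."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not real data): 203.0.113.5 sprays five accounts then
# succeeds on one; 198.51.100.9 hammers one account; 192.0.2.77 is a user typo.
SAMPLE_LOG = """\
2019-04-02T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-04-02T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2019-04-02T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2019-04-02T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2019-04-02T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2019-04-02T10:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2019-04-02T10:01:00Z src=198.51.100.9 user=alice result=FAIL
2019-04-02T10:01:02Z src=198.51.100.9 user=alice result=FAIL
2019-04-02T10:01:04Z src=198.51.100.9 user=alice result=FAIL
2019-04-02T10:05:00Z src=192.0.2.77 user=grace result=FAIL
"""

def parse(line):
    # Split one 'ts src=.. user=.. result=..' line into a sortable tuple.
    ts, src, user, result = (field.split("=")[-1] for field in line.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result

def find_sprays(log_text, window=timedelta(minutes=10), min_accounts=5, lockout=5):
    """Return {src: sorted accounts} for sources that fail against at least
    `min_accounts` distinct accounts inside `window` while staying under the
    per-account `lockout` threshold on every one of them."""
    fails = defaultdict(list)
    for ts, src, user, result in sorted(map(parse, filter(None, log_text.splitlines()))):
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, events in fails.items():
        start = 0
        for end in range(len(events)):  # sliding window over this source's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout:
                hits[src] = sorted(per_user)
                break
    return hits

def successes_from_sprayers(log_text, sprays):
    """Accounts a flagged source also logged into: treat as likely compromised."""
    return sorted({user for _, src, user, result in map(parse, filter(None, log_text.splitlines()))
                   if result == "SUCCESS" and src in sprays})
```

The single-account hammering from 198.51.100.9 is deliberately not flagged here; the per-account lockout already handles it, and the point is to catch what that lockout cannot.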
It strengthens security by requiring users to provide extra information, or factors, unique to what the user knows, is or has. Even with the correct username and password combination, hackers cannot break in if an additional piece of information is required. Nowadays, many organizations think that standalone solutions can better secure their resources and mitigate the risks. There are even solutions that allow MFA to be implemented for a specific set of users or a particular group of applications across the organization.

However, a solution is not good enough yet if it is not smart enough, right? Traditional MFA is either "on" or "off", which results in constant prompting for an additional factor that can annoy users. Nowadays there are MFA solutions that are 'adaptive' and act 'risk-based'. This means the solution leverages analytics and advanced machine learning to challenge users with MFA based on pre-defined conditions such as location, device, day of the week, time of day or even risky user behavior.

To conclude…

The steps, suggestions and references mentioned in this blog can help your organization maximize security against password spraying and similar attacks. Again, the emphasis is on having better, hard-to-guess passwords for every user, ensuring tools to detect and prevent these attacks are in place, regularly reviewing your password policies against industry standards and, last but not least, ensuring you have a good multi-factor authentication solution implemented. It's time to change the way you think about passwords.

References:

[1] https://www.microsoft.com/en-us/microsoft-365/blog/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/
[2] https://www.us-cert.gov/ncas/alerts/TA18-086A