adNET Academy Blog

New Threat Alert From The FBI – Password Spraying

Written by Ryan Howarter | May 10, 2018 9:42:00 AM

7 Steps To Protect Yourself

You probably use a number of personal identification numbers (PINs), passwords, and passphrases to get money from ATMs, to use your debit card when shopping, or to log in to your personal or business email. Hackers represent a real threat to both your personal and business password security and confidential information. Now, these criminals are using a technique called Password Spraying to steal your information.

According to information derived from FBI investigations, malicious cyber actors are increasingly using password spraying against organizations in the United States and abroad. In February 2018, the Department of Justice in the Southern District of New York indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses. However, password spraying isn’t limited to this group. Other hackers are using it to gain access to both personal and business confidential information.

Manhattan U.S. Attorney Geoffrey S. Berman said: “Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code. As alleged, this massive and brazen cyber-assault on the computer systems of hundreds of universities in 22 countries, including the United States, and dozens of private sector companies and governmental organizations was conducted on behalf of Iran’s Islamic Revolutionary Guard. The hackers targeted innovations and intellectual property from our country’s greatest minds. These defendants are now fugitives from American justice, no longer free to travel outside Iran without risk of arrest. The only way they will see the outside world is through their computer screens, but stripped of their greatest asset – anonymity.”

How Does Password Spraying Work?

Password spraying is a type of brute force attack where hackers use a username with multiple passwords to gain access to your IT system. With traditional brute force attacks, the criminal uses one username with multiple passwords. Employing a lockout functionality, which locks the criminal out after a set number of login attempts, is an effective means of dealing with traditional brute force attacks.

However, with a password-spray attack (also known as the “low-and-slow” method), the malicious cyber actors use a single password against many accounts before moving on to another password. They continue this process until they find one that works. This strategy works for them because they can avoid account lockouts. It circumvents lockout functionality by using the most common passwords against multiple user accounts until they find one that works.

Password spraying targets single sign-on (SSO) and cloud-based applications using federated authentication. A federated authentication identity provides single access to multiple systems across different enterprises. Criminals target federated authentication protocols because it disguises their activities and ensures their anonymity.

Attackers use password spraying in environments that don’t use multi-factor authentication (MFA), rely on easy-to-guess passwords, or use SSO with a federated authentication method.

 

Your Email Is Also At Risk

Hackers also prey on email accounts that use inbox synchronization (which pulls emails from the Cloud to inboxes on remote devices). Malicious actors use inbox synchronization to obtain unauthorized access to your organization’s email directly from the Cloud. Then they download email to locally stored files, identify your company’s email address list, and secretly apply inbox rules to forward your sent and received messages to them.

The United States Computer Emergency Readiness Team (US-CERT) details how hackers use password spraying, what you should watch out for, who is at risk, and the impact this type of attack can have on your organization.

Your Technology Service Provider can explain this to you and your employees in plain language, and help you protect your organization against password spraying and other attacks.

 Traditional Tactics Techniques & Procedures

  • Using social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray
  • Using easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
  • Leveraging the initial group of compromised accounts, downloading the Global Address List (GAL) from a target’s email client, and performing a larger password spray against legitimate accounts
  • Using the compromised access, attempting to expand laterally (e.g., via Remote Desktop Protocol) within the network, and performing mass data exfiltration using File Transfer Protocol tools such as FileZilla

Indicators That You’ve Been Attacked

  • A massive spike in attempted logins against the enterprise SSO portal or web-based application;
  • Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String).
  • Attacks have been seen to run for over two hours.
  • Employee logins from IP addresses resolving to locations inconsistent with their normal locations.

Typical Victim Environment

The vast majority of known password spray victims share some of the following characteristics:

  • Use SSO or web-based applications with the federated authentication method
  • Lack multifactor authentication (MFA)
  • Allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)
  • Use inbox synchronization, allowing email to be pulled from cloud environments to remote devices
  • Allow email forwarding to be set up at the user level
  • Limited logging setup creating difficulty during post-event investigations

The Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption of regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization’s reputation.

7 Steps You Can Take To Mitigate Password Spraying Attacks

  1. Enable MFA and review MFA settings to ensure coverage overall active, internet facing protocols.
  2. Review password policies to ensure they align with the latest NIST guidelines and deter the use of easy-to-guess passwords.
  3. Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align with company policy, creating an exploitable security gap.
  4. Many companies offer additional assistance and tools that can help detect and prevent password spray attacks, such as the
  5. Make sure your employees change their corporate passwords every 60 days.
  6. Establish a password policy that prohibits easy-to-guess passwords. Enable multi-factor authentication (MFA) for all web-based applications. If MFA practice is already in place, review current protocols thoroughly to ensure it is maintained well
  7. Ask your Technology Solutions Provider to conduct Security Awareness Training for your employees at all levels.

The FBI Reporting Notice

The FBI would like you to report any suspicious or criminal activity to your FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov.

Your report should include:

  • The date,
  • Time,
  • Location,
  • Type of activity,
  • Number of people affected,
  • Type of equipment used for the activity,
  • The name of your company or organization, and
  • A designated point of contact.