28.04.2022 Password spraying attacks: Tips for detection and prevention

by Katie Yahnke

Between brute force, credential stuffing, and password spraying attacks, password security is still top of mind for global IT professionals.

Cyber criminals have become more skilled at cracking passwords and gaining access to networks. These attacks, especially when they result in high-profile compromises, are reminders to implement strong password policies and best practices.

Take the notable SolarWinds hack, for example, which allegedly stemmed from an intern using “solarwinds123” as a password and then sharing those credentials internally. 

Passwords are a cyber security problem, not solution

The issue with passwords is that they’ve become the cyber security problem rather than the solution. 

Passwords are intended to protect sensitive information from bad actors. The problem? The average person now has too many accounts to keep track of. Each set of credentials should be unique, and we’re supposed to memorize them all.  

Everyone has struggled with passwords and password management at some point. We’ve all used a password too similar to another one or something predictable, like a pet’s name. We may even think that adding a number to the end of the password would trick an attacker. 

For decades, we have relied on passwords to keep hackers out. Today, hackers use passwords to get in. Attacker capabilities and tools have evolved drastically. Computers are far faster today at guessing passwords. Attackers have automation to attack password databases or online accounts. They’ve also mastered specific techniques and strategies that yield more success. 

Types of password-based cyber attacks 

Users know the importance of using complex passwords. Organizations know the importance of enforcing security measures and appropriate policies. And yet, these types of attacks are still effective.

By knowing how attackers exploit passwords, we can all better understand the importance of password security.

Keep hackers out of your accounts.

Learn five expert tips for choosing stronger passwords.

Download Now

During a password attack, the cyber criminal attempts to exploit weak or common passwords to gain access to the account. They’ll use various tactics, techniques, and procedures to achieve this goal, including brute force attacks and password spraying. 

Brute force attacks  

A brute force attack is often the easiest way for cyber criminals to access a site or server. They use a trial-and-error method of username and password combinations again and again until gaining entry. 

Attackers use this method to target a single account by guessing the password. Due to the repetitive action, brute force attacks are compared to an army attacking a fort. 

These types of attacks may be supported by automation. Credential stuffing is a form of brute force that depends on automated tooling to test passwords and usernames across multiple sites.  

Account lockout policies are a response to traditional brute force attacks and prompt the account to lock after several—often three or five—failed login attempts. Microsoft explains that “limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks.” 

Key logger or keystroke attacks 

A key logger or keystroke attack uses a program to track and record a user’s keystrokes, giving the attacker access to any account the victim logs into while the key logger program is running.  

This type of attack differs from a traditional brute force attack because the cyber criminal depends on sophisticated malware to record the keystrokes. This means that the attacker must first trick the user into downloading the malware—often using a phishing email to get them to click on a link or download a file—and then review the victim’s keystrokes to gain access to accounts. 

Password spraying attacks 

Password spraying is a high-volume attack in which the threat actor takes one (often weak or common) password and tests it against as many accounts as they can. It’s the opposite of a brute force attack—instead of cycling through passwords with the same username, they cycle through usernames with the same password. 

The attack focuses on quantity over quality. If a threat actor is looking to gain initial foothold in an organization, they can achieve this with only one compromised account. 

One advantage of this method is the attacker can test many passwords without triggering an account lockout policy. When an attacker targets many accounts, there is a greater chance that some users will have common passwords in place and can be breached. 

Step one: Get a list of usernames 

The first step in a password spraying attack is to obtain a list of usernames, which is easier than you’d think. Most companies follow a common convention for accounts, [email protected] or using the employee’s first initial followed by their last name are two popular options. 

If the attacker gets one employee’s email address, they can apply that pattern using the names of others at the organization (which, thanks to social media, are easily found). Alternatively, the attacker might gain access to an employee directory which serves all that information on a silver platter.    

Step two: Get a list of passwords 

The second step is to get a list of common passwords, which is even easier than step one. In fact: here’s a list of common passwords from last year. Here’s another list. And another. The attacker may get more specific and use the organization’s geographic location to guess a few other common passwords (if the organization is in Toronto, for example, then bluejays or leafs may be more widely used).  

Step three: Find a combination that works 

The third step is to test those common passwords on their list of usernames. Password spraying is effective because many users use the same predictable passwords. Eventually, the attacker will crack the code. 

The attacker only needs one successful combination to gain access to an account. Then, they can do some reconnaissance, launch other attacks such as business email compromise, exfiltrate data, or carry out other activities that further their goal. 

Is password spraying a common cyber attack? 

Password spraying might seem amateurish compared to other cyber attack techniques, but even highly sophisticated and well-resourced cyber crime groups use it. 

In February 2022, the Cybersecurity & Infrastructure Security Agency (CISA) issued an alert about state-sponsored cyber actors, listing several common but effective tactics they’ve been using to gain access to victim networks—including password spraying.   

Talking about their goals, “these actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data.”   

The Microsoft Detection and Response Team (DART) and threat intelligence teams have also seen a notable increase in the use of password spraying. They reasoned that software has become more intelligent at detecting abnormal activity or vulnerabilities, so attackers are breaking into identities instead of systems. It makes sense; computers are often much better at detecting abnormalities than humans. 

Getting specific, MITRE acknowledged that APT28—a widely known Russian cyber espionage group—has used brute force and password spray tooling in attacks before.  

Signs of password spraying attacks 

The CISA alert above recommended that organizations may be able to detect password spraying activity by reviewing “authentication logs for system and application login failures of valid accounts.” Password spraying attacks may cause “frequent, failed authentication attempts across multiple accounts.” 

Look for sudden spikes in the number of failed login attempts or locked accounts. You may also notice that former employees or invalid usernames are trying to log in, which may signal the cyber criminal has an outdated or inaccurate employee directory.   

Cyber criminals may intentionally target specific groups of employees—finance, administrators, and the C-suite. Targeted approaches can yield better results for the threat actor. 

They may often target companies or departments using single sign-on (SSO) or federated authentication protocols (the ability to log in to Facebook with your Google credentials, for example), or that have not deployed multi-factor authentication. 

Think you’re under cyber attack? 

If you suspect you or someone in your organization has been the victim of password spraying, it’s critical to act fast. Depending on whose account was breached, the threat actor may have access to confidential corporate data, personally identifiable or financial information of customers, or worse. 

The first thing to do is reach out to a cyber security company that offers digital forensic and incident response (DFIR) services. They will identify the origin of the breach, which accounts are compromised, and how to proceed with the recovery.   

How to defend against password spraying attacks 

To protect your network and users against password spraying attacks, we recommend the following best practices: 

Offload some of that password burden 

Using strong, unique passwords is probably the most recommended cyber security best practice. And yet, many continue using “111111,” “123456,” and “qwerty” as their passwords.  

It’s clear why many people choose to overlook this easy tip: simple passwords are easier to remember. There’s no possible way to memorize complex passwords for every account. 

So, what’s the solution? 

Use a password manager to generate, manage, and store all your unique credentials. These tools combine complexity and length to offer up hard-to-crack passwords. They also eliminate the burden of having to remember different login details. 

Putting all your details into a password manager can be time-consuming. Especially if you need to go back and change passwords to something stronger. Set aside an afternoon for some digital spring cleaning. Import your credentials to a password manager, strengthen existing passwords, and delete old accounts you don’t use. 

Then for every new account you make, let the password manager do its job. 

Add extra layers of authentication 

Multi-factor authentication (MFA) is another highly recommended best practice and even becoming a default setting. MFA adds an extra layer of security because if someone guesses your password, you’ll have to approve the login.  

There are three main forms of authentication we see today:  

  • Passwords, passphrases, or personal identification numbers  
  • Hard tokens (USB key) or soft tokens (text message or notification from an authenticator app)  
  • A unique biometric characteristic (fingerprint or face ID)  

When used as part of a complete approach to cyber security, MFA can prevent up to 99.9% of all automated cyber attacks and 75% of targeted attacks. 

Despite all the value and security MFA provides, many companies still don’t use it. It’s hard to get an organization to adjust to technological changes, but this one is necessary.  

Reduce your company’s threat surface 

Organizations with an open security model, where all users on a network have equal access to confidential information, are increasing their risk of a cyber attack. The more people with access to private systems are more target opportunities for cyber criminals. 

Reduce your threat surface by regularly reviewing and reducing the number of users with access to certain places or data. Remove old accounts belonging to former employees. 

People’s behaviour is probably one of the biggest threat surfaces in any organization. Investing in cyber awareness training is imperative, and an Employee Cyber Security Handbook is a great place to start.

It’s routine to show new employees the leave form during onboarding. Cyber security training should be routine too. Tell them about the password policy. Can employees identify malicious emails? Will they know what to do when they receive one? Don’t overlook the importance of cyber security training and awareness. 

Detect and stop cyber threats in real-time 

The best way to keep your organization secure is to monitor your network, cloud-based services, and endpoints for cyber threats such as password spraying. That may seem like a colossal undertaking given all the data generated in a single hour. The right software makes it easy.  

Covalence combines intelligent technology with a team of true security experts to quickly detect cyber threats and vulnerabilities across your entire business. In addition to network and endpoint security, Covalence works with Microsoft 365, Google Workspace, Amazon Web Services, Dropbox, and various other cloud-based services to defend all your accounts against password spraying. 

What’s more, password-based attacks are just the tip of Covalence’s threat detection iceberg. Find out why businesses globally choose Covalence as their holistic cyber security solution. 

 

Request Demo

Fill out the form and we will send you details about our demo.