While there is no doubt that hackers are becoming more sophisticated in the tools and approaches they use, they still rely on relatively simple, "brute force" methods to breach computer networks. For example, the U.S. Computer Emergency Readiness Team (US-CERT), the Department of Homeland Security (DHS), and other U.S. government agencies have warned of a massive new wave of password spraying attacks, many of them emanating from state-sponsored hacking groups looking for a way into the nation's critical infrastructure or at its intellectual property.
Why the rise in password spraying attacks?
One big reason password spraying attacks are on the rise is that they are easy to pull off, even for hacking groups with little or no insider knowledge of how an organization works or how its security controls are configured. Many people use very similar, easy-to-guess passwords along the lines of "password123." And even when prodded by security specialists or data protection experts to change a password, employees tend to make predictable edits that are just as easy to guess, such as turning "password123" into "password1234."
Armed with a short list of such passwords, hackers run "low and slow" campaigns that try a single password against as many accounts as possible before moving on to the next password. Once one password works on one account, they can set about exfiltrating data or sending email to other employees from the compromised mailbox. In this way, a foothold with limited access can quickly escalate into something that resembles a complex cyber-espionage operation.
It is tempting to assume these attacks need serious computing power, but password spraying is not computationally expensive: every guess is an ordinary login attempt against the target's own authentication service, so the limiting factor is time and rate limiting, not CPU. From the hacker's perspective, the "low and slow" approach across many accounts has a further advantage: it sidesteps account lockout. Lockout policies count failed attempts per account, so a single guess against each of a thousand accounts never trips a threshold that five guesses against one account would. Moreover, since most organizations generate email addresses from a standard template (e.g. the first initial followed by the last name), it is easy to guess valid usernames for employees. All that's left is to try a short list of commonly used passwords against them.
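To make the lockout-evasion point concrete, here is an added example, written for this article and not code from Citrix, US-CERT or any other party the page mentions. It runs two detectors in Python over a constructed authentication log: a conventional per-account lockout counter, which never fires on the sprayed accounts, and a per-source detector that counts distinct accounts inside a time window, which does. The log format, thresholds, usernames and IP addresses are all assumptions for the example.

```python
"""Spotting password spraying in authentication logs (added example).
A per-account lockout counter never fires on a spray, because each account
sees only one or two failures; grouping failures by source and counting
distinct accounts inside a time window does catch it."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log, not from any real system. Assumed line format:
# "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.7 sprays one password across ten accounts and finally succeeds,
# 198.51.100.5 is a user mistyping twice, 192.0.2.9 hammers a single account.
SAMPLE_LOG = """\
2019-03-01T09:00:01 203.0.113.7 asmith LOGIN_FAIL
2019-03-01T09:00:30 198.51.100.5 jdoe LOGIN_FAIL
2019-03-01T09:00:45 198.51.100.5 jdoe LOGIN_FAIL
2019-03-01T09:01:02 198.51.100.5 jdoe LOGIN_OK
2019-03-01T09:01:03 203.0.113.7 bjones LOGIN_FAIL
2019-03-01T09:02:00 192.0.2.9 admin LOGIN_FAIL
2019-03-01T09:02:05 203.0.113.7 cwhite LOGIN_FAIL
2019-03-01T09:02:10 192.0.2.9 admin LOGIN_FAIL
2019-03-01T09:02:20 192.0.2.9 admin LOGIN_FAIL
2019-03-01T09:02:30 192.0.2.9 admin LOGIN_FAIL
2019-03-01T09:02:40 192.0.2.9 admin LOGIN_FAIL
2019-03-01T09:03:07 203.0.113.7 dlee LOGIN_FAIL
2019-03-01T09:04:09 203.0.113.7 ekhan LOGIN_FAIL
2019-03-01T09:05:11 203.0.113.7 fgarcia LOGIN_FAIL
2019-03-01T09:06:13 203.0.113.7 gchen LOGIN_FAIL
2019-03-01T09:07:15 203.0.113.7 hpatel LOGIN_FAIL
2019-03-01T09:08:17 203.0.113.7 ikim LOGIN_FAIL
2019-03-01T09:09:19 203.0.113.7 jdoe LOGIN_FAIL
2019-03-01T09:10:21 203.0.113.7 kmiller LOGIN_OK
"""

class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool

def parse_log(text):
    """Parse the assumed log format into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user.lower(), result == "LOGIN_OK"))
    return sorted(events, key=lambda e: e.ts)

def locked_out_accounts(events, threshold=5, window=timedelta(minutes=15)):
    """Accounts a classic per-account lockout policy would block: `threshold`
    failures within `window`, with a successful login resetting the count.
    Sprayed accounts see one failure each, so they never get here."""
    recent = defaultdict(list)
    locked = set()
    for e in events:
        if e.ok:
            recent[e.user].clear()
            continue
        fails = recent[e.user]
        fails.append(e.ts)
        while e.ts - fails[0] > window:        # forget failures older than the window
            fails.pop(0)
        if len(fails) >= threshold:
            locked.add(e.user)
    return locked

def detect_spray(events, window=timedelta(minutes=30), min_accounts=8, max_per_account=2):
    """Flag source IPs whose failures within `window` spread across at least
    `min_accounts` distinct usernames with no more than `max_per_account` tries
    each: many accounts, few attempts per account, is the spraying signature.
    Returns {ip: (distinct_accounts, window_start, window_end)}."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e.ok:
            fails_by_ip[e.ip].append(e)
    alerts = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end, e in enumerate(fails):
            while e.ts - fails[start].ts > window:   # slide the window forward
                start += 1
            per_user = Counter(f.user for f in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[ip] = (len(per_user), fails[start].ts, e.ts)
    return alerts

def compromised_accounts(events, alerts):
    """Accounts that logged in successfully from a flagged source: the spray
    worked on these, so they are the ones to reset and investigate first."""
    return {ip: sorted({e.user for e in events if e.ok and e.ip == ip}) for ip in alerts}

EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("per-account lockout catches:", locked_out_accounts(EVENTS))
    alerts = detect_spray(EVENTS)
    print("spray sources:", alerts)
    print("accounts to reset:", compromised_accounts(EVENTS, alerts))
```

On this data the lockout policy blocks only "admin", the account being hammered from 192.0.2.9, while every sprayed account stays under its threshold. The per-source detector flags 203.0.113.7 after eight distinct usernames and, because the same source later logged in as "kmiller", identifies the account that actually needs a reset. In production the grouping key should also include the user agent or ASN, since spraying tools rotate source addresses.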
Password spraying attacks at Citrix
Given the human element of password management (i.e., people really don't like constantly generating new, hard-to-remember passwords), even companies that pride themselves on security can fall victim to password spraying. Recently, for example, the U.S. multinational software company Citrix, which provides server, application and desktop virtualization, networking and software-as-a-service (SaaS) products, was the victim of a password spraying attack. The company only found out when the FBI alerted it.
Remarkably, the hackers had what forensic investigators called "intermittent access" to Citrix systems for nearly six months, from October 2018 to March 2019. During that time they removed files and information from the company's computer systems. However, Citrix still isn't sure exactly what was taken. In one account, the hackers downloaded business documents; in another, they may have accessed sensitive personal information about employees, such as names and Social Security numbers.
In yet another scenario, from cybersecurity firm Resecurity, the hackers belonged to the Iranian group known as Iridium and were brute-forcing their way in to obtain source code that could later be used to infiltrate the networks of Citrix customers. In other words, the real target of the password spraying attack may not have been Citrix itself, but the thousands of organizations that rely on its remote access products. The Iranian attribution is at least consistent with the U.S. government's recent indictment of nine Iranian nationals from the state-sponsored hacking group known as the Mabna Institute, which is known for using password spraying attacks.
Putting an end to password spraying attacks
In the taxonomy of hacking approaches, password spraying belongs to the family of brute force attacks. A related technique is credential stuffing, in which username/password pairs leaked from earlier breaches and traded on the Dark Web are replayed against other services, betting that users reuse passwords. What these methods have in common is that they need no software vulnerability: the attacker simply guesses or replays credentials that the legitimate login path accepts.
Given how dependent brute force attacks are on passwords, it is no surprise that many information security experts (including those at Microsoft) advocate a "passwordless future." Instead of typing a password, you would unlock a credential bound to your device with something a remote hacker cannot guess, such as a fingerprint or retina scan, and the device would then prove possession of a cryptographic key to the service. Spraying becomes impossible because there is no shared secret on the server to guess.
Another option is multifactor authentication (MFA). The thinking here is that a password alone, whether typed directly or passed through single sign-on (SSO) and federated authentication, is too easy to compromise. With MFA, a hacker would need both your password and, say, your smartphone, and it is unlikely they have both. Two caveats for practitioners: MFA only helps if it is enforced on every login path, so legacy protocols that accept a bare username and password (basic-authentication IMAP, POP and SMTP endpoints, which spraying tools routinely target) need to be disabled; and factors that rely on a user approving a prompt can still be phished or worn down with repeated prompts, so phishing-resistant methods such as hardware security keys are preferable.
Ryan Wilk, VP of Customer Success for NuData Security, a Mastercard company, says, “The human element always plays a key role in cybersecurity protection and passwords are currently the weak link for some government agencies as well as businesses. Government agencies should adopt multilayered security technologies that include passive biometrics and behavioral analytics to detect non-human behavior both at the server and the endpoint. This allows these types of attacks to be quickly identified and mitigated even as bad actors change their strategy. These passive biometrics technologies also help verify that the right user is accessing the environment without requiring additional authentication steps, putting agencies back in control one step ahead of the bad actor.”
Of course, the most direct fix is to get rid of common and weak passwords entirely. Some organizations in the United States, for example, maintain lists of "banned passwords" and reject any new password that appears on them. Others impose composition rules, such as a minimum length or a required type of keyboard character, so that passwords are harder to guess. Length helps; character-class rules help less than they appear to, because users satisfy them with the same predictable edits described above, which is why current NIST guidance (SP 800-63B) favors screening candidates against lists of breached and common passwords over composition rules. It is for the same reason that the Department of Homeland Security warned against using common or easily guessed passwords.
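As an added example that is not part of the original article, the following Python shows how a banned-password check can be made to catch the predictable variants this page describes (the "password123" to "password1234" edit, and look-alike substitutions such as "P@ssw0rd"). The candidate is normalized before it is compared, so trivial edits collapse back to the banned core word. The banned lists, substitution table and 12-character minimum are assumptions for the example, not values from the article or from any vendor's product.

```python
"""Screening new passwords against a banned-password list (added example).
Comparing the raw string misses trivial variants, so the candidate is
normalized first: lower-cased, trailing digits and punctuation dropped,
common look-alike substitutions undone. "password1234" and "P@ssw0rd2019!"
both collapse to "password"."""
import re

# Constructed lists for illustration. A production deployment would screen
# against a large breach-derived list plus the organisation's own terms.
GLOBAL_BANNED = {"password", "welcome", "letmein", "qwerty", "iloveyou",
                 "monkey", "spring", "summer", "autumn", "winter"}
ORG_BANNED = {"citrix", "xenapp"}   # assumed: an org bans its own name and product names

# Deliberately small substitution table; real checkers use a much larger one.
LOOKALIKES = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                            "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(password):
    """Reduce a password to the core word an attacker would start from."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)    # password1234 -> password, Summer2019! -> summer
    return core.translate(LOOKALIKES)       # p@ssw0rd -> password

def banned_words_in(password):
    """Banned terms contained in the normalized password (substring match,
    so 'mypassword99' is rejected too). Empty list means clean."""
    core = normalize(password)
    return sorted(w for w in GLOBAL_BANNED | ORG_BANNED if w in core)

def check_password(password, min_length=12):
    """Return the reasons a candidate is rejected; [] means accepted.
    min_length=12 is an assumed local policy, not a value from the article."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    for word in banned_words_in(password):
        reasons.append(f"contains banned word '{word}' (normalized form: '{normalize(password)}')")
    return reasons

if __name__ == "__main__":
    for candidate in ["password123", "P@ssw0rd2019!", "Citrix2019", "Summer2019!",
                      "mauve-kettle-orbit-47"]:
        print(f"{candidate!r:25} -> {check_password(candidate) or 'accepted'}")
```

The substring match is intentionally aggressive (it also rejects "offspring-rally-42" because of "spring"), which is the right trade-off for a screening check: the cost of a false rejection is one more attempt by the user, while the cost of a false acceptance is an account that a spray will eventually find.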
Beware the changing tactics of hackers
The tactics hackers use continue to evolve. One popular option is the social engineering attack, and targeted phishing in particular. Unlike a password spraying attack, which can be run against just about any organization, a targeted social engineering attack relies on some "insider knowledge" of the organization. If you know the chain of command within a business unit, you can send specific individuals email with just enough context to convince them to click a link or open a piece of malware disguised as a business document. Once you control the mailbox of a senior executive, you can phish other employees from a trusted internal address, sidestepping the controls that stop external mail.
At the end of the day, security needs to be a dynamic, not a static, process. If you use passwords, enforce multifactor authentication. And, whatever else you do, work to reduce the time it takes to discover a new attack. In the case of Citrix, the hackers had unauthorized access to enterprise networks for six months; in that time they may have walked away with a significant amount of intellectual property or sensitive business documents. At the very least, make sure your organization removes the weakest link in any security system: weak passwords.