12 Days of Red Teaming – Day 5, Password Spraying Lapland Industries.
What is Password Spraying?
Password Spraying is a type of brute force attack in which hackers avoid account lockouts by trying the same password against many accounts. Many accounts have lockout policies, so after several failed attempts in a short period of time the account is locked out. By targeting a large number of accounts with the same simple password, e.g. Winter22 or Password22, hackers avoid lockouts by increasing the gap between attempts on the same account.
This technique also helps threat actors remain undetected, as spikes in user lockouts can look suspicious to any monitoring tools the organisation has implemented. Hackers do not need a complete list of usernames or emails in order to carry out password spraying. Once they have a single example login, which could be found via an open source such as a company website or an industry directory, they can apply the same pattern to a number of different employees whose names could easily be obtained from LinkedIn.
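A defender-side illustration of the pattern described above, added here as an example (it is not code from the original post or from Cybaverse): it scans constructed authentication log lines and flags a source that fails against many distinct accounts while staying below the lockout threshold, which is what separates a spray from a lockout-triggering brute force. The log format, the IP addresses, the account names and the thresholds are all assumptions.

```python
# Added example: detect the password-spraying pattern in constructed auth logs.
# A spray is one source failing against many distinct accounts while each
# account stays under the lockout threshold, so no lockout spike appears.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "timestamp source user result"
SAMPLE_LOG = """\
2022-12-05T09:00:01 203.0.113.7 elf.alice FAIL
2022-12-05T09:12:40 203.0.113.7 elf.bob FAIL
2022-12-05T09:25:09 203.0.113.7 elf.carol FAIL
2022-12-05T09:39:52 203.0.113.7 elf.dave FAIL
2022-12-05T10:02:30 203.0.113.7 elf.frank OK
2022-12-05T09:05:00 198.51.100.2 elf.alice FAIL
2022-12-05T09:05:02 198.51.100.2 elf.alice FAIL
2022-12-05T09:05:05 198.51.100.2 elf.alice FAIL
2022-12-05T09:05:09 198.51.100.2 elf.alice FAIL
2022-12-05T09:05:15 198.51.100.2 elf.alice FAIL
"""

def parse_log(text):
    """Parse the constructed log format into sorted (time, source, user, result)."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return sorted(events)

def detect_spray(events, window=timedelta(hours=24), min_accounts=4,
                 lockout_threshold=5):
    """Return {source: {"accounts": [...], "successes": [...]}} for sources whose
    failures inside any `window` cover >= min_accounts distinct users while no
    single user is failed lockout_threshold or more times (a spray, not a
    per-account brute force, which the lockout policy would already catch)."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_source.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, (start, _, _, _) in enumerate(fails):
            per_user = Counter(e[2] for e in fails[i:] if e[0] - start <= window)
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout_threshold:
                alerts[src] = {
                    "accounts": sorted(per_user),
                    # a later success from a spraying source is the account to triage first
                    "successes": sorted({e[2] for e in evs if e[3] == "OK" and e[0] >= start}),
                }
                break
    return alerts
```

The second source in the sample (five failures against one account) is deliberately not flagged, since that is the lockout-triggering pattern existing monitoring already sees; the first source is flagged together with the account it subsequently logged into.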
Password Spraying Lapland Industries
Cybaverse used the information found at the Lapland Industries Christmas Party to carry out a Password Spraying exercise against one of their main project management and ERP systems, Christmas 365. 3,000 accounts were obtained, and over a 24-hour period 200 password attempts were made against user accounts at Lapland Industries. This could have been many more, but attempts were throttled and made sporadically to avoid triggering any security solutions. Four were successful, across different administrative levels and departments in the company.
However, Christmas 365 was cloud-based, and therefore Cybaverse were unable to access the Naughty or Nice List.
Protect your business against Password Spraying
There are several different ways to protect your organisation from Password Spraying attacks.
Password protection
One option is to enable any Active Directory password protection offered by providers. Many software providers offer password protection that stops accounts from using easy-to-guess passwords in the first place. In some cases you can create your own list of banned words, such as days, months, seasons, colours and company names. You can also extend this to consecutive numbers, banning the use of 123, for example.
Penetration testing
Regular Penetration Testing will help highlight vulnerabilities in your systems. Password Spraying is often used in Penetration Tests to check that all users use strong passwords. Even if Multi Factor Authentication is used, other Vishing or Social Engineering attempts can be used to gain access.
Eliminate passwords
Another way to protect your business from Password Spraying attempts is to remove passwords altogether. There are now solutions that let accounts authenticate using biometrics and a physical device, eliminating the risk of Password Spraying entirely.
Other types of credential-based hacks that organisations should be aware of are:
- Credential stuffing – this is where attackers use a bot or program to predict user credentials from a single user, based on the assumption that companies use the same format for all usernames, for example firstname.surname@domainname
- Dictionary attack – where threat actors systematically try every word in a word list to guess the password of a particular user
- Keyloggers – where hackers install a piece of spyware onto your device to monitor keystrokes, identify patterns and capture passwords. Keyloggers can also be used to access webcams and microphones to monitor and capture other personal information.
Next steps
Cybaverse updated Mr and Mrs Claus on their findings and offered some immediate advice on how to avoid Password Spraying attacks in the future. The next step in the Red Team was to gain physical access to Santa’s Workshop. Tomorrow, Cybaverse look to complete some reconnaissance work on a physical security breach.