Password Spraying is a type of brute force attack in which hackers try the same password against many accounts in order to avoid account lockouts. Many accounts have lockout policies, so after several failed attempts in a short period of time the account is locked out. By targeting a large number of accounts with a single simple password (e.g. Winter22 or Password22), hackers increase the gap between attempts on any one account and so stay below the lockout threshold.
This technique also helps threat actors remain undetected, as spikes in user lockouts can look suspicious to any monitoring tools the organisation may have implemented. Hackers do not need a ready-made list of usernames or emails in order to carry out password spraying. Once they have a single login, which could be found via an open source such as a company website or an industry directory, they can apply the same format to a number of different employees whose names can easily be obtained from LinkedIn.
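The pattern described above (many distinct accounts, few attempts each, from one source within a short window) is what a defender can look for in authentication logs, since a classic per-account lockout counter never fires. The following detection logic is an added example and is not Cybaverse's or Lapland Industries' code; the log format, source addresses and thresholds are constructed for illustration and would need adjusting to a real system's logs.

```python
"""Flag password-spray patterns in authentication logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <FAIL|SUCCESS> <username> <source IP>".
# 203.0.113.7 touches many accounts once each (spray pattern);
# 198.51.100.9 hammers one account (classic brute force, not a spray).
SAMPLE_LOG = """\
2022-12-01T09:00:01Z FAIL alice 203.0.113.7
2022-12-01T09:00:04Z FAIL bob 203.0.113.7
2022-12-01T09:00:08Z FAIL carol 203.0.113.7
2022-12-01T09:00:11Z FAIL dave 203.0.113.7
2022-12-01T09:00:15Z FAIL erin 203.0.113.7
2022-12-01T09:00:19Z SUCCESS frank 203.0.113.7
2022-12-01T09:00:22Z FAIL grace 203.0.113.7
2022-12-01T09:05:00Z FAIL alice 198.51.100.9
2022-12-01T09:05:02Z FAIL alice 198.51.100.9
2022-12-01T09:05:05Z FAIL alice 198.51.100.9
2022-12-01T09:05:07Z SUCCESS alice 198.51.100.9
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, source)."""
    ts, result, user, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return one alert per source whose failed logins, inside any sliding window,
    hit at least `min_accounts` distinct users with no more than `max_per_account`
    failures each. Thresholds are hypothetical; tune them to the environment."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, result, user, src = parse_line(line)
        events[src].append((ts, result, user))

    alerts = []
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "FAIL"]
        counts = defaultdict(int)   # failures per user inside the current window
        start = 0
        flagged = False
        for ts, user in fails:
            counts[user] += 1
            # Slide the window forward, dropping failures older than `window`.
            while ts - fails[start][0] > window:
                old_user = fails[start][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                start += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged = True
                break
        if flagged:
            alerts.append({
                "source": src,
                "accounts": len({user for _, user in fails}),
                # Successes from a spraying source are the accounts to reset first.
                "successes": sorted({user for _, result, user in evs if result == "SUCCESS"}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The `max_per_account` bound is what separates a spray from ordinary brute force: the single-account source in the sample never alerts, while the low-and-slow source does even though no account it touched would ever have been locked out.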
Cybaverse used the information gathered at the Lapland Industries Christmas Party to carry out a Password Spraying exercise against one of the company's main project management and ERP systems, Christmas 365. 3,000 accounts were obtained, and over a 24-hour period 200 password attempts were made against user accounts at Lapland Industries. This number could have been much higher, but the attempts were throttled and spaced out sporadically to avoid triggering any security solutions. Four attempts were successful, across different administrative levels and departments in the company.
However, Christmas 365 was cloud-based, so Cybaverse were unable to access the Naughty or Nice List.
There are several different ways to protect your organisation from Password Spraying attacks.
One is to enable the Active Directory password protection offered by providers. Many software providers offer password protection that stops accounts from using easy-to-guess passwords in the first place. In some cases you can create your own list of words that are not allowed to be used, such as days, months, seasons, colours and company names. You can also extend this to runs of consecutive numbers, banning the use of 123, for example.
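To make the custom banned-word idea concrete, here is an added example of a password check that rejects the word categories listed above and runs of consecutive digits. It is not Cybaverse's code or any provider's implementation; the banned list (including the fictional company name) and the minimum length are constructed for this illustration.

```python
"""Reject passwords built from banned words or consecutive digits (constructed example)."""

# Constructed banned list: days, months, seasons, colours and a (fictional) company name.
BANNED_WORDS = {
    "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday",
    "january", "february", "march", "april", "may", "june", "july", "august",
    "september", "october", "november", "december",
    "spring", "summer", "autumn", "winter",
    "red", "blue", "green", "black", "white", "orange", "purple", "yellow", "pink",
    "lapland", "laplandindustries", "password",
}

# Undo common letter/digit substitutions so "W1nt3r" still matches "winter".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password):
    """Lower-case the password and reverse simple leetspeak substitutions."""
    return password.lower().translate(LEET)


def has_consecutive_digits(password, run=3):
    """True if the password contains `run` digits in ascending or descending order (e.g. 123, 321)."""
    digits = "0123456789"
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        if chunk in digits or chunk in digits[::-1]:
            return True
    return False


def check_password(password, banned=BANNED_WORDS, min_length=12):
    """Return a list of reasons the password is rejected; an empty list means it passed.
    Banned words are matched as substrings of the normalised password, which is
    deliberately aggressive (it will also catch "Winter22!" and "Summer2022")."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    norm = normalise(password)
    for word in sorted(banned):
        if word in norm:
            reasons.append(f"contains banned word '{word}'")
    if has_consecutive_digits(password):
        reasons.append("contains a run of consecutive digits")
    return reasons


if __name__ == "__main__":
    for candidate in ("Winter22", "Password22", "Lapland123!", "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The check is run at password-set time, which is where it belongs: the passwords that make a spray succeed are exactly the seasonal and company-name variants this list refuses.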
Regular Penetration Testing will help highlight vulnerabilities in your systems. Password Spraying is often used in Penetration Tests to check that all users have strong passwords. Even if Multi-Factor Authentication is used, other Vishing or Social Engineering attempts can be used to gain access.
Another way to protect your business from Password Spraying attempts is to remove passwords altogether. There are now solutions that let accounts authenticate using biometrics and a physical device, eliminating the risk of Password Spraying entirely.
Other types of credential-based hacks that organisations should be aware of are:
Cybaverse updated Mr and Mrs Claus on their findings and offered some immediate advice on how to avoid Password Spraying attacks in the future. The next step in the Red Team engagement was to gain physical access to Santa’s Workshop. Tomorrow, Cybaverse look to complete some reconnaissance work for a physical security breach.