Password spraying attacks are hardly new. Fraudsters have long used this type of brute force attack to confirm valid username and password combinations (or other single-factor credentials) in order to break into organizations' accounts. All they need is the following:
- An automated tool such as THC-Hydra that can work through lists of usernames and commonly used passwords. With the multitude of corporate data breaches over the past few years, lists of both are readily available.
- One or more zombie machines on which to run the tool. These are easily bought or discovered among the legion of silent-running botnets.
- An internet-facing web server at the targeted organization that performs user logins.
Due to the ready availability of the first two items above, the US Computer Emergency Readiness Team (US-CERT) recently issued an alert about the uptick in these types of attacks. With the numerous scams and devious ways of monetizing hacking, no organization is safe today. As an example, the Verizon Data Breach Report for 2018 suggests that payroll and Human Resource departments in higher education are targeted in order to obtain W-2s, which are then used to file fraudulent tax returns. Many educational institutions are prime targets because they do not have the time and money to put into infrastructure that prevents cyber attacks. Another aspect that makes them softer targets is the common practice of publishing an online directory of faculty and staff email addresses. This alone helps the attackers: they start out knowing they have a list of valid usernames.
Password spraying is a brute force method, but instead of hammering one account with many passwords, it tries a few common passwords against many user accounts, keeping each account below the lockout threshold. It boils down to a numbers game: nearly all organizations have some user accounts whose passwords appear on the publicly available "most common passwords" lists. Some attacks are made directly from the zombie machine, in which case the originating IP is clearly visible. This differs from DDoS attacks (which often spoof the source address), because the automated tool must receive the server's response to learn whether the username and password were correct. Other, more nefarious attacks are indirect, such as those coming through Office 365 masquerading as Outlook or mobile email clients: the login attempt reaches your server by way of Office 365, so the source IP your server sees belongs to a legitimate Office 365 server and cannot simply be blocked.
The standard countermeasures for password spraying can't be applied until you've actually determined that your organization is being attacked. Some of the symptoms include:
- Continuous directory lockouts – A steady stream of lockouts across many different accounts, with no obvious cause, is the classic sign. Active Directory can be configured to automatically clear lockouts after a set interval, which is exactly what the attackers are hoping for: all other things being equal, it gives them more opportunities to test.
- Sluggishness of the directory or external-facing websites – If your website or directory access "feels" slower, don't just discount it. Be the person who follows up on it.
- Extra web server logging – If your web server writes failed logins to a file or to SQL, a sudden jump in log volume or low disk space warnings can also be a harbinger of these attacks.
Following up on any of these should lead you to the login logs, and from there to the IP address(es) originating the attacks. The pattern to look for is a single source failing against many different usernames, each only a few times.
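The following Python script is an added example (not PortalGuard's code or anything from the original post) of what that log review looks like when automated: it counts, per source IP, how many distinct accounts failed inside a sliding window, and separately checks whether any single account would have tripped a conventional per-account lockout. The same per-IP count of distinct failing usernames is what a dynamic IP lockout, described later under the advanced protections, would key on. The log format, the sample lines and the thresholds are all constructed for the example; real web or directory logs will differ in layout and need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real data): "timestamp source_ip username result".
# One source tries a single password against ten different accounts in ten seconds,
# while a legitimate user (alice) mistypes her password twice and then succeeds.
SAMPLE_LOG = """\
2018-04-02T09:00:01 203.0.113.10 alice FAIL
2018-04-02T09:00:02 203.0.113.10 bob FAIL
2018-04-02T09:00:03 203.0.113.10 carol FAIL
2018-04-02T09:00:04 203.0.113.10 dave FAIL
2018-04-02T09:00:05 203.0.113.10 erin FAIL
2018-04-02T09:00:06 203.0.113.10 frank FAIL
2018-04-02T09:00:07 203.0.113.10 grace FAIL
2018-04-02T09:00:08 203.0.113.10 heidi FAIL
2018-04-02T09:00:09 203.0.113.10 ivan FAIL
2018-04-02T09:00:10 203.0.113.10 judy FAIL
2018-04-02T09:00:11 203.0.113.10 judy OK
2018-04-02T09:01:00 198.51.100.7 alice FAIL
2018-04-02T09:01:05 198.51.100.7 alice FAIL
2018-04-02T09:01:09 198.51.100.7 alice OK
2018-04-02T09:30:00 203.0.113.10 alice FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    events.sort()
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that failed against at least `min_users` distinct accounts
    within any `window`. Returns {ip: (distinct_users, max_failures_per_user)}."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        most_users = 0
        for ts, _ in fails:
            in_window = {u for t, u in fails if ts - window <= t <= ts}
            most_users = max(most_users, len(in_window))
        if most_users >= min_users:
            per_user = defaultdict(int)
            for _, u in fails:
                per_user[u] += 1
            flagged[ip] = (most_users, max(per_user.values()))
    return flagged


def users_hitting_lockout(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts whose own failures would trip a per-account lockout policy of
    `threshold` bad attempts within `window`, regardless of source IP."""
    fails_by_user = defaultdict(list)
    for ts, _, user, result in events:
        if result == "FAIL":
            fails_by_user[user].append(ts)
    locked = set()
    for user, times in fails_by_user.items():
        if any(sum(1 for t in times if ts - window <= t <= ts) >= threshold for ts in times):
            locked.add(user)
    return locked


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_spray(events))
    print("accounts a per-user lockout would catch:", users_hitting_lockout(events) or "none")
```

On the sample data the spraying source is flagged with ten distinct accounts, yet no account exceeds two failures, so a lockout policy of five bad attempts never fires. That is the whole point of spraying, and it is why the per-source view, not the per-account lockout counter, is the thing to watch. The quadratic window scan is fine for a log extract; a streaming deployment would keep a deque per IP instead.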
Once the attack has been identified, the following standard countermeasures can help stop the bleeding. Remember to choose all that apply; "defense in depth" works:
- Vague responses – While it's user friendly for a web server to tell the user whether it was their username or their password that was incorrect (or how many strikes are left until the account locks), attackers can use that information to their advantage as well. If possible, configure the application to return the same generic error message regardless of whether the username or password was bad or the account was locked out. PortalGuard has had this feature in the Lockout tab of its Security Policy configuration for years.
- Multi-factor authentication – This is a good catch-all to ensure that unauthorized access isn't possible even if a user's password is learned. However, an attacker who reaches the second-factor prompt still knows the password was correct, and account lockouts can still occur.
- IP blocking – This is good for "direct" attacks. Remember that the IPs are actually compromised endpoints, and if you block them at the firewall the attacker may notice and immediately restart from a different IP. PortalGuard version 6 adds support for a "static" list of blacklisted IP addresses that replies with a generic "username or password failed" error, aimed at the indirect Office 365 attacks described earlier.
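To make the first and third points concrete, here is an added Python example (not PortalGuard's implementation, and not from the original post) showing a chatty login check beside a hardened one. The hardened version returns one generic message for an unknown user, a wrong password, a locked account and a blacklisted source IP, and always runs the password hash so an unknown username cannot be picked out by response time. The user store, the salt, the blacklist and the usernames are constructed for the example.

```python
import hashlib
import hmac

# Constructed user store for the example: username -> salt, PBKDF2 hash, lockout flag.
# (One shared salt and a low iteration count keep the example quick; a real store
# uses a random salt per user and a far higher cost.)
_SALT = b"example-salt-not-for-production"
_ITERATIONS = 50_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


USERS = {
    "alice": {"salt": _SALT, "hash": _hash("correct horse battery staple", _SALT), "locked": False},
    "bob":   {"salt": _SALT, "hash": _hash("Summer2018!", _SALT), "locked": True},
}

# Static blacklist of source IPs, assumed to be maintained by an administrator from the logs.
BLOCKED_IPS = {"203.0.113.10"}

GENERIC_FAILURE = "Username or password incorrect."


def login_verbose(username, password):
    """Chatty version: tells the caller which part failed and whether the account is locked.
    Each distinct message is a bit of information an attacker can use to refine the next guess."""
    rec = USERS.get(username)
    if rec is None:
        return (False, "Unknown username.")
    if rec["locked"]:
        return (False, "Account is locked out.")
    if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return (False, "Incorrect password.")
    return (True, "Welcome.")


def login_generic(username, password, source_ip):
    """Hardened version: the same message for every failure cause, including a
    blacklisted source IP, and the hash is always computed so that an unknown
    username costs the same time as a wrong password."""
    rec = USERS.get(username)
    salt = rec["salt"] if rec else _SALT
    expected = rec["hash"] if rec else b"\x00" * 32   # dummy digest for unknown users
    password_ok = hmac.compare_digest(_hash(password, salt), expected)
    if source_ip in BLOCKED_IPS or rec is None or rec["locked"] or not password_ok:
        return (False, GENERIC_FAILURE)
    return (True, "Welcome.")


if __name__ == "__main__":
    for user, pw in [("nobody", "x"), ("bob", "Summer2018!"), ("alice", "wrong")]:
        print(f"verbose {user!r}: {login_verbose(user, pw)[1]}")
        print(f"generic {user!r}: {login_generic(user, pw, '198.51.100.7')[1]}")
    print("alice from blacklisted IP:", login_generic("alice", "correct horse battery staple", "203.0.113.10"))
```

The trade-off is that a legitimately locked-out user also gets the generic message, so the help desk needs to be told the lockout exists and how to check it on the server side. Note also that a blacklisted IP is still allowed to submit requests; it simply never gets a useful answer, which is quieter than a firewall drop the attacker can detect.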
Some more advanced protections against password spraying that you may have at your disposal include:
- Geolocation blocking – This may seem like a good idea, but users travel, and attackers can easily launch attacks from compromised devices in any country.
- Dynamic IP lockout – Dynamically detecting an anomalous number of failed requests for different user accounts from one source, and blocking that source, is a new feature in PortalGuard version 6. Administrator email notification of newly blocked IPs allows them to be added to the static blacklist as well.
- Require CAPTCHA – Require one on every login and you'll soon become public enemy #1 in your own organization; most would consider this overreach. Demanding a CAPTCHA only after a few failures, or only from sources already flagged as suspicious, is far more palatable.
- Pwned password detection – Troy Hunt did the internet a solid by providing Have I Been Pwned's Pwned Passwords service, which tells you whether a given password already appears in known breach data. In an upcoming version PortalGuard will add support for notifying users of pwned passwords and forcing them to choose a different new password.
- Require passphrases – Using a sentence or phrase as a password is inherently easier to remember and, because it is much longer, stronger than the short sequences of letters, numbers and symbols users typically pick when forced to be "complex". PortalGuard's regex support can ensure that new passwords contain multiple spaces.
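The last two items are checks applied when a user sets a new password, and the following Python is an added example of both (not PortalGuard's upcoming implementation and not from the original post). The pwned check follows the Pwned Passwords range protocol, which sends only the first five hex characters of the password's SHA-1 and receives the matching suffixes with their breach counts, so the password itself never leaves the server. Here the network call is replaced by a constructed, offline copy of such a response; the hash prefix 5BAA6 really is that of the password "password", but the counts and the other suffixes are made up. The passphrase rule, the word count and the minimum length are assumptions for the example.

```python
import hashlib
import re

# Constructed stand-in for a Pwned Passwords "range" response. The real service
# is queried as GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the
# uppercase SHA-1> and answers with lines of "<remaining 35 hex chars>:<count>".
# Prefix 5BAA6 belongs to SHA-1("password"); counts and other suffixes are invented.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n",
}


def fetch_range(prefix):
    """Offline stand-in for the HTTP request; a deployment would fetch the URL above."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password, fetch=fetch_range):
    """Number of times `password` appears in the breach corpus (0 if not found).
    Only the 5-character hash prefix is sent; matching happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Assumed passphrase rule: at least three non-empty words separated by single spaces.
PASSPHRASE_RE = re.compile(r"^\S+(?: \S+){2,}$")


def is_passphrase(candidate, min_length=16):
    """True if the candidate looks like a phrase of several words and is long enough."""
    return len(candidate) >= min_length and PASSPHRASE_RE.match(candidate) is not None


def evaluate_new_password(candidate, fetch=fetch_range):
    """Return a list of reasons to reject the candidate; an empty list means accept."""
    problems = []
    seen = pwned_count(candidate, fetch)
    if seen:
        problems.append(f"appears {seen} times in known breaches; choose a different password")
    if not is_passphrase(candidate):
        problems.append("must be a phrase of at least three words and 16 or more characters")
    return problems


if __name__ == "__main__":
    for pw in ["password", "Summer2018!", "correct horse battery staple"]:
        print(f"{pw!r}: {evaluate_new_password(pw) or 'accepted'}")
```

A passphrase that is itself famous, or that appears in a breach, still fails the pwned check, which is why the two rules belong together rather than as alternatives. If the range lookup is unreachable, decide deliberately whether to fail open or closed; silently treating a network error as "not pwned" is the usual mistake.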
Hopefully this introduction gives you more insight into this increasingly common attack vector. Please reach out to us if you'd like to discuss your environment in more detail and learn how PortalGuard can help protect you against these and other kinds of cyber attacks.