Cyber attackers aren’t satisfied with just exploiting software flaws, supply chain weakness and RDP connections. They want to go after identities, your account details to be precise, those accounts that will allow them to access more business systems.
Earlier in the year CISA warned that the suspected Kremlin-backed hackers behind the SolarWinds attacks used not only trojan software updates but also password spraying and guessing to access administrative accounts.
Meanwhile, an emerging Iranian hacking group also used password spraying against Israel and the US critical infrastructure targets operating in the Persian Gulf, in a more recent attack observed by Microsoft.
The success rate of compromising account by password spraying attacks are estimated at more than a third, according to Microsoft, yet these attacks only have a 1% success rate for accounts. Certainly, not even 1% if an organisation uses Microsoft’s ‘password protection’ to avoid bad passwords.
To initiate a password spraying attack hackers try to defeat lockout and detection by trying many users against one password, rather than trying many passwords against one user. In other words, they avoid too many failed passwords attempts and consequently a lockout of the account.
And the Microsoft’s Detection and Response Team (DART) say there are two main password spray techniques:
- Low & Slow – an attacker deploys “a sophisticated password spray using “several individual IP address to attack multiple accounts at the same time with a limited number of curated password guesses.”
- Availability and Reuse – an attacker “exploits previously compromised credentials that are posted and sold on the dark web.” This tactic can work as people generally reuse passwords and usernames on many different sites.
Because they can’t enforce multi-factor authentication legacy and unsecured authentication protocols are a problem. Attackers are also focussing on the REST API, says DART.
The top applications targeted include:
- Exchange ActiveSync
- IMAP
- POP3
- SMTP Auth
- and Exchange Autodiscover
And when configuring security controls for roles like
- security admins
- Exchange service admins
- Global admins
- Conditional Access admins
- SharePoint admins
- Helpdesk admins
- Billing admins
- User admins
- Authentication admins
- Company admins
- High-profile identities such as C-level execs
- or specific roles with access to sensitive data
Extra care should be taken with these accounts because they have access to sensitive data. And Microsoft say these accounts are obviously popular targets then with hackers. To understand the basics Small business cybersecurity tips.
Microsoft warned this week about the password spray attacks on new targets, predominantly MSP (Managed Service Providers) that have admin access delegated to them by upstream customers. All instigated by the SolarWinds hackers, a.k.a. Nobelium.
To clarify, Nobelium was “targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted relationships to gain access to downstream customers and enable further attacks or access targeted systems,” according to Microsoft and their investigation.
But Microsoft emphasise that the attacks are not the result of a product security vulnerability, and due to the dynamic toolkit Nobelium has at their disposal. Items that include sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts.”
To help shape the course of an investigation, DART offers some handy tips to determine whether a spray attack was successful on at least one account, which users were affected, and whether admin accounts were compromised.
As always hackers are trying their best to exploit whatever they can, for their monetary gain. So it makes sense to ensure you at least have strong passwords and 2FA. If you want to change your office 365 password.
