Cyberthreats these days bring to mind the mythological Hydra: Cut off one head, and two seem to grow in its place. The most recent examples of this phenomenon are attacks that target passwords. Traditional brute-force password attacks — in which malicious actors pummel an account with popular passwords in order to gain access — are being headed off by security measures that lock accounts after several password attempts, but now password spray attacks are rising in their place.
As these new kinds of password attacks rise in popularity, organizations will have to learn to tackle them appropriately in order to keep accounts secure.
What Is a Password Spray Attack?
What does this kind of attack look like?
In a brute force attack, hackers try several passwords on a single account, looking for a way in. In a spray attack, hackers will try one common password on multiple accounts before moving on to a second password, which allows them to stay under the radar and avoid “rapid or frequent account lockouts,” according to an alert released by the United States Computer Emergency Readiness Team earlier this year.
Moreover, this attack frequently targets “single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,” US-CERT notes. This is because federated authentication can help to mask malicious traffic, while gaining access through SSO means maximizing the impact of a single right guess.
But these aren’t the only instances in which password spray attacks are popular. Email applications are also vulnerable, with malicious actors often seeking to gain access directly from the cloud and download user mail, which would enable them to identify the company’s entire email list. They could also change email settings to automatically forward received and sent email, gaining visibility of the organization’s entire email operation, US-CERT warns.
Spray Attacks Grow in Popularity
Password spray attacks aren’t new, but their prevalence is skyrocketing.
US-CERT warns that a successful attack, particularly one that exposes sensitive information, could have a major impact on an organization’s operations, including:
- Temporary or permanent loss of sensitive or proprietary information
- Disruption to regular operations
- Financial losses incurred to restore systems and files
- Potential harm to an organization’s reputation
How to Spot and Tackle Password Spray Attacks
What does it take to prevent or head off these attacks?
The first step is spotting them. According to US-CERT, warning signs include:
- Big spikes in attempted logons for SSO portals or web-based applications
- IP addresses of employee logons coming from suspicious locations
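The pattern US-CERT describes (one password tried against many accounts, then the next password) has a recognisable shape in authentication logs: a single source touching many distinct accounts with only one or two attempts each, whereas classic brute force is many attempts against one account. The following is an added example, not code from the article or from US-CERT, that runs that distinction over a constructed log format and also lists the accounts on which a spraying source actually succeeded, since those are the ones an incident responder has to reset and review first. The log format, sample lines, IP addresses and thresholds are all constructed for the example.

```python
"""Flag password-spray and brute-force patterns in a sign-in log.

Added example. Log format is constructed:
    <ISO timestamp> <FAIL|SUCCESS> user=<account> ip=<source>
A source is called "spray" when it touches at least `spray_accounts`
distinct accounts inside a sliding `window`, and "brute_force" when it
makes at least `brute_attempts` attempts against a single account.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six accounts in ten seconds and gets
# into one; 198.51.100.9 hammers a single account; 192.0.2.20 is a normal login.
SAMPLE_LOG = """\
2018-11-05T08:00:01 FAIL user=alice ip=203.0.113.7
2018-11-05T08:00:03 FAIL user=bob ip=203.0.113.7
2018-11-05T08:00:05 FAIL user=carol ip=203.0.113.7
2018-11-05T08:00:07 FAIL user=dave ip=203.0.113.7
2018-11-05T08:00:09 FAIL user=erin ip=203.0.113.7
2018-11-05T08:00:11 SUCCESS user=frank ip=203.0.113.7
2018-11-05T08:01:00 FAIL user=alice ip=198.51.100.9
2018-11-05T08:01:02 FAIL user=alice ip=198.51.100.9
2018-11-05T08:01:04 FAIL user=alice ip=198.51.100.9
2018-11-05T08:30:00 SUCCESS user=bob ip=192.0.2.20
"""


def parse_line(line):
    """Split one constructed log line into a dict."""
    ts, result, user, ip = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user.split("=", 1)[1],
        "ip": ip.split("=", 1)[1],
    }


def analyze(log_text, window=timedelta(minutes=10),
            spray_accounts=5, brute_attempts=3):
    """Return {source_ip: {"verdict", "accounts", "successes"}} for sources
    whose activity inside the window matches a spray or brute-force shape."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # source ip -> events still inside the window
    report = {}
    for ev in events:
        q = recent[ev["ip"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop events that aged out
            q.popleft()
        accounts = {e["user"] for e in q}
        verdict = None
        if len(accounts) >= spray_accounts:
            verdict = "spray"
        elif len(q) >= brute_attempts and len(accounts) == 1:
            verdict = "brute_force"
        # A spray finding keeps updating as more accounts appear; a
        # brute-force finding never downgrades an existing spray verdict.
        if verdict == "spray" or (verdict and ev["ip"] not in report):
            report[ev["ip"]] = {
                "verdict": verdict,
                "accounts": sorted(accounts),
                "successes": sorted(e["user"] for e in q
                                    if e["result"] == "SUCCESS"),
            }
    return report


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding["verdict"], "accounts:", finding["accounts"],
              "succeeded on:", finding["successes"])
```

The window and thresholds are the knobs to tune against your own baseline: a spray run that is deliberately slow (one attempt per account per hour) needs a longer window and a lower account threshold, at the cost of more false positives from shared egress addresses such as VPN concentrators.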
To keep these attacks from becoming successful, organizations should lay the groundwork to prevent them. In a recent blog post, Microsoft recommended these steps:
1. Use cloud authentication. The cloud can employ algorithms that can detect and block potential attacks.
2. Use multifactor authentication. This can add a layer of security to accounts that is not password-based.
3. Discourage weak passwords. By generating a list of common passwords, you can set systems to block them from use, making it that much harder for malicious actors to guess in these attacks.
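Step 3 only works if the filter catches the variants that sprayers actually try, not just the literal dictionary words: "Password", "P@ssw0rd2018!" and "Summer2018" all share a base term. The following is an added example, not Microsoft's filter or the article's code, of a password filter that normalises a candidate (case, common character substitutions, trailing year or symbol runs) before comparing it against a banned-term list and the user's own account name. The banned terms, the substitution table and the minimum length are assumptions made for the example.

```python
"""Banned-password filter with normalisation.

Added example. Rejects candidates whose normalised form contains a banned
base term or a part of the user's own account name. The term list and the
substitution table below are constructed, not a published blocklist.
"""
import re

# Constructed banned base terms; a real deployment would load a much
# longer list built from observed spray attempts and breach corpora.
BANNED_TERMS = ("password", "welcome", "letmein", "qwerty",
                "summer", "winter", "spring", "autumn", "contoso")

# Common character substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def normalize(password):
    """Lower-case, strip leading/trailing digit and symbol runs such as
    '2018!' and undo common substitutions so 'P@ssw0rd2018!' -> 'password'."""
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return base.translate(LEET)


def is_banned(password, username=None, banned=BANNED_TERMS, min_len=12):
    """Return (rejected, reason). Length is checked first; then the
    normalised password is searched for banned terms and name parts."""
    if len(password) < min_len:
        return True, "too short"
    norm = normalize(password)
    terms = list(banned)
    if username:
        # Split 'alice.smith' into ['alice', 'smith']; ignore very short parts.
        terms += [p for p in re.split(r"[^a-z]+", username.lower()) if len(p) >= 3]
    for term in terms:
        if term in norm:
            return True, f"contains banned term '{term}'"
    return False, "ok"


if __name__ == "__main__":
    for candidate, user in [("P@ssw0rd2018!", None), ("Summer2018!!", None),
                            ("alice.smith-rocks-2018", "alice.smith"),
                            ("correct horse battery staple", "alice.smith")]:
        print(repr(candidate), "->", is_banned(candidate, user))
```

Because the normalisation runs before the comparison, the list can stay short and term-based, which is what makes it maintainable; the filter is applied at password-set time, so it never sees or logs the password of an attacker, only of the user choosing it.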
The company is taking its own advice. Microsoft’s CISO Bret Arsenault recently spoke about the organization’s own efforts to mitigate these threats at Microsoft Ignite 2018. Arsenault noted that, in an attempt to discourage weak passwords, the company employed a filter that prevents users from choosing easily guessable passwords. The company also turned to multifactor authentication, which can “eliminate the blast radius” if a hacker does manage to breach an account.
“If you have a password filter, if you have MFA and if you have strong proofing, then you’re really in a great state,” Arsenault said.