Password spraying is not a new form of cyber attack, but this may be the first article in which we discuss it in more detail. Password spraying is a brute-forcing technique that uses the same password while varying the username. The purpose of this methodology is to bypass the IP address ban that is triggered when wrong passwords are entered in succession against a single account. The Australian Cyber Security Centre (ACSC) recently issued an advisory highlighting password spray attacks against state-owned networks, particularly those operated by Australian state universities.
The services that the Australian public networks offer to their users include Active Directory, RDP (Remote Desktop), webmail and an interface with Office 365. Through its Security Information and Event Management (SIEM) data, ACSC was able to determine the high volume of user access attempts made against state networks. The password spray attacks that ACSC staff observed used a dictionary-like list of usernames, while the password used for each brute-force attempt remained the same.
ACSC discovered that the number of wrong usernames attempted outnumbered the passwords tried during the mass brute-force attempt. Moreover, the networks where such symptoms were detected use a username naming convention, and the invalid names used during the brute-force attempt indicate that outsiders, rather than internal actors, are behind the attacks. An account lock-out policy is also in place, meaning that a set number of wrong username and password combinations causes the Active Directory authentication system to disable the user account. The number of account lock-outs recorded was beyond normal, indicating a brute-force campaign on the affected networks.
A series of failed login attempts was also recorded in the corresponding Office 365 accounts operated by some Australian state universities. “Standard controls in Office 365 allow any user to use PowerShell to authenticate with your Microsoft Azure services. This gives the actor an automated way to enumerate your active directory hosted on the cloud, enabling them to spray against additional accounts or using that information to craft more sophisticated spear-phishing emails,” explained ACSC security researchers.
The ACSC issued a list of recommendations to mitigate password spray attacks:
1. Reset credentials of affected accounts
This reduces the chance that the brute-force password spray will succeed.
2. Additional access controls and hardening
These include password complexity requirements, a password expiration policy and hardening of the account lock-out policy.
3. Increased alerting and monitoring
Extensive use of SNMP and other available protocols to check the integrity of users given access to the system. Alerts are an effective way for system administrators to learn the status of the system. Password spray can be detected through regular monitoring of the network.
4. Enforce complex passwords as well as a strong password reset policy
Password resets should only be done when they are required. A timed approach increases security, given that a brute-force attack carried out at an inappropriate time will not succeed.
5. Implement multi-factor authentication (MFA) on all external access systems
Using another device as a secondary authentication factor besides the user’s password increases the difficulty of a successful login. Anyone who knows only the password cannot enter the system, as it demands the secondary authentication provided by an MFA device.
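As an added example for the monitoring recommendation (item 3), the following script is not from the ACSC advisory; it applies the indicators described above (many distinct usernames failing from one source within a short window, and usernames that do not fit the organisation's naming convention) to a constructed sample of authentication records. The one-line log format, the `first.last` naming convention and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication records in a hypothetical one-line format
# (timestamp, user, source IP, result); not data from the advisory. The assumed
# "first.last" convention models usernames that do not fit the naming scheme.
SAMPLE_LOG = """\
2024-06-01T09:00:01 user=alice.smith src=203.0.113.5 result=FAILURE
2024-06-01T09:00:03 user=bob.jones src=203.0.113.5 result=FAILURE
2024-06-01T09:00:05 user=admin src=203.0.113.5 result=FAILURE
2024-06-01T09:00:07 user=jsmith src=203.0.113.5 result=FAILURE
2024-06-01T09:00:09 user=carol.wu src=203.0.113.5 result=FAILURE
2024-06-01T09:00:11 user=test src=203.0.113.5 result=FAILURE
2024-06-01T09:01:00 user=dave.lee src=198.51.100.7 result=FAILURE
2024-06-01T09:01:20 user=dave.lee src=198.51.100.7 result=FAILURE
2024-06-01T09:02:00 user=dave.lee src=198.51.100.7 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")
NAMING_RE = re.compile(r"^[a-z]+\.[a-z]+$")  # assumed first.last convention

def parse(log):
    """Return (timestamp, user, source, result) tuples for well-formed lines."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records

def detect_spray(records, window=timedelta(minutes=5), min_users=5):
    """Flag sources whose failures touch >= min_users distinct accounts in one window.
    A classic brute force hammers one account; a spray fans out across many accounts."""
    failures = defaultdict(list)
    for ts, user, src, result in records:
        if result == "FAILURE":
            failures[src].append((ts, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each failure
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                off = sorted(u for u in users if not NAMING_RE.match(u))
                alerts[src] = {"distinct_users": len(users), "off_convention": off}
                break
    return alerts
```

The second source in the sample (one user, two failures, then success) is an ordinary mistyped password and is not flagged, which is the distinction a per-account lock-out policy alone cannot make.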