Microsoft’s Detection and Response Team (DART) has issued a warning about an increase in password spraying attacks by nation-state hacking groups and cybercriminals. These attacks require little effort, and the rewards of a successful attack are high. Password spraying allows threat actors to obtain credentials, access internal systems, steal sensitive data, and install malware and ransomware.
Password spraying is a type of brute force attack that involves trying multiple passwords for a user account until the correct one is guessed. When strong passwords are set, that process can take a considerable amount of time; however, many people set weak passwords for accounts and reuse passwords on multiple accounts.
Password spraying involves using a list of usernames and commonly used passwords, or passwords that have been compromised in previous data breaches, and pairing them in the hope of hitting the correct combination. To counter password spraying, rate limiting is often implemented, which locks an account after a certain number of failed login attempts.
To get around rate limiting controls, threat actors are using a low and slow approach. Microsoft has observed threat actors using multiple IP addresses to attack multiple accounts simultaneously, with only a limited number of password guesses for each account, rather than trying many different passwords against one account.
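The low-and-slow pattern described above is what defeats a per-account lockout, and it is also what makes the attack visible when failures are counted across accounts instead of per account. The following added example (not code from Microsoft or from the article) simulates both views over a constructed authentication log: a per-account lockout policy that trips only on the one account hammered repeatedly, and a detection rule that flags a window in which many distinct accounts each see one or two failures, evaluated per source IP and tenant-wide. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data). Format:
# "<ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>"
# Lines 1-10: two source IPs, one guess per account (spray).
# Lines 11-16: one IP repeatedly guessing a single account (classic brute force).
SAMPLE_LOG = """\
2024-01-15T09:00:01 203.0.113.5 alice FAIL
2024-01-15T09:00:07 203.0.113.5 bob FAIL
2024-01-15T09:00:13 203.0.113.5 carol FAIL
2024-01-15T09:00:19 198.51.100.9 dave FAIL
2024-01-15T09:00:25 198.51.100.9 erin FAIL
2024-01-15T09:00:31 198.51.100.9 frank FAIL
2024-01-15T09:00:37 203.0.113.5 grace FAIL
2024-01-15T09:00:43 198.51.100.9 heidi FAIL
2024-01-15T09:10:02 203.0.113.5 ivan FAIL
2024-01-15T09:10:08 198.51.100.9 judy SUCCESS
2024-01-15T09:15:00 192.0.2.77 alice FAIL
2024-01-15T09:15:05 192.0.2.77 alice FAIL
2024-01-15T09:15:10 192.0.2.77 alice FAIL
2024-01-15T09:15:15 192.0.2.77 alice FAIL
2024-01-15T09:15:20 192.0.2.77 alice FAIL
2024-01-15T09:15:25 192.0.2.77 alice SUCCESS
"""

EPOCH = datetime(1970, 1, 1)  # naive reference point for fixed time buckets
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return sorted(events, key=lambda e: e[0])


def per_account_lockout(events, threshold=5, window=timedelta(minutes=10)):
    """Classic lockout: `threshold` failures for one account inside `window`
    locks that account. Returns {user: time_of_lock}. A spray that makes one
    or two guesses per account never reaches the threshold."""
    recent = defaultdict(deque)
    locked = {}
    for ts, _ip, user, ok in events:
        if ok or user in locked:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked[user] = ts
    return locked


def detect_spray(events, window=timedelta(minutes=15), min_accounts=5, max_per_account=2):
    """Flag a window in which at least `min_accounts` distinct accounts each
    fail only `max_per_account` times or fewer (the inverse of the lockout
    pattern). Checked per source IP and across the tenant, because a spray
    spread over several IPs can stay under a per-IP threshold."""
    per_ip = defaultdict(lambda: defaultdict(int))   # (bucket, ip) -> user -> fails
    tenant = defaultdict(lambda: defaultdict(int))   # bucket -> user -> fails
    for ts, ip, user, ok in events:
        if ok:
            continue
        bucket = (ts - EPOCH) // window
        per_ip[(bucket, ip)][user] += 1
        tenant[bucket][user] += 1

    def sprayed(counts):
        return sorted(u for u, n in counts.items() if n <= max_per_account)

    alerts = []
    for bucket, counts in sorted(tenant.items()):
        users = sprayed(counts)
        if len(users) >= min_accounts:
            alerts.append({"window_start": EPOCH + bucket * window, "scope": "tenant", "accounts": users})
    for (bucket, ip), counts in sorted(per_ip.items()):
        users = sprayed(counts)
        if len(users) >= min_accounts:
            alerts.append({"window_start": EPOCH + bucket * window, "scope": ip, "accounts": users})
    return alerts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("locked by per-account policy:", per_account_lockout(ev))
    for a in detect_spray(ev):
        print(f"spray alert [{a['scope']}] window {a['window_start']:%H:%M}: "
              f"{len(a['accounts'])} accounts {a['accounts']}")
```

Run against the sample, the lockout policy locks only `alice`, whose account was brute-forced from one IP, and leaves every sprayed account untouched. The spray rule fires for `203.0.113.5` (five accounts) but not for `198.51.100.9` (four accounts, under the threshold), while the tenant-wide view sees all nine sprayed accounts at once; that aggregate view is the one worth alerting on.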
Credential stuffing is also common. Data breaches are being reported more and more frequently, and usernames and passwords obtained in those breaches are often posted or sold on the dark web. Compromised credentials are collected and are used to attack multiple websites and systems in the hope that the credentials have been used on multiple platforms. Most people are guilty of password reuse, so this tactic is highly effective.
Password spraying is an easy, low-cost way of gaining access to accounts, and even sophisticated, highly skilled hackers engage in it. The hacking group behind the SolarWinds supply chain attack not only exploits vulnerabilities and open RDP connections but has also been observed conducting password spraying attacks to gain access to administrative accounts. Microsoft said Iranian nation-state hackers have been conducting password spraying attacks on US and Israeli companies operating in the Persian Gulf.
Password spraying is effective and incredibly common. Microsoft said that while password spraying has a low success rate of around 1%, more than a third of Microsoft account compromises are due to password spraying attacks.
There are easy ways of improving security and protecting accounts against password spraying attacks. One of the most effective ways is also the simplest: ensure a complex, unique password is used on every account. In practice this is difficult, as most people have several dozen accounts and remembering a complex password for each is almost impossible without writing them down.
The solution is to use a password manager. A password manager, Bitwarden for example, can be configured to suggest complex, unique passwords for all accounts and will store them securely in an encrypted password vault. When the user visits a site for which a password is stored, the password manager fills it into the login form automatically, so passwords never need to be remembered. All a user needs to do is set one complex, unique, and memorable password for their password vault. The best practice is to use a string of random words to form a passphrase: “golf horse automated hijacker” for instance.
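The two properties the preceding paragraphs ask for, that a password is unique per account and that it is not one already exposed in a breach, are both mechanically checkable. The added example below (not Bitwarden's code and not from the article) generates a random-word passphrase with a cryptographically secure source, works out how much entropy it carries, and implements a minimal vault that refuses a password reused on a second site or found in a breached-password list. The word list and the breached-password set are small constructed stand-ins; a real word list has thousands of entries and real breach lists are distributed as hashes of the exposed passwords.

```python
import hashlib
import math
import secrets

# Constructed miniature word list (assumption for the example; a real list
# such as a diceware list has 7776 entries).
WORDLIST = ["golf", "horse", "automated", "hijacker", "river", "candle", "orbit", "maple",
            "velvet", "pioneer", "granite", "saffron", "lantern", "meadow", "quartz", "tundra"]

# Constructed stand-in for passwords exposed in earlier breaches, kept as SHA-1
# digests so plaintexts do not sit in the code (the form such lists are usually
# shared in). Entries are assumptions for the example.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ["password", "123456", "qwerty", "welcome1"]}


def generate_passphrase(words=4, wordlist=WORDLIST):
    """Pick `words` entries with the secrets module (a CSPRNG), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words, wordlist_size):
    """Entropy of a uniformly chosen passphrase: words * log2(wordlist size)."""
    return words * math.log2(wordlist_size)


def is_breached(password):
    """True if the password's SHA-1 digest appears in the breached list."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


class Vault:
    """Per-site store that enforces 'unique per account' and 'not breached'.
    Secrets are kept in memory only; a real vault encrypts them at rest."""

    def __init__(self):
        self._entries = {}  # site -> password

    def add(self, site, password):
        """Return 'ok' if stored, else the reason it was refused."""
        if is_breached(password):
            return "breached"
        if password in self._entries.values():
            return "reused"
        self._entries[site] = password
        return "ok"

    def lookup(self, site):
        return self._entries.get(site)


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print(phrase, f"({passphrase_entropy_bits(4, len(WORDLIST)):.1f} bits from this tiny list;"
                  f" {passphrase_entropy_bits(4, 7776):.1f} bits from a 7776-word list)")
    v = Vault()
    print(v.add("mail.example", "welcome1"))   # breached
    print(v.add("mail.example", phrase))       # ok
    print(v.add("bank.example", phrase))       # reused
```

With a 16-word list four words give only 16 bits, which is why a real passphrase should draw from a list in the thousands of words; four words from a 7776-word list give about 51.7 bits, and each additional word adds another 12.9.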
In addition to setting strong and unique passwords, multifactor authentication should be implemented whenever possible. In the event of a password being guessed, a second authentication factor must be provided before access to the account will be granted. Microsoft said 99.9% of automated attacks on Microsoft accounts will be blocked by using multifactor authentication.
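To make the "second factor must be provided" step concrete, here is an added example (not Microsoft's implementation and not from the article) of server-side verification of a time-based one-time password, the kind an authenticator app generates. It implements HOTP/TOTP as specified in RFC 4226 and RFC 6238 and is checked against the RFC 6238 test vector for the ASCII secret "12345678901234567890". Two details matter for a defender: the comparison is constant-time, and the verifier returns the time step it matched so the caller can store it and refuse a replay of the same code. The login flow at the bottom is a constructed illustration.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"); a real deployment
# generates a random per-user secret and stores it encrypted.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time, last_used=-1, step=30, digits=6, drift=1):
    """Accept the code for the current step or `drift` neighbouring steps
    (clock skew), compare in constant time, and never accept a step at or
    below `last_used`. Returns the matched step, or None."""
    counter = int(at_time) // step
    for c in range(counter - drift, counter + drift + 1):
        if c <= last_used:
            continue  # code already consumed: replay
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


def login(password_ok, otp, now, secret=TEST_SECRET, last_used=-1):
    """Constructed two-step flow: a correct password alone is not enough."""
    if not password_ok:
        return "denied: bad password", last_used
    matched = verify_totp(secret, otp, now, last_used)
    if matched is None:
        return "denied: bad or replayed second factor", last_used
    return "granted", matched


if __name__ == "__main__":
    now = 59  # RFC 6238 test time: step 1, expected 6-digit code 287082
    print(totp(TEST_SECRET, now))
    result, used = login(True, "287082", now)
    print(result)                              # granted
    print(login(True, "287082", now, last_used=used)[0])  # replay refused
    print(login(True, "000000", now)[0])       # wrong code
```

A guessed password stops at the second step: the attacker would need the current code from the user's device, and even a captured code is only good for one use within the short drift window.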