In simple terms, a password spraying attack is where the attacker tries to “spray” commonly used passwords across an entire organization over a long period of time, in the hope that they can gain access to an account.
Despite the fact that 81% of hacking-related breaches are password-related, many companies are still overlooking the importance of strong password security. There are many ways that cyber-criminals are able to exploit weak or stolen credentials. The most common approach is simply brute-force-guessing passwords, which involves trying as many different password combinations as possible in order to gain access to a single account or device.
Other common techniques involve keylogger attacks, credential stuffing, phishing, and traffic interception, which are explained in more detail below.
Keylogger Attacks: This is when the attacker finds a way to install malware on the victim’s device, which records their keystrokes. The attacker will then monitor their keystrokes in order to obtain their credentials.
Credential Stuffing: These attacks are possible when the attacker is able to obtain a list of previously compromised accounts, either from the dark web or from some other source. Once they have obtained the list they will try to brute-force guess the passwords.
Phishing: Phishing attacks are when an attacker masquerades as a trusted third-party in order to trick an unsuspecting victim into handing over their credentials. This is typically achieved by sending the victim a link to an illegitimate login page, which looks like one they are familiar with. The attacker will then monitor and extract the credentials entered into the login form.
How do Password Spraying Attacks Differ from Other Password Attacks?
Rather than targeting specific accounts and devices, a password spraying attack will target as many different accounts as possible and do so in a slow and controlled manner. Many IT systems will have primitive solutions in place to detect and block multiple failed logon attempts. By attempting to login to multiple accounts slowly and continuously, the attacker is less likely to get locked out of an account. As with other password attack vectors, once the attacker has gained access to an account, they will try to use their access to engage in reconnaissance activities in order to move laterally throughout the network.
The Anatomy of a Password Spraying Attack
There are typically three steps that attackers will take in order to successfully execute a password spraying attack, which includes;
1. Obtaining a list of usernames
Attackers will first try to obtain a list of usernames through various means. Companies often use a formalized convention for usernames, which is usually the users’ email addresses. For example, a commonly used email format is: email@example.com. Attackers can often find this information by looking for clues on the company’s website, or by browsing social media websites, such as LinkedIn. In some cases, attackers are able to purchase a list of usernames from the dark web. Attackers will typically use software that can verify the accuracy of the usernames before carrying out an attack.
2. Spraying Passwords
Once they have a list of usernames, they will obtain a list of the most commonly used passwords and begin spraying. They may also customize the list according to certain factors, such as the geographical region where the users are based, which may take into account regional dialects, popular regional sports teams/players, and so on. In order to avoid triggering any alarms, the attackers will typically wait at least 30 minutes before trying again.
Assuming the spraying attack was successful and the attacker now has access to one or more accounts, they will begin investigating the type of access they have, which includes which systems, data, and applications they have access to. They will also try to use their access to elevate their privileges, which typically involves exploiting software vulnerabilities, misconfigurations, or identifying any weak access controls. Given that they now have legitimate access to the network, including their “own” email account, they may also try to elevate their privileges by emailing colleagues with privileged accounts and trying to trick them into handing over their credentials. Basically, any additional information they can obtain about the network will give them a better chance of achieving their goal.
How to Respond to a Password Spraying Attack
Assuming you have one, you will need to execute your incident response plan as soon as you have detected a password spraying attack. At the very least, your incident response plan should prompt you to take the following actions;
The obvious first step would be to inform all employees about the attack and ask them to change their passwords. Some argue that it is good practice to adopt a solution that can periodically and automatically remind users to reset their passwords. If you are unable to enforce the use of strong passwords, you should at least strongly encourage your employees to adhere to certain guidelines about how to create a sufficiently complex password. Alternatively, you can provide them with a password generation tool.
Update/patch all software
As mentioned previously, attackers will often try to exploit software vulnerabilities in order to elevate their privileges. As such, you must ensure that all software updates and patches are installed as soon as they become available.
Review event logs
It would be a good idea to carry out a detailed forensic investigation into the incident to ensure that you know exactly what happened, how it happened, and when. You can use the information gathered from your investigation to improve your incident response plan. If you are using a real-time auditing solution, you will be able to easily obtain this information by reviewing the event logs via an intuitive interface. Otherwise, you will need to manually review the event logs, which will be a slow and painful process. It’s worth noting that some real-time auditing solutions are able to automatically detect and respond to events that match a pre-defined threshold condition, and some may have built-in settings to help identify password spraying attacks.
How to Prevent Password Spraying Attacks
Configure password security settings
Whichever platform you are using, make sure that you have carefully reviewed and configured any password security setting available. For example, if you are using Microsoft Azure, and you are using a cloud-only environment, you can take advantage of Azure AD Password Protection, free of charge. Azure AD Password Protection will detect and block known weak passwords, and can also block terms that are specific to your organization. Azure AD Password Protection can also work with on-premises and hybrid environments, although a license will be required in that scenario.
Carry out simulated attacks
Either carry out a simulated password spraying attack using attack simulation software or employ a third party to do it for you. This will give you a better insight into your password security posture. When testing a list of passwords, take into account any regional or industry-specific terms that your employees might use for their passwords.
Enable multi-factor authentication (MFA)
It is always a good idea to enable multi-factor authentication to ensure that a password alone is not enough to gain access to an account. If you want to be extra secure, consider implementing technology that allows for biometric or voice-activated authentication.
Use a real-time auditing solution
A real-time auditing solution will use machine learning techniques to detect and respond to anomalous events, which might include multiple failed logon attempts, or when someone tries to login to an inactive user account. As mentioned previously, some real-time auditing solutions are able to detect and respond to events that match a pre-defined threshold condition. Assuming you are aware of the conditions associated with password spraying attacks, you can specify the conditions and automate a response accordingly. This might include disabling a user account, stopping a specific process, changing the firewall settings, or shutting down the affected server.