Attackers wield password-spray attacks to zero in on targets, research finds

The highly effective brute-force attack method requires little effort, Trellix said. Organizations with weak password policies or no MFA are especially at risk.


Dive Brief:

  • Password-spray attacks yielded prolific results for attackers across multiple sectors in North America and Europe during Q2 and Q3, the Trellix Advanced Research Center said in a Wednesday research report.
  • The attack surface for password-spray attacks is vast, Trellix found. Attackers commonly target cloud-based systems, including Microsoft 365, Okta, Google Workspace, VPNs, Windows Remote Desktop, AWS, Google Cloud Platform and Microsoft Azure.
  • Attackers most frequently targeted password-spray attacks at education, energy and transportation organizations during the six-month period, the report found.

Dive Insight:

Password-spray attacks aren’t just a low-lift, effective brute-force attack method for threat groups, Trellix researchers said. This mode of attack is also difficult to detect and attribute to threat groups, because the attacks are often run continuously in the background, at scale, across broadly distributed botnets.

This low risk of detection and high return on investment gives attackers an advantage, especially when they target organizations with weak password policies or systems without multifactor authentication.

The Russia-linked threat group Midnight Blizzard gained a foothold in Microsoft’s senior executives’ email accounts last year after it compromised a legacy, non-production test tenant account through a password-spray attack.

Midnight Blizzard used that access to steal Microsoft executive emails and other documents. The password-spray attack began in late November and Microsoft didn’t discover the attack until Jan. 12.

Threat groups can target organizations with password-spray attacks after obtaining usernames or inferring username naming patterns and correlating that data against a list of employees, Trellix researchers said in the report.

With those account IDs, attackers can use multiple “proxy or VPN nodes to continuously try a large list of passwords against each account over a long period of time,” the report said.
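The two mechanics described above, a large list of accounts each tried only a few times, from multiple proxy or VPN nodes over a long period, are also what a defender can key on. The following is an added example, not code from the article or from Trellix: a small Python detector that buckets failed sign-ins into fixed time windows and flags a window when many distinct accounts fail a few times each from more than one source, while separately flagging the single-account brute force that per-account lockout already handles. The log line format, thresholds, IP addresses and usernames are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not from the article or Trellix).
# Format: timestamp username source_ip outcome
# 02:00-02:01  ten accounts, one failure each, from four addresses  -> spray
# 03:40        one account hammered six times from one address     -> brute force
# 09:15        a user mistypes once, then signs in                  -> benign
SAMPLE_LOG = """\
2024-06-01T02:00:01Z alice 198.51.100.10 FAIL
2024-06-01T02:00:07Z bob   198.51.100.10 FAIL
2024-06-01T02:00:13Z carol 198.51.100.11 FAIL
2024-06-01T02:00:19Z dave  198.51.100.11 FAIL
2024-06-01T02:00:25Z erin  203.0.113.5   FAIL
2024-06-01T02:00:31Z frank 203.0.113.5   FAIL
2024-06-01T02:00:37Z grace 203.0.113.6   FAIL
2024-06-01T02:00:43Z heidi 203.0.113.6   FAIL
2024-06-01T02:00:49Z ivan  198.51.100.10 FAIL
2024-06-01T02:00:55Z judy  203.0.113.5   FAIL
2024-06-01T03:40:00Z admin 192.0.2.77    FAIL
2024-06-01T03:40:02Z admin 192.0.2.77    FAIL
2024-06-01T03:40:04Z admin 192.0.2.77    FAIL
2024-06-01T03:40:06Z admin 192.0.2.77    FAIL
2024-06-01T03:40:08Z admin 192.0.2.77    FAIL
2024-06-01T03:40:10Z admin 192.0.2.77    FAIL
2024-06-01T09:15:00Z alice 10.0.0.8      FAIL
2024-06-01T09:15:20Z alice 10.0.0.8      SUCCESS
"""


def parse_events(text):
    """Parse the constructed 'ts user src_ip outcome' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "ip": ip,
            "ok": outcome == "SUCCESS",
        })
    return events


def detect(events, window=timedelta(minutes=15), min_users=8, max_per_user=2,
           min_sources=2, brute_threshold=5):
    """Bucket failed sign-ins into fixed windows and classify each bucket.

    password_spray: at least min_users distinct accounts failed, no account failed
                    more than max_per_user times (so per-account lockout never fires),
                    and the failures came from at least min_sources addresses.
    brute_force:    a single account failed brute_threshold or more times.
    Thresholds are assumed starting points and need tuning per environment.
    """
    buckets = defaultdict(list)
    span = int(window.total_seconds())
    for e in events:
        if e["ok"]:
            continue
        epoch = int(e["ts"].timestamp())
        buckets[epoch - epoch % span].append(e)

    alerts = []
    for start in sorted(buckets):
        fails = buckets[start]
        per_user = Counter(e["user"] for e in fails)
        sources = {e["ip"] for e in fails}
        when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
        if (len(per_user) >= min_users
                and max(per_user.values()) <= max_per_user
                and len(sources) >= min_sources):
            alerts.append({"kind": "password_spray", "window": when,
                           "accounts": len(per_user), "sources": sorted(sources)})
        for user, n in per_user.items():
            if n >= brute_threshold:
                alerts.append({"kind": "brute_force", "window": when,
                               "account": user, "attempts": n})
    return alerts


def analyze_sample():
    """Run the detector over the constructed log; returns two alerts."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

The spray window trips no per-account counter, since every account fails once, which is why the signal has to be computed across accounts and sources rather than per account. For a campaign that is spread thinly over days from a large botnet, the same counts are worth re-running over longer windows (hourly or daily) on identity-provider sign-in logs, and the source set in each alert is what an analyst would pivot on to separate proxy exit nodes from legitimate office or VPN addresses.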

MFA is routinely cited as a prevention measure against identity-based attacks. Yet, Trellix said it expects attackers to continue bypassing MFA with social engineering.

“We will likely see more automated, AI-driven/assisted methods making password-spray attacks more efficient, evasive and adaptive,” the report said.
