A password spray attack is one in which an attacker tries a list of commonly used passwords against many different accounts, looking for matching account name and password combinations in order to obtain valid account credentials.
Trying one password against many accounts avoids the account lockout that usually occurs when a single account is brute-forced with many passwords.
Password spraying attacks typically target management services that run on commonly used ports. Commonly targeted services include the following:
- SSH (22/TCP)
- Telnet (23/TCP)
- FTP (21/TCP)
- NetBIOS / SMB / Samba (139/TCP & 445/TCP)
- LDAP (389/TCP)
- Kerberos (88/TCP)
- RDP / Terminal Services (3389/TCP)
- HTTP / HTTP Management Service (80/TCP & 443/TCP)
- MSSQL (1433/TCP)
- Oracle (1521/TCP)
- MySQL (3306/TCP)
- VNC (5900/TCP)
In addition to management services, “cloud-based applications that use single sign-on (SSO) or federated authentication protocols” and “externally facing email applications such as Office 365” can also be targeted.
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than attempts over SMB, which creates the Windows “logon failure” event ID 4625.
Example attack
APT28
APT28 used a brute-force/password-spray tool that worked in two modes. In password-spray mode, it made approximately four authentication attempts per hour against targeted accounts for days to weeks.
APT33
APT33 uses password spraying to gain access to target systems.
CrackMapExec
CrackMapExec can perform brute-force authentication using a provided list of usernames and a single password.
Lazarus Group
Lazarus Group malware attempts to connect to Windows shares for lateral movement using a list of usernames built from Administrator and other usernames combined with weak passwords.
Leafminer
Leafminer used a tool called Total SMB BruteForcer to perform an internal password spray.
Linux Rabbit
Linux Rabbit attempted to brute-force the SSH password to gain access and install malware on the server.
MailSniper
MailSniper can be used for password spraying against Exchange and Office 365.
Remedy
Account Usage Policy
Set a policy that locks an account after a certain number of failed login attempts so that its password cannot be guessed.
If this policy is too strict, every account touched by the brute-force attempts will be locked out, creating a denial-of-service condition that may render the environment unusable.
Multi-Factor Authentication
Use multi-factor authentication. Where possible, enable multi-factor authentication for externally facing services as well.
Detection
Monitor authentication logs for system and application login failures of valid accounts.
In particular, watch for a large number of authentication failures spread across many different accounts, which may be the result of password spraying attempts.
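Because a spray spreads only a few guesses over many accounts, each account's failure counter stays below the lockout threshold and a per-account alert never fires; the signal is instead one source failing against many distinct accounts in a short time. The following Python is an added example (not code from the original page) that applies that logic to constructed log lines modelled on the fields of Windows event ID 4625 (TargetUserName, IpAddress). The one-line-per-event format, the sample events, and the thresholds (eight accounts in one hour, at most four failures per account on average) are assumptions for illustration.

```python
"""Flag password-spray patterns in Windows logon-failure (event ID 4625) records.

Added example: the one-line-per-event format below is a constructed, simplified
rendering of the 4625 fields that matter here (TargetUserName, IpAddress); the
sample events and the thresholds are assumptions chosen for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)


def parse_event(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": m["id"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_spray(lines, window=timedelta(hours=1), min_accounts=8, max_avg_per_account=4.0):
    """Return {source_ip: summary} for sources whose 4625 failures look like a spray.

    A spray is many distinct target accounts from one source inside `window`,
    with few attempts per account (the attacker deliberately stays below the
    lockout threshold, so per-account counters alone do not fire).
    """
    by_source = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["event_id"] == "4625":
            by_source[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_source.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            per_account = Counter(e["user"] for e in span)
            accounts, attempts = len(per_account), len(span)
            if accounts >= min_accounts and attempts / accounts <= max_avg_per_account:
                best = alerts.get(src)
                # keep the widest window seen for this source
                if best is None or (accounts, attempts) > (best["accounts"], best["attempts"]):
                    alerts[src] = {
                        "accounts": accounts,
                        "attempts": attempts,
                        "first": span[0]["ts"],
                        "last": span[-1]["ts"],
                    }
    return alerts


def _line(ts, event_id, user, src):
    return f"{ts.isoformat()} EventID={event_id} TargetUserName={user} IpAddress={src}"


# Constructed sample: a legitimate user mistyping a password, one classic
# single-account brute force, and one spray of two passwords across twelve accounts.
_t0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_LINES = [
    _line(_t0 + timedelta(seconds=10), 4625, "alice", "10.0.0.5"),
    _line(_t0 + timedelta(seconds=25), 4625, "alice", "10.0.0.5"),
    _line(_t0 + timedelta(seconds=41), 4625, "alice", "10.0.0.5"),
    _line(_t0 + timedelta(seconds=60), 4624, "alice", "10.0.0.5"),  # successful logon, ignored
]
# brute force: eight failures against one account in a minute (lockout fires, but it is not a spray)
SAMPLE_LINES += [_line(_t0 + timedelta(minutes=2, seconds=7 * i), 4625, "bob", "198.51.100.9") for i in range(8)]
# spray: twelve accounts, two passwords each, 15 s apart; every account stays at two failures
_ACCOUNTS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy", "mallory", "niaj"]
_t = _t0 + timedelta(minutes=5)
for _round in range(2):
    for _user in _ACCOUNTS:
        SAMPLE_LINES.append(_line(_t, 4625, _user, "203.0.113.7"))
        _t += timedelta(seconds=15)

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LINES).items():
        print(f"possible password spray from {src}: {info['accounts']} accounts, "
              f"{info['attempts']} failures between {info['first']} and {info['last']}")
```

Run as a script, it reports only the 203.0.113.7 source: the mistyping user and the single-account brute force each touch one account and are left to the lockout policy, while the spray, which never exceeds two failures per account, is caught by the distinct-account count. In a real deployment the same grouping is usually keyed on the source address from the 4625 event and on the application's own failure records for LDAP, Kerberos and SSO services, since those are the paths least likely to produce a 4625 at all.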