Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is a Password Spraying Attack and How to Stop it?

Password Spraying

In simple terms, a password spraying attack is where the attacker tries to “spray” commonly used passwords across an entire organization over a long period of time, in the hope that they can gain access to an account.

Despite the fact that 81% of hacking-related breaches are password-related, many companies still overlook the importance of strong password security. There are many ways that cyber-criminals are able to exploit weak or stolen credentials. The most common approach is simply brute-force guessing of passwords, which involves trying as many different password combinations as possible in order to gain access to a single account or device.

What is Password Spraying?

Password spraying is a common technique in which hackers attempt to use a single password to access multiple user accounts, staying below account lockout thresholds. By testing multiple user accounts with a single password, hackers can quickly identify and gain access to vulnerable accounts. The passwords most often found in compromised accounts are simple and obvious, such as single words or number combinations. Password spraying attacks are often launched against cloud-based applications and against organizations that use federated authentication, both of which are particularly exposed to this type of attack.
Hackers may also use password spraying as part of targeted attacks against specific organizations, using compromised accounts to gain access to additional email lists and ultimately exploit more user accounts. The use of automated tools makes it easy for hackers to conduct large-scale password spraying attacks, and the consequences of a successful attack can be severe, including data breaches and unauthorized access to sensitive information.

Common Signs of a Password Spraying Attack

A password-spraying attack can be identified by a series of suspicious login activity patterns:

  • One warning sign is an unusually high volume of login attempts within a short period of time, indicating a potential attacker is trying to breach your system.
  • Another indicator is unusual login attempts from previously inactive or even nonexistent accounts, which suggests an attacker is trying to gain access to a larger range of users.
  • Additionally, a sharp spike in the number of failed login attempts from active users may also be a sign of a password-spraying attack, as the attacker is trying to guess the passwords of valid users.

How do Password Spraying Attacks Differ from Other Password Attacks?

Rather than targeting specific accounts and devices, a password spraying attack targets as many different accounts as possible, and does so in a slow and controlled manner. Many IT systems have only basic protection in place, such as locking an account after a number of failed logon attempts. By attempting to log in to multiple accounts slowly and continuously, the attacker is less likely to trigger a lockout on any one account. As with other password attack vectors, once the attacker has gained access to an account, they will use that access for reconnaissance in order to move laterally throughout the network.

Why Password Spraying Is Considered a Brute Force Attack

Password spraying is considered a type of brute force attack because, even though it is using a single password, it is still trying to gain access to multiple accounts by attempting to log in to each account with the same password.

In a traditional brute force attack, the attacker tries to guess a password by attempting a series of different passwords. With password spraying, the attacker is using a single password, but it is trying to gain access to multiple accounts with that password.

The term “brute force” refers to the fact that the attacker is using a brute force approach, in which they are trying a large number of different combinations of passwords (or in this case, a single password) in an attempt to gain access to the account. This is in contrast to a more targeted approach, in which the attacker would use more specific information about the account or the user to attempt to gain access.

It is worth noting that password spraying is often more successful than traditional brute force attacks, because it is likely that at least one account across the organization uses the sprayed password. Additionally, password spraying is often more difficult to detect than traditional brute force attacks, because the failed attempts are spread thinly across many accounts rather than concentrated on one, so it is not obvious that the attacker is using the same password everywhere.

How Password Spraying Affects Business

A password spraying attack can occur at multiple levels of a business, compromising both customer accounts and new employee business accounts. If successful, this attack can lead to a range of severe consequences, including the use of stolen customer information for credential stuffing across other websites, the infiltration of a new employee’s business account, and the elevation of privileges to access sensitive and confidential business information.

The Anatomy of a Password Spraying Attack

There are typically three steps that attackers take in order to execute a password spraying attack successfully:

1. Obtaining a list of usernames

Attackers will first try to obtain a list of usernames through various means. Companies often use a formalized convention for usernames, which is usually the users’ email addresses. For example, a commonly used email format is: firstname.lastname@company.com. Attackers can often find this information by looking for clues on the company’s website, or by browsing social media websites, such as LinkedIn. In some cases, attackers are able to purchase a list of usernames from the dark web. Attackers will typically use software that can verify the accuracy of the usernames before carrying out an attack.

2. Spraying Passwords

Once they have a list of usernames, they will obtain a list of the most commonly used passwords and begin spraying. They may also customize the list according to certain factors, such as the geographical region where the users are based, which may take into account regional dialects, popular regional sports teams/players, and so on. In order to avoid triggering any alarms, the attackers will typically wait at least 30 minutes before trying again.

3. Reconnaissance

Assuming the spraying attack was successful and the attacker now has access to one or more accounts, they will begin investigating the type of access they have, which includes which systems, data, and applications they have access to. They will also try to use their access to elevate their privileges, which typically involves exploiting software vulnerabilities, misconfigurations, or identifying any weak access controls. Given that they now have legitimate access to the network, including their “own” email account, they may also try to elevate their privileges by emailing colleagues with privileged accounts and trying to trick them into handing over their credentials. Basically, any additional information they can obtain about the network will give them a better chance of achieving their goal.

How to Prevent Password Spraying Attacks

Configure password security settings

Whichever platform you are using, make sure that you have carefully reviewed and configured any password security setting available. For example, if you are using Microsoft Azure, and you are using a cloud-only environment, you can take advantage of Azure AD Password Protection, free of charge. Azure AD Password Protection will detect and block known weak passwords, and can also block terms that are specific to your organization. Azure AD Password Protection can also work with on-premises and hybrid environments, although a license will be required in that scenario.

Carry out simulated attacks

Either carry out a simulated password spraying attack using attack simulation software or employ a third party to do it for you. This will give you a better insight into your password security posture. When testing a list of passwords, take into account any regional or industry-specific terms that your employees might use for their passwords.

Enable multi-factor authentication (MFA)

It is always a good idea to enable multi-factor authentication to ensure that a password alone is not enough to gain access to an account. If you want to be extra secure, consider implementing technology that allows for biometric or voice-activated authentication.

Use a real-time auditing solution

A real-time auditing solution will use machine learning techniques to detect and respond to anomalous events, which might include multiple failed logon attempts, or someone trying to log in to an inactive user account. Some real-time auditing solutions are also able to detect and respond to events that match a pre-defined threshold condition. If you know the conditions associated with password spraying attacks, you can specify those conditions and automate a response accordingly. This might include disabling a user account, stopping a specific process, changing the firewall settings, or shutting down the affected server.
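As an added illustration of the warning signs listed earlier and of the threshold conditions described here (example code written for this article, not part of the Lepide platform), the following Python script runs a spraying check over a constructed authentication log. The log format, field names and source addresses are assumptions; the rule it applies is the one the signs describe: many distinct accounts failing from one source inside a time window, with too few attempts per account to trip a lockout, plus any nonexistent accounts and any later successful login from the same source.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the post): one source tries a
# single password against several accounts, one nonexistent, then logs in as erin.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL reason=bad_password
2024-03-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL reason=bad_password
2024-03-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL reason=bad_password
2024-03-01T10:00:04Z src=203.0.113.5 user=zed result=FAIL reason=no_such_user
2024-03-01T10:00:05Z src=203.0.113.5 user=erin result=OK
2024-03-01T10:05:00Z src=198.51.100.9 user=frank result=FAIL reason=bad_password
2024-03-01T10:05:30Z src=198.51.100.9 user=frank result=FAIL reason=bad_password
2024-03-01T10:06:00Z src=198.51.100.9 user=frank result=OK
"""

# Assumed line layout: timestamp, source address, account, outcome, optional reason.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+)"
                     r" result=(?P<result>\S+)(?: reason=(?P<reason>\S+))?$")

def parse(log):
    # Yield one dict per well-formed line, with the timestamp as a datetime.
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield e

def detect_spray(log, window=timedelta(hours=1), min_users=4, max_per_user=2):
    """Flag sources whose failures spread over many accounts with few tries each."""
    by_src = defaultdict(list)
    for e in sorted(parse(log), key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        best, j = None, 0
        for i in range(len(fails)):
            while fails[i]["ts"] - fails[j]["ts"] > window:
                j += 1  # slide the window: drop failures older than `window`
            per_user = Counter(e["user"] for e in fails[j:i + 1])
            spread = len(per_user) >= min_users and max(per_user.values()) <= max_per_user
            if spread and (best is None or len(per_user) > best[0]):
                best = (len(per_user), j, i)  # keep the widest matching window
        if best:
            span = fails[best[1]:best[2] + 1]
            findings.append({
                "src": src, "users_tried": best[0],
                "nonexistent": sorted({e["user"] for e in span if e["reason"] == "no_such_user"}),
                "later_success": sorted({e["user"] for e in evs if e["result"] == "OK" and e["ts"] >= span[0]["ts"]}),
            })
    return findings
```

A per-account lockout counter never fires on this sample (no account fails more than twice), which is exactly why the check is keyed on the source and the number of distinct accounts rather than on any single user.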

How to Respond to a Password Spraying Attack

Assuming you have one, you will need to execute your incident response plan as soon as you have detected a password spraying attack. At the very least, your incident response plan should prompt you to take the following actions:

Change passwords

The obvious first step would be to inform all employees about the attack and ask them to change their passwords. Some argue that it is good practice to adopt a solution that can periodically and automatically remind users to reset their passwords. If you are unable to enforce the use of strong passwords, you should at least strongly encourage your employees to adhere to certain guidelines about how to create a sufficiently complex password. Alternatively, you can provide them with a password generation tool.

Update/patch all software

As mentioned previously, attackers will often try to exploit software vulnerabilities in order to elevate their privileges. As such, you must ensure that all software updates and patches are installed as soon as they become available.

Review event logs

It would be a good idea to carry out a detailed forensic investigation into the incident to ensure that you know exactly what happened, how it happened, and when. You can use the information gathered from your investigation to improve your incident response plan. If you are using a real-time auditing solution, you will be able to easily obtain this information by reviewing the event logs via an intuitive interface. Otherwise, you will need to manually review the event logs, which will be a slow and painful process. It’s worth noting that some real-time auditing solutions are able to automatically detect and respond to events that match a pre-defined threshold condition, and some may have built-in settings to help identify password spraying attacks.

If you’d like to see how the Lepide Data Security Platform can help you detect the signs of a password spraying attack, schedule a demo with one of our engineers or start your free trial today.