Penetration testers, or ethical hackers, use the same tactics, techniques, and procedures (TTPs) as cyber attackers, but on behalf of an organization, to identify vulnerabilities to be remediated before the bad guy gets to them. A password spray attack is a common way our pen testers infiltrate networks; so much so that we feel it's important to call attention to this technique.
In this Q&A session, Avertium's Michael Berardi answers questions about password spraying and what can be done to protect against this type of cyberattack.
Michael Berardi: A password spray attack is a method where a bad actor tries to gain account access by presenting one password - usually commonly used ones - against a large number of usernames. Spreading these attempts allows the attack to stay below the threshold that would trigger a security alert.
Password spraying is different from a typical brute force or dictionary attack. With those, an attacker presents a large number of passwords to one username in rapid succession.
An example of a password used in a spray attack is “Spring2020!”. This password meets most complexity requirements, is easy enough to remember, and is easily rotated by replacing the season every 90 days. The larger the organization, the more likely it is that someone would use this password.
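The pattern Michael describes (one password, many usernames, each account kept under the lockout threshold) has a recognizable shape in authentication logs. The following is an added example, not part of the original Q&A: a small Python detector run over constructed log lines in a simplified "timestamp source username result" form. The thresholds and the log format are assumptions for the demonstration, not values from any product; it flags a source that fails against many distinct accounts inside a window while never reaching the per-account lockout, and then lists accounts that nevertheless logged in from that source.

```python
"""Detect a password spray in authentication logs (added example).

Assumptions: log lines are constructed below in a simple
"timestamp source_ip username result" form, and the thresholds are
illustrative rather than tuned for any particular product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 tries one password against many users
# (one failure each), which stays under a per-account lockout of 5.
# 198.51.100.9 hammers a single account: the brute-force shape, not a spray.
# 192.0.2.44 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2020-03-02T08:00:01 203.0.113.7 alice FAIL
2020-03-02T08:00:03 203.0.113.7 bob FAIL
2020-03-02T08:00:05 203.0.113.7 carol FAIL
2020-03-02T08:00:07 203.0.113.7 dave FAIL
2020-03-02T08:00:09 203.0.113.7 erin FAIL
2020-03-02T08:00:11 203.0.113.7 frank FAIL
2020-03-02T08:00:13 203.0.113.7 grace FAIL
2020-03-02T08:00:15 203.0.113.7 heidi SUCCESS
2020-03-02T08:01:00 198.51.100.9 alice FAIL
2020-03-02T08:01:01 198.51.100.9 alice FAIL
2020-03-02T08:01:02 198.51.100.9 alice FAIL
2020-03-02T08:01:03 198.51.100.9 alice FAIL
2020-03-02T08:01:04 198.51.100.9 alice FAIL
2020-03-02T08:01:05 198.51.100.9 alice FAIL
2020-03-02T08:30:00 192.0.2.44 ivan FAIL
2020-03-02T08:30:30 192.0.2.44 ivan SUCCESS
"""


def parse(log_text):
    """Turn the constructed log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_sprays(events, window=timedelta(minutes=30), min_users=5, lockout=5):
    """Return {source_ip: sorted usernames} for sources that failed against at
    least `min_users` distinct accounts inside `window` while keeping every
    account below `lockout` failures, the shape a spray takes to stay under
    per-account alerting."""
    per_source = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            per_source[ip].append((ts, user))

    findings = {}
    for ip, fails in per_source.items():
        fails.sort()
        # Slide a window starting at each failure and count per-user failures.
        for i, (start, _) in enumerate(fails):
            counts = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) < lockout:
                findings[ip] = sorted(counts)
                break
    return findings


def compromised_after_spray(events, sprays):
    """Accounts that logged in successfully from a spraying source: the
    highest-priority follow-up for incident response."""
    return sorted({user for _, ip, user, r in events
                   if r == "SUCCESS" and ip in sprays})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    sprays = find_sprays(ev)
    print("spray sources:", sprays)
    print("successful logins from spraying sources:",
          compromised_after_spray(ev, sprays))
```

The key design point is that the detector counts distinct usernames per source rather than failures per account, which is exactly the dimension a per-account lockout policy does not see. In a real environment the same logic would be keyed on whatever the identity provider logs as the client (source IP, ASN, or device fingerprint) and the window and thresholds tuned to the organization's baseline.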
Michael Berardi: If a password spray is successful and multi-factor authentication is implemented, then a user may be prompted to enter a code or request a push. This is difficult to bypass outside of a hopeful push request, but second-factor “token” vendors such as Okta often provide the geographic location when a push request is presented.
Ideally, the request for an additional authentication factor is made whether the entered password is correct or not. However, if that factor is only requested when the entered password is correct, the attacker has, by default, learned the password. Some call this form of authentication multi-step.
If an organization is using the texting services of a telecommunication carrier, i.e. SMS, it’s not that difficult to “clone” the target’s phone by SIM swapping. If the targeted account belongs to someone with elevated privileges or with access to valuable or critical assets, the effort to perform that cloning may be rewarded.
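The distinction Michael draws between "multi-step" and multi-factor authentication is easy to see in code. The following is an added example, not code from the original Q&A or from any vendor: two login flows in Python against a constructed single-user store. The weak flow only prompts for the second factor once the password has verified, so merely being asked for a code confirms a sprayed password; the hardened flow always asks, evaluates both factors, and returns one uniform answer. The TOTP arithmetic follows RFC 6238, and the `Prompt` class is a constructed stand-in for the user-facing code request.

```python
"""Multi-step versus multi-factor login (added example).

Assumptions: a constructed in-memory user store with a PBKDF2 password hash
and a TOTP seed, and a Prompt object standing in for the second-factor
request so the flows can be observed offline.
"""
import hashlib
import hmac
import struct
import time

# Constructed single-user store; the salt and seed are demo values only.
_SALT = b"example-salt"
_TOTP_SECRET = b"0123456789abcdef0123"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Spring2020!", _SALT, 100_000),
        "totp_secret": _TOTP_SECRET,
    }
}


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = int((for_time if for_time is not None else time.time()) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Prompt:
    """Stand-in for the second-factor prompt. It records whether the user was
    asked at all, which is the observable that leaks password validity."""

    def __init__(self, code):
        self.code, self.asked = code, 0

    def __call__(self):
        self.asked += 1
        return self.code


def _password_ok(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, rec["pw_hash"])


def _code_ok(user, code, now):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(code, totp(rec["totp_secret"], now))


def login_multistep(user, password, ask_for_code, now=None):
    """Weak flow: the second factor is requested only after the password
    checks out, so receiving the prompt confirms a guessed password."""
    if not _password_ok(user, password):
        return "denied"
    code = ask_for_code()  # the caller now knows the password was correct
    return "ok" if _code_ok(user, code, now) else "denied"


def login_multifactor(user, password, ask_for_code, now=None):
    """Hardened flow: always collect the second factor, evaluate both, and
    return one uniform answer, so a wrong password and a wrong code look
    the same to the caller."""
    code = ask_for_code()
    pw = _password_ok(user, password)
    mfa = _code_ok(user, code, now)
    return "ok" if (pw and mfa) else "denied"


if __name__ == "__main__":
    now = time.time()
    wrong = Prompt("000000")
    print("multistep, wrong password:", login_multistep("alice", "nope", wrong, now),
          "| prompted:", wrong.asked)
    wrong = Prompt("000000")
    print("multifactor, wrong password:", login_multifactor("alice", "nope", wrong, now),
          "| prompted:", wrong.asked)
    right = Prompt(totp(_TOTP_SECRET, now))
    print("multifactor, both correct:", login_multifactor("alice", "Spring2020!", right, now))
```

Note that the hardened flow still evaluates the password before deciding, so it costs nothing in security; what changes is that the prompt is no longer a signal. A push-based second factor should be treated the same way: the push itself should not be conditional on the password having matched.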
Michael Berardi: If a user has a common password, it raises the likelihood that the user may be reusing the same password on other types of accounts such as email. Or if a single sign-on (SSO) is utilized, then that password can be “stuffed” or reused in other systems that might not have multi-factor in place. Open-source intelligence (OSINT) can help discover additional or third-party systems where SSO is utilized.
The possibility of multifactor authentication either not being in place on a system or configured for all users could lead to the exposure of sensitive data or be the first step in compromising a system.
Michael Berardi: Disgruntled insiders and the rogue devices placed on your network are still a potential risk. Industry leaders have blogged about external attacks against Exchange OWA portals with password spraying attacks. Unfortunately, the same attack can be performed against an Exchange server on the internal network. Other systems that utilize LDAP, SSO, and the like may still be a target.
Michael Berardi: Not necessarily. Email addresses can provide a template for the name of the domain and usernames. Getting access to a company directory allows the attacker to build a set of probable usernames.
There are lots of articles on how to enumerate usernames through open-source intelligence. For example, a successful attack through a combination of vulnerabilities may lead to the exfiltration of usernames.
Michael Berardi is an Avertium security analyst. As a member of the security assessments team, Michael performs penetration tests to help customers identify cybersecurity vulnerabilities. Michael has more than ten years of experience in the technical field and focuses on providing Avertium customers with clear and concise information to help them show no weakness.