LastPass Labs

Password Spraying Attacks: An Ongoing Threat 

Mike Kosak, February 01, 2024

On January 19th, Microsoft released a blog post acknowledging a successful cyberattack by a Russian nation-state threat actor that used password spraying as the initial attack vector. While relatively simple, password spraying attacks can be highly effective and are used by threat actors ranging from unskilled cybercriminals to advanced nation-state groups. The recent attention on password spraying makes now a good time to look at what these attacks are, where the attackers get the usernames and passwords they use, and how best to mitigate them.

At their core, password spraying attacks are a subset of brute force attacks. However, while most people associate brute force attacks with trying numerous passwords against a single account in an attempt to force their way in (a “many-to-one” approach), password spraying attacks use one password against a series of accounts (a “one-to-many” approach). That’s not to say that a password spraying attack will only ever use one password; it may cycle through a series of passwords across many accounts over time. But threat actors conducting password spraying attacks are often seeking to avoid rate limiting controls (the number of times you can attempt to log in to an account within a certain time period before being locked out and/or setting off alerts), so they will limit their tries against each account before moving on. The goal here is to gain access to a system using legitimate credentials.

In order to conduct password spraying attacks, a threat actor needs two things: 1) a valid username and 2) a valid password. Usernames can be sourced from previously exposed data or by conducting reconnaissance against the targeted organization on social media to identify existing employees and, if possible, the format of the victim organization’s email addresses.

The passwords used in password spraying attacks are often pulled from previous breaches that have either been released publicly or bought directly from an initial access broker or other cybercriminal. The threat actor will then compile these and use them to identify the most commonly used passwords, which provide a starting point for the password spraying. Often using a bot, the threat actor will then work down the list of passwords, attempting a single password against multiple accounts over a period of time until they are blocked, give up, or gain access to the victim’s network. If they gain access to the victim’s network and multi-factor authentication (MFA) isn’t in place, they are off to the races.

Now let’s take a look at how to protect yourself. Of course, since many of the passwords used in these attacks were previously exposed or are common passwords, using a complex and unique password for every account is critical. As noted above, MFA provides another layer of defense in the event a threat actor is able to successfully match a legitimate username and password. Organizations can also defensively monitor for password spraying attempts by looking for login failures on multiple accounts from the same IP address within a set timeframe. As we’ve seen, the use of these password spraying attacks by cybercriminals, nation-states, and virtually every other type of threat actor out there underscores the importance of taking steps to protect yourself and/or your organization from this tactic.
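As an added example (not code from the post or from LastPass), here is a minimal Python detector for the monitoring rule just described: it flags a source IP whose failed logins hit many distinct accounts inside a time window, while a single account failing repeatedly from one IP (classic brute force) is left to the account lockout policy. The log format, field order and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: timestamp, source IP, account, result.
# 203.0.113.7 tries five accounts in 20 seconds (spray pattern);
# 198.51.100.2 hammers one account (brute force, not a spray).
SAMPLE_LOG = """\
2024-02-01T09:00:01Z 203.0.113.7 alice FAIL
2024-02-01T09:00:03Z 203.0.113.7 bob FAIL
2024-02-01T09:00:05Z 203.0.113.7 carol FAIL
2024-02-01T09:00:08Z 203.0.113.7 dave FAIL
2024-02-01T09:00:09Z 198.51.100.2 alice FAIL
2024-02-01T09:00:12Z 198.51.100.2 alice FAIL
2024-02-01T09:00:15Z 198.51.100.2 alice FAIL
2024-02-01T09:00:20Z 203.0.113.7 erin FAIL
2024-02-01T09:00:25Z 192.0.2.9 frank OK
2024-02-01T09:30:00Z 203.0.113.7 grace FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: accounts} for every IP whose failed logins touch at least
    `min_accounts` distinct accounts within some span of length `window`."""
    failures = defaultdict(list)  # ip -> [(timestamp, account)]
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    alerts = {}
    for ip, events in failures.items():
        events.sort()  # sliding window needs chronological order
        start = 0
        for end, (ts, _) in enumerate(events):
            # Drop events that fell out of the window ending at `ts`.
            while ts - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = users
                break
    return alerts
```

The distinct-account count is what separates a spray from ordinary brute force or a user mistyping their own password, so tune `window` and `min_accounts` against your real login volume.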