A recent wave of large-scale password spray attacks has cybersecurity firms scrambling to warn their clients around the world.

These attacks exploit weak credentials to gain unauthorised access to critical systems, potentially causing significant financial and reputational damage.

Password spray attacks involve automated attempts to gain access to accounts using common passwords across a large number of usernames. Attackers often leverage compromised credential lists, readily available for purchase on the dark web, to fuel their attempts. These lists compile usernames and passwords stolen from previous data breaches.

The Challenge of Residential Proxies

Traditionally, security measures have relied on blocking suspicious IP addresses to prevent unauthorised access attempts. However, attackers are increasingly employing residential proxies to circumvent these defences.

Residential proxies route traffic through individual home internet connections, making login attempts appear to originate from legitimate users. This significantly hinders detection as blocking entire residential IP ranges would disrupt real users.

The Microsoft Incident

The recent compromise of Microsoft by the Midnight Blizzard group serves as a stark reminder of the dangers posed by password spraying attacks. Attackers gained a foothold by exploiting a low-level test account lacking multi-factor authentication (MFA).

While this account may have seemed insignificant initially, it possessed access rights to a powerful application within the Microsoft environment. This access ultimately granted attackers a path to sensitive data, highlighting the potential consequences of seemingly innocuous vulnerabilities.

Protecting Against Attacks

There are a number of crucial steps businesses can take to mitigate the risk of password spraying attacks. Those steps include:

• Implement robust multi-factor authentication (MFA):
  Move beyond traditional password-based authentication and deploy strong MFA solutions. Ideally, consider FIDO2 tokens, which offer superior security compared to SMS or email-based verification methods. FIDO2 tokens are hardware-based authenticators that are more resistant to social engineering and phishing attacks.
• Enforce the principle of least privilege:
  Grant users only the minimum level of access required to perform their designated tasks. This principle minimises the potential damage if an attacker compromises a user account. For instance, a customer service representative wouldn’t require the same level of access as a network administrator.
• Maintain account hygiene:
  Regularly review user accounts and remove dormant or orphaned accounts. Dormant accounts are prime targets for attackers as they are less likely to be monitored for suspicious activity.
• Enforce account lockouts:
  Implement policies that lock accounts after a certain number of failed login attempts. This thwarts attackers from persistently attempting to guess passwords using automated tools.
• Enforce strong password policies:
  Disallow weak passwords like birthdays, pet names, or dictionary words. Enforce password complexity requirements, mandating a minimum length and a combination of uppercase and lowercase letters, numbers, and symbols. Educate users about the dangers of password reuse and encourage them to create unique, strong passwords for each account they use. Consider password managers to help users generate and store complex passwords securely.

Additionally, default usernames and their credentials should be considered as password spray attacks will often focus on well-known or default credential combinations that have never been rotated.

• Implement network segmentation:
  Divide your network into smaller segments to limit the potential damage if an attacker gains access. Network segmentation restricts an attacker’s ability to move laterally within the network and access sensitive data.

• Educate users on cybersecurity best practices:
  Regularly train employees on cybersecurity best practices, including password hygiene, phishing awareness, and the importance of reporting suspicious activity. Employees are often the first line of defence against cyberattacks, and raising cybersecurity awareness can significantly reduce the risk of successful attacks.

Modern Security Solutions

Thankfully there are a number of security solutions on the market that tackle the issue of password spray attacks. When selecting a solution, make sure it has the following capabilities:

• Detect suspicious activity:
  The platform should continuously monitor for suspicious activity such as password spray attempts followed by successful logins, privileged accounts using proxies or TOR exit nodes, changes to critical identity infrastructure, and unusual privilege grants to new accounts.
• Identify behavioural anomalies:
  The best platforms will utilise machine learning algorithms to identify anomalies in user behaviour that may indicate a compromise attempt. For instance, the platform can detect situations where a previously dormant account suddenly experiences a surge in login attempts.
• Prioritise and mitigate risks:
  The platform should also prioritise identified risks based on their potential severity, allowing security teams to focus their efforts on the most critical threats. Additionally, it should provide actionable recommendations to address vulnerabilities and mitigate risks.

Password spray attacks are a growing threat, and businesses must adopt a multi-layered approach to secure their data. Implementing robust security measures, enforcing strong password policies, and educating users about cybersecurity best practices are crucial steps in the right direction.