Both Okta and Cisco have reported an unprecedented global increase in the number of credential stuffing and brute-force attacks since March and have advised organizations to take defensive action.
This surge of password spray attacks is originating from a range of proxies, including Tor exit nodes and residential proxy networks. Many off-the-shelf password spray and credential stuffing tools accept large lists of compromised credentials (sold as “combo lists”) and launch their attempts automatically through residential proxy networks or Tor. Password spraying tries a small set of common passwords against many accounts, while credential stuffing replays leaked username/password pairs, but both rely on the same proxy infrastructure to rotate through different source IP addresses every few requests and stay under per-IP rate limits.
Because the requests come from residential ISPs and the source addresses change constantly, they are difficult to block: blocking entire residential IP ranges would also prevent real users from authenticating. The tools can also rotate through a list of real browser user agents, so the requests blend in with legitimate traffic.
Read on for more context on this latest wave of identity-based attacks and the best security strategies to defend against them.
What are residential proxies and why do they pose so much risk?
Residential proxies are pools of devices, sold as a paid service, that route traffic out through residential or mobile connections, making it almost impossible to distinguish from that of real users. Some services let the customer choose the exit geolocation down to city level, and even the ISP, which lets an attacker circumvent geolocation controls and avoid tripping impossible travel detections.
Residential proxy networks often don’t disclose how they assemble the pool of residential IP addresses that traffic can be proxied through. However, previous research by BeyondTrust has found that these networks can include malware-infested devices on home networks, illegally co-opted with access sold on the dark web. They can also be built by seemingly legitimate companies that provide SDKs to developers to monetize “free” apps and software, paying revenue in exchange for using the end user’s device as a proxy exit. The latter is an important reminder to read the small print on free apps and free VPN services before installing them.
How privilege amplifies the password spray problem
While password spraying attacks are not new, the increased complexity of modern hybrid IT systems means it is not easy to see which associated privilege escalation pathways an identity has when it is under attack. This opens up the enterprise to substantial risk.
The recent Midnight Blizzard breach of Microsoft provides a good example of this. During the attacks on Microsoft, a non-production test tenant account was compromised via password spraying. Presumably, this account wasn’t considered “privileged” or representing significant risk because it was in a test tenant, and it also did not have multifactor authentication (MFA) enabled.
However, there was an unprotected privilege escalation pathway from the compromised test account right through to the inboxes in the corporate environment because:
The compromised account had ownership of a legacy OAuth test application, and
That application had elevated access to the Microsoft corporate environment.
Similarly, you might encounter a password spray attack against an account in Okta. Even if the user isn’t an Okta Super Admin, the compromise could provide access to a variety of systems, roles, and privileges reachable through that user’s identity and SSO assignments. This is why it is vital to understand all the paths to elevated access, not just the accounts labelled as privileged.
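To make the idea of an escalation pathway concrete, here is a small added example (not BeyondTrust code, and not how Identity Security Insights models its graph) that represents accounts, application ownership, group membership, roles and resources as a directed graph and enumerates every path from an account to a privileged resource. The node names, edge types and sample graph are constructed for illustration; the first chain mirrors the Midnight Blizzard pattern described above, where a test account that is not itself privileged owns an application that is.

```python
"""Enumerate privilege escalation paths in a small identity graph.

Added example: not BeyondTrust code and not the Identity Security Insights
data model. Node names, edge types and the sample graph are constructed.
"""
from collections import deque

# Directed edges (source, relation, target). Constructed sample data; the
# first chain mirrors the pattern described above: a non-privileged test
# account owns a legacy OAuth app that holds an elevated role in the
# corporate tenant, which in turn grants access to mailboxes.
EDGES = [
    ("user:test-tenant-svc", "owns_app", "app:legacy-oauth-test"),
    ("app:legacy-oauth-test", "has_role", "role:full_access_as_app"),
    ("role:full_access_as_app", "grants", "resource:corp-mailboxes"),
    ("user:alice", "member_of", "group:helpdesk"),
    ("group:helpdesk", "has_role", "role:password-reset"),
    ("role:password-reset", "grants", "resource:user-passwords"),
    ("user:bob", "member_of", "group:readers"),
    ("group:readers", "grants", "resource:public-wiki"),
]

# Resources whose reachability makes an account "effectively privileged".
PRIVILEGED = {"resource:corp-mailboxes", "resource:user-passwords"}


def build_graph(edges):
    """Adjacency list: node -> [(relation, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def escalation_paths(graph, start, targets, max_hops=6):
    """Breadth-first search from `start`; returns every simple path that
    ends on a node in `targets`, as [node, relation, node, relation, ...]."""
    paths = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in targets and node != start:
            paths.append(path)
            continue  # don't search beyond a privileged node
        if (len(path) - 1) // 2 >= max_hops:
            continue
        for rel, nxt in graph.get(node, []):
            # Skip cycles (e.g. nested group membership loops). Node names
            # carry a "kind:" prefix so they never collide with relation names.
            if nxt in path:
                continue
            queue.append(path + [rel, nxt])
    return paths


def exposed_accounts(graph, accounts, targets):
    """Map each account to the sorted privileged resources it can reach."""
    return {
        acct: sorted({p[-1] for p in escalation_paths(graph, acct, targets)})
        for acct in accounts
    }


def render(path):
    """Human-readable form: user:x -[owns_app]-> app:y -[has_role]-> ..."""
    return " ".join(f"-[{x}]->" if i % 2 else x for i, x in enumerate(path))


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for acct in ("user:test-tenant-svc", "user:alice", "user:bob"):
        for p in escalation_paths(graph, acct, PRIVILEGED):
            print(render(p))
```

Run stand-alone it prints one path for the test account (through the OAuth app) and one for alice (through group membership), and nothing for bob. The useful output in practice is `exposed_accounts`: any account that reaches a privileged resource through any chain deserves the same MFA and monitoring as the admin accounts you already know about.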
How to prevent identity & account compromise
While use of residential proxies makes it harder to stop password spray attacks, here are some key steps that can help prevent the attackers from succeeding:
Use strong MFA – Ideally phishing-resistant factors such as FIDO2 security keys or passkeys, which are far harder to spoof, compromise, or socially engineer than SMS codes or push approvals.
Focus on privilege – Least privilege is a highly effective strategy to not only reduce the chances of compromise in the first place, but also to minimize the impact of an account’s compromise. Think about how you control access to privileges and privileged accounts, as well as how you can reduce unnecessary privileges.
Beware of sleeper agents – A number of threat actors have been highly successful targeting dormant or abandoned accounts. Some adversaries even exploit MFA self-enrolment workflows to set up attacker-controlled MFA after a successful password spray. Ensuring you have good hygiene around identities and removing unused or orphaned accounts is key in maintaining a strong identity security posture.
Account lockout – Enforce per-user lockout (or a smart lockout that tolerates a user’s familiar locations) so that sustained guessing against one account from many IP addresses is throttled. Be aware that a low-and-slow spray that tries one password per account per hour stays under most lockout thresholds, and that aggressive lockouts can be turned into a denial of service against your own users, so lockout complements detection across accounts rather than replacing it.
Password policy – Don’t make it easy for the attackers. Block the use of common passwords and enforce long and strong passwords where possible. Threat actors will make use of online credential breaches, so educate users not to reuse passwords they have used for other websites, devices, tools, or applications.
Protect your identities with Identity Security Insights®
Since its launch last year, BeyondTrust’s groundbreaking Identity Security Insights® product has helped our customers boost their Identity Security posture and neutralize a range of threats—including multiple password spray attempts against accounts that control critical business systems.
Using connectors to pull in data from across the identity fabric, Identity Security Insights empowers you with a clear view of the bigger picture so you can focus on what matters most: the paths to escalate privilege that attackers seek to exploit.
Figure: Holistic intelligence of accounts, privileges and entitlements, in context.
Our customers also rely on Identity Security Insights to proactively harden their security posture, with clear recommendations that put risks in context. This empowers them to effectively prioritize and mitigate risks to stay ahead of attacks. For example, Identity Security Insights will alert you when accounts are dormant, have stale passwords, allow blank passwords, or don’t have MFA enabled, all within the context of privilege. By addressing these vulnerabilities, you can substantively reduce your identity attack surface and minimize the risk imposed by this latest wave of password spray attacks.
Figure: Proactive recommendations to harden identity security posture.
With a cohesive view of identities, accounts and privileges across your identity estate, Identity Security Insights is also uniquely positioned to detect key indicators of compromise, such as:
A password spray attack immediately followed by a successful authentication
A privileged account logging in using a known proxy or Tor exit node
An admin account having MFA factors reset or removed
Changes to critical identity infrastructure
Unusual granting of privilege to a new account
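The following added example (not BeyondTrust or Okta code) shows how the first three indicators in this list, together with the rotating-proxy evasion described at the start of the post, can be expressed as detection logic over authentication logs. The log records are constructed and simplified; the event type strings mirror Okta System Log naming, but the records are not real Okta output, and the thresholds, the admin list and the proxy IP list are assumptions to tune for your own tenant. The key design point is that the spray is detected across accounts rather than per source IP, so an attacker rotating residential proxies every request does not escape it.

```python
"""Detect password-spray indicators across accounts in authentication logs.

Added example: not BeyondTrust or Okta code. The records below are
constructed and simplified; event type strings mirror Okta System Log
naming but these are not real Okta events. Thresholds and IP lists are
assumptions to tune for your own environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # spray detection window
MIN_USERS = 5                    # distinct accounts failing in the window
MIN_LOW_VOLUME_IPS = 4           # distinct IPs that each fail only a few times
MAX_PER_IP = 2                   # a proxy-rotating spray stays at or below this
GRACE = timedelta(hours=2)       # how long after a spray a success is suspicious

KNOWN_PROXY_IPS = {"192.0.2.77"}            # assumption: from a Tor exit / proxy feed
PRIVILEGED_USERS = {"admin@example.com"}    # assumption: your admin accounts
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}

# Constructed sample log: six accounts, six residential-looking IPs, one
# failure each (under any per-IP rate limit), then one sprayed account logs
# in successfully, an admin logs in from a known proxy, and an admin's MFA
# factors are reset. carl's three failures from one IP are a typo, not a spray.
EVENTS = [
    {"ts": "2024-04-10T08:40:00Z", "type": "user.session.start", "user": "carl@example.com", "ip": "203.0.113.200", "outcome": "FAILURE"},
    {"ts": "2024-04-10T08:40:20Z", "type": "user.session.start", "user": "carl@example.com", "ip": "203.0.113.200", "outcome": "FAILURE"},
    {"ts": "2024-04-10T08:40:45Z", "type": "user.session.start", "user": "carl@example.com", "ip": "203.0.113.200", "outcome": "FAILURE"},
    {"ts": "2024-04-10T09:00:05Z", "type": "user.session.start", "user": "ann@example.com", "ip": "203.0.113.10", "outcome": "FAILURE"},
    {"ts": "2024-04-10T09:01:30Z", "type": "user.session.start", "user": "bo@example.com", "ip": "198.51.100.21", "outcome": "FAILURE"},
    {"ts": "2024-04-10T09:02:50Z", "type": "user.session.start", "user": "cy@example.com", "ip": "203.0.113.45", "outcome": "FAILURE"},
    {"ts": "2024-04-10T09:04:10Z", "type": "user.session.start", "user": "dee@example.com", "ip": "198.51.100.88", "outcome": "FAILURE"},
    {"ts": "2024-04-10T09:05:35Z", "type": "user.session.start", "user": "eli@example.com", "ip": "203.0.113.77", "outcome": "FAILURE"},
    {"ts": "2024-04-10T09:07:00Z", "type": "user.session.start", "user": "fay@example.com", "ip": "198.51.100.5", "outcome": "FAILURE"},
    {"ts": "2024-04-10T09:15:00Z", "type": "user.session.start", "user": "dee@example.com", "ip": "203.0.113.101", "outcome": "SUCCESS"},
    {"ts": "2024-04-10T09:20:00Z", "type": "user.session.start", "user": "admin@example.com", "ip": "192.0.2.77", "outcome": "SUCCESS"},
    {"ts": "2024-04-10T09:25:00Z", "type": "user.mfa.factor.reset_all", "user": "helpdesk@example.com", "target": "admin@example.com"},
    {"ts": "2024-04-10T09:30:00Z", "type": "user.session.start", "user": "gus@example.com", "ip": "203.0.113.150", "outcome": "SUCCESS"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def logins(events, outcome):
    return [e for e in events if e["type"] == "user.session.start" and e["outcome"] == outcome]


def detect_spray(events):
    """Slide WINDOW over failed logins. A spray is many distinct accounts
    failing while most source IPs fail only once or twice; a per-IP view
    (the usual rate-limit view) never sees it."""
    fails = sorted(logins(events, "FAILURE"), key=lambda e: e["ts"])
    best = None
    for i, first in enumerate(fails):
        t0 = parse_ts(first["ts"])
        window = [e for e in fails[i:] if parse_ts(e["ts"]) - t0 <= WINDOW]
        users = {e["user"] for e in window}
        per_ip = defaultdict(int)
        for e in window:
            per_ip[e["ip"]] += 1
        low_volume_ips = {ip for ip, n in per_ip.items() if n <= MAX_PER_IP}
        if len(users) >= MIN_USERS and len(low_volume_ips) >= MIN_LOW_VOLUME_IPS:
            if best is None or len(users) > len(best["users"]):
                best = {"start": t0, "end": t0 + WINDOW, "users": users, "ips": low_volume_ips}
    return best


def spray_followed_by_success(events, spray):
    """Indicator 1: a sprayed account authenticates successfully soon after."""
    if spray is None:
        return []
    return [(e["user"], e["ip"], e["ts"]) for e in logins(events, "SUCCESS")
            if e["user"] in spray["users"]
            and spray["start"] <= parse_ts(e["ts"]) <= spray["end"] + GRACE]


def privileged_login_from_proxy(events):
    """Indicator 2: a privileged account signs in from a known proxy/Tor exit."""
    return [(e["user"], e["ip"]) for e in logins(events, "SUCCESS")
            if e["user"] in PRIVILEGED_USERS and e["ip"] in KNOWN_PROXY_IPS]


def admin_mfa_reset(events):
    """Indicator 3: MFA factors reset or removed on an admin account.
    Returns (actor, target account, event type)."""
    return [(e["user"], e["target"], e["type"]) for e in events
            if e["type"] in MFA_RESET_EVENTS and e.get("target") in PRIVILEGED_USERS]


def findings(events):
    spray = detect_spray(events)
    return {
        "spray": spray,
        "spray_then_success": spray_followed_by_success(events, spray),
        "privileged_from_proxy": privileged_login_from_proxy(events),
        "admin_mfa_reset": admin_mfa_reset(events),
    }


if __name__ == "__main__":
    for name, value in findings(EVENTS).items():
        print(f"{name}: {value}")
```

On the constructed log this flags the six-account spray starting at 09:00:05, dee’s later successful login as the spray-then-success case, the admin sign-in from the listed proxy address, and the factor reset on the admin account; carl’s three typos from one address are not reported as a spray. In production the proxy list would come from a Tor exit node list or a commercial proxy feed, and the window and thresholds should be set from your own baseline of failed logins per ten-minute period.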
Figure: Detection of threats and high-risk activity.
Identity Security Insights uses machine learning to uncover behavioral anomalies (e.g. a previously dormant account suddenly being used after a password spray) and other events that help you quickly discover and contain identity threats. This puts you in the best position possible to detect and respond to a wide range of identity threats, even when they use residential proxy networks to evade other defenses.
Identity Security Insights puts the detections in clear, easy-to-understand context. In this example, an Okta password spray was detected as well as a successful auth event, indicating the attack may have been successful. Insights combines these into a clear and actionable finding.
Securing identities can help neutralize modern cyber threats
Regardless of the threat actor, or the origin of an attack, if you can control and secure identities and reduce the attack surface, then you can stop or neutralize most modern cyber threats.