Password Spraying? Yep, It’s a Thing

Cyberwarfare has continued to evolve in sophisticated ways, and while security researchers try their best to keep up, hackers are always trying to outdo them. One example of such attacks, which are often sponsored by government agencies, is a recent attack on the United States and Israeli technology sectors, which have become the target of password spraying campaigns.

Password spraying is when multiple accounts are hacked into using commonly used passwords. Hackers spam these passwords in an attempt to break into these accounts. These attacks also involve variations of these commonly used passwords, and considering how often this happens, it’s not surprising to see how they can be successful.

Microsoft issued a warning in regards to the aforementioned attacks involving the United States and Israeli technology sectors in which 250 Microsoft Office 365 customers became the targets of password spraying tactics. Microsoft has named this group DEV-343, the DEV in the name representing the fact that the attacks are not currently being sponsored by state actors. The group is thought to originate from Iran.

Even though less than 20 of the targets were actually compromised, it’s quite concerning to see such high-profile targets using insecure passwords. Microsoft has reported that organizations using multi-factor authentication are at much less risk than those who do not. As reported by Microsoft, security professionals should be wary of suspicious connections enabled by Tor networks: "DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.”

You should always be familiar with the traffic on your network, as doing so will help you identify when there is suspicious activity of any kind, like when someone accesses your network at 3 AM on the other side of the world. Passwords might be important, but so too are other measures, like multi-factor authentication.

BNMC can help your business optimize security and protect itself from the many threats out there. To learn more, reach out to us at (978) 482-2020.