Last month news emerged that Iranian-linked hacker group IRIDIUM had breached US multinational software company Citrix, whose solutions are used by 98% of the Fortune 500. The hackers stole 6 TB of data from the enterprise’s internal network – a feat which could compromise hundreds of thousands of Citrix’s client organisations. Emails, blueprints and sensitive business documents were all stolen. So how did IRIDIUM – a group that has hit more than 200 government agencies, fuel firms and technology companies – execute the attack? Well, the FBI said the hackers probably gained a foothold using a method called password spraying, which capitalises on security’s eternal foe: the weak password. Once the attackers had compromised Citrix employee accounts, they were able to circumvent additional security layers with ease.
Since the news broke, Citrix has been working with cybersecurity firm Resecurity to tighten its network. But while that’s a step in the right direction, there is no reversing the damage already done; damage that good basic security hygiene could have prevented.
Perhaps most concerning is that, despite the mass hysteria induced by this breach, password spraying is not a new, or even uncommon, tactic. For as long as humans have used passwords (that’s at least as far back as Ancient Rome), adversaries have tried to guess them. And password spraying is just another guessing game.
In the summer of 2018 the UK’s NCSC even issued a warning about the tactic. The agency described password spraying as a ‘common’ attack, ‘whereby lists of a small number of common passwords are used to brute force large numbers of accounts’. It stated that such attacks are successful because, for any large set of users, a small number will use common, easily cracked passwords.
The NCSC carried out research to determine how vulnerable certain organisations are to password spraying; it found that 75% had accounts with passwords that featured in the top 1,000 passwords, while 87% had accounts with passwords that featured in the top 10,000. Worrying figures indeed.
Beyond using strong passwords (such as a combination of three random words) to minimise risk, the NCSC recommends that organisations take the following actions:
- Configure protective monitoring over externally-reachable authentication endpoints to look for password spraying attacks
- Deploy alternatives to passwords where possible
- Enforce multi-factor authentication on externally reachable authentication endpoints
- Regularly audit passwords against common password lists
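Detection logic for the first of those recommendations, added here as an example (not the NCSC's, Citrix's or any vendor's code), run over constructed authentication log lines in an assumed `auth.log`-style format: a spray shows up as one source failing against many distinct accounts with few attempts each, which is what the detector looks for.

```python
"""Flag password spraying in constructed auth logs: one source failing
against many distinct accounts with only a few attempts each, unlike
brute force, which piles many failures onto a single account."""
from collections import defaultdict
from datetime import datetime, timedelta
import re
# Constructed sample in a hypothetical "auth.log" style; not real data.
SAMPLE_LOG = """\
2019-03-12T09:00:01Z auth_fail user=alice src=198.51.100.7
2019-03-12T09:00:02Z auth_fail user=bob src=198.51.100.7
2019-03-12T09:00:03Z auth_fail user=carol src=198.51.100.7
2019-03-12T09:00:04Z auth_fail user=dave src=198.51.100.7
2019-03-12T09:00:05Z auth_ok user=dave src=198.51.100.7
2019-03-12T09:05:00Z auth_fail user=frank src=203.0.113.9
2019-03-12T09:05:01Z auth_fail user=frank src=203.0.113.9
2019-03-12T09:05:02Z auth_fail user=frank src=203.0.113.9
2019-03-12T09:30:00Z auth_fail user=alice src=192.0.2.44
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>auth_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Yield (timestamp, event, user, src); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["event"], m["user"], m["src"]

def detect_spray(log_text, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Return {src: sorted users} for sources whose failures inside any `window` span
    >= `min_users` accounts with <= `max_per_user` failures each (brute force is not flagged)."""
    fails_by_src = defaultdict(list)
    for ts, event, user, src in parse(log_text):
        if event == "auth_fail":
            fails_by_src[src].append((ts, user))
    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window over each start
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = sorted(per_user)
                break
    return alerts

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src} against {users}")
```

A successful login from a source that was just flagged (here `dave` from 198.51.100.7) is the event worth paging on, since it means one of the sprayed passwords worked.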
Microsoft also released guidelines on how to defend against password spraying and pinpointed MailSniper as a popular toolkit used to execute such attacks. Among the software giant’s suggestions were the use of cloud authentication and banning weak passwords.
If you want to learn more about reducing the risk of password spraying attacks, there’s no better place than our password spraying lab, where you can develop skills in a real-world environment.