Many of you may be on the US-Cert alert e-mail list, but I suspect many of you are not. Since most all of you have Internet-facing devices, or even more likely cloud-based applications (Office 365 / Google Apps, at least), I wanted to make certain that all of our clients “heard” the message contained in this alert that was sent out early last week as this may very well impact you (or might already be impacting you).
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have determined that malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad.
In these attacks, instead of running an endless stream of passwords against a single account, which usually gets them locked out and discovered quickly, attackers process a single password against multiple accounts, then switch to a new password and repeat the process over and over again. It’s a much slower and thus quiet process that runs periodically until they eventually get a successful hit and gain access to an account.
What DHS has noticed is that attackers are tending to focus (although anything open to the Internet can be a target) on applications that use SSO (think services using your AD info to authenticate to any cloud application) and an easy one to target is cloud-based e-mail services. SSO is a favorite target since once they have a good set of credentials attackers have access to everything those credentials can access via the Internet.
Once they get a hit on an e-mail service they also get access to the rest of the full directory and use it to leverage additional attacks on more accounts until they find one with access to the most interesting data your environment contains. Perhaps that is student/staff records and SSN’s or something similar and then attackers exfiltrate that data out of the network for financial gain elsewhere.
To monitor for indications of this type of attack on your applications/services DHS suggests that you watch for increased attempted logins/login failures to these services in concentrated periods of time (short bursts mainly but up to as long as a 2-hour window).
They also suggest watching for successful logins from IP addresses that are not normally expected to be used by members of your organization. For instance, would it be normal / expected to log in successfully from someplace like Chile, Iran or Europe?
To protect against this type of attack, DHS suggests:
- Use of multi-factor authentication for all Internet-facing services
- Making sure all users are following strong password policies
- Making sure your helpdesk is paying attention to unusual volumes of password reset requests
Most of these suggestions are not new, at CSI we have been talking about them / suggesting them to you for the past several years. But this is just another example of why, if you have not already done so, you need to be taking action on this right now. Not doing any of this leaves your organization open to exploits via attacks that are both real and on-going right now in the wild.
For additional assistance or to discuss implementing any needed changes in your network please reach out to us.
For the full text of the US-Cert Alert you can find it here:
https://www.us-cert.gov/ncas/alerts/TA18-086A
There are also two helpful reference links in the document that I have copied out here that contain additional suggestions on:
Choosing and Protecting Passwords:
https://www.us-cert.gov/ncas/tips/ST04-002
Supplementing Passwords – MFA:
https://www.us-cert.gov/ncas/tips/ST05-012
Bob Knapp
You must be logged in to post a comment.