The Microsoft Detection and Response Team (DART) observed a worrisome rise in password spray attacks targeting privileged cloud accounts.
Password spraying is a type of brute force attack where the attackers carry out brute force logins based on a list of usernames with default passwords on the application. In this attack scenario, threat actors use one password against many different accounts on the application to avoid account lockouts that would normally trigger when brute forcing a single account with many passwords.
Password spray methods ordinary used by attackers could be:
Microsoft DART researchers warn of attacks against specific cloud administrator accounts, for this reason, they highlight the importance of assessing and protecting the users with the below permissions:
“It’s important to understand the targets of the password spray to correctly determine the scope of the potential compromise. Recently, DART has seen an uptick in cloud administrator accounts being targeted in password spray attacks, so understanding the targets is a good place to start.” states Microsoft DART’s report.
Tools like the Microsoft Cloud App Security portal are very useful to check for suspicious activity, some specific alerts can allow detecting password spray attacks. Below a list of alerts to check recommended by Microsoft:
“In addition to privileged accounts such as these, identities with a high profile (such as C-level executives), or identities with access to sensitive data are also popular targets. It is easy to make exceptions to policy for staff who are in executive positions, but in reality, these are the most targeted accounts. Be sure to apply protection in a democratic way to avoid creating weak spots in configuration.” continues Microsoft.
A best practice to prevent these attacks is to enforce multi-factor authentication (MFA) across all accounts.
In January, Cybersecurity and Infrastructure Security Agency (CISA) revealed that threat actors behind the SolarWinds supply chain attack also employed common hacker techniques to compromise the networks of the targeted organizations, including password guessing and password spraying.
Researchers at Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) recently uncovered a malicious activity cluster, tracked as DEV-0343, that is targeting the Office 365 tenants of US and Israeli defense technology companies.
Threat actors are launching extensive password spraying attacks aimed at the target organizations, the malicious campaign was first spotted in July 2021.
“DEV-0343 is a new activity cluster that the Microsoft Threat Intelligence Center (MSTIC) first observed and began tracking in late July 2021. MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.” reads the post published by Microsoft. “Less than 20 of the targeted tenants were successfully compromised, but DEV-0343 continues to evolve their techniques to refine its attacks.”
Microsoft provides the following mitigations to prevent password spray attacks:
(SecurityAffairs – hacking, password spraying)