Microsoft warns over uptick in password spraying attacks – ZDNet

State-sponsored hackers and cyber criminals are going after identities with password spraying, a low-effort and high-value method for the attacker, says Microsoft’s Detection and Response Team (DART).
By | October 27, 2021 | Topic: Security
Cyber attackers aren’t just looking for software flaws, supply chain weaknesses, and open RDP connections. The other key asset hackers are after is identities, especially account details that will give them access to other internal systems.
CISA earlier this year warned that the suspected Kremlin-backed hackers behind the SolarWinds attacks were not just trojanising software updates, but also password guessing and password spraying administrative accounts for initial access.
More recently, Microsoft observed an emerging Iranian hacking group using password spraying against Israeli and US critical infrastructure targets operating in the Persian Gulf. 
Microsoft estimates that more than a third of account compromises are password spraying attacks, even though such attacks have a 1% success rate per account, unless organisations use Microsoft’s ‘password protection’ feature to block weak passwords.
“Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password,” Microsoft explained last year. That approach avoids rate limiting, where too many failed password attempts against a single account result in a lockout.
Microsoft’s Detection and Response Team (DART) has outlined two main password spray techniques, the first of which it calls ‘low and slow’. Here, a determined attacker deploys a sophisticated password spray using “several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses.”
The other technique, ‘availability and reuse’, exploits previously compromised credentials that are posted and sold on the dark web. “Attackers can utilize this tactic, also called ‘credential stuffing,’ to easily gain entry because it relies on people reusing passwords and usernames across sites,” Microsoft explains.
Legacy and unsecured authentication protocols are a problem because they can’t enforce multi-factor authentication. Attackers are also focussing on the REST API, says DART. Top applications targeted include Exchange ActiveSync, IMAP, POP3, SMTP Auth, and Exchange Autodiscover.
“Recently, DART has seen an uptick in cloud administrator accounts being targeted in password spray attacks,” Microsoft notes.   
Extra care should also be taken when configuring security controls for roles such as security admins, Exchange service admins, Global admins, Conditional Access admins, SharePoint admins, Helpdesk admins, Billing admins, User admins, Authentication admins, and Company admins. High-profile identities such as C-level execs or specific roles with access to sensitive data are also popular targets, says Microsoft.
Microsoft this week warned that the SolarWinds hackers, a.k.a. Nobelium, were employing password spray attacks on new targets, primarily against managed service providers that have been delegated admin access by upstream customers.
Microsoft found that Nobelium was “targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted relationships to gain access to downstream customers and enable further attacks or access targeted systems.”
The attacks are not the result of a product security vulnerability, Microsoft stressed, “but rather a continuation of Nobelium’s… dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts.”
DART offers some handy tips to help shape the course of an investigation, such as determining whether the spray attack was successful on at least one account, determining which users were affected, and whether admin accounts were compromised.
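The detection shape described above (many users, few guesses each, from one source IP) and DART’s three triage questions can be checked directly against sign-in logs. The following is an added example, not Microsoft’s or DART’s own tooling; the log entries, the user names and the admin list are constructed sample data, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): (timestamp, user, source_ip, outcome)
SAMPLE_LOG = [
    ("2021-10-27T08:00:05", "alice",    "198.51.100.7", "FAIL"),
    ("2021-10-27T08:00:09", "bob",      "198.51.100.7", "FAIL"),
    ("2021-10-27T08:00:14", "carol",    "198.51.100.7", "FAIL"),
    ("2021-10-27T08:00:20", "dave",     "198.51.100.7", "FAIL"),
    ("2021-10-27T08:00:26", "erin",     "198.51.100.7", "FAIL"),
    ("2021-10-27T08:00:31", "frank",    "198.51.100.7", "FAIL"),
    ("2021-10-27T08:05:02", "ga-admin", "198.51.100.7", "SUCCESS"),  # one hit among many misses
    ("2021-10-27T08:10:00", "alice",    "203.0.113.9",  "FAIL"),     # a user's own typo
    ("2021-10-27T08:10:30", "alice",    "203.0.113.9",  "SUCCESS"),
]
ADMIN_USERS = {"ga-admin", "exo-admin"}  # constructed list of privileged accounts


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source_ip: sorted(users)} for IPs whose failed sign-ins inside `window`
    touch at least `min_users` distinct accounts with at most `max_per_user` failures
    each. Brute force has the opposite shape (one user, many tries) and is not flagged."""
    fails = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "FAIL":
            fails[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, entries in fails.items():
        entries.sort()
        start = 0
        for end in range(len(entries)):          # sliding time window over failures
            while entries[end][0] - entries[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in entries[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.setdefault(ip, set()).update(per_user)
    return {ip: sorted(users) for ip, users in flagged.items()}


def triage(events, spray_ips, admins=ADMIN_USERS):
    """DART's questions: did a spraying IP sign in successfully, to which users, any admins?"""
    hits = sorted({user for _, user, ip, outcome in events
                   if ip in spray_ips and outcome == "SUCCESS"})
    return {"successful": bool(hits),
            "compromised_users": hits,
            "compromised_admins": sorted(set(hits) & set(admins))}
```

In a real investigation the source IP would be one of several, so the same grouping is usually repeated on user agent or client app (for example legacy protocols such as IMAP or SMTP Auth) rather than IP alone.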