• QOMPLX Knowledge
  • Apr 19, 2021
  • By QOMPLX

QOMPLX Knowledge: Detecting Password Spraying Attacks

QOMPLX Knowledge: Detecting Password Spraying Attacks

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Much has been written about the sophistication of modern cyber criminals and state-sponsored actors. But the truth is that one of the most common and effective hacking methods is dead simple: guessing a user’s password.

Simple though it is, password guessing is its own art form -  especially when carried out at scale against a population of employees or users. Done properly, so-called “password spraying” attacks can cycle through millions of possible username and password combinations without tipping off defenders that any attacks are taking place. In this post, we’re taking a look at how QOMPLX’s technology helps customers to spot password spraying attacks and other excessive login attempts that are often an early indication that an attack is taking place.

Key Points

  • Failed login attempts are a very common activity on enterprise networks, but may also indicate malicious probes and password “spraying” attacks.
  • Automated tools allow attackers to fly below password lockout features while testing the security of hundreds or thousands of accounts.
  • Spotting password spraying attacks is critical to stopping emerging attacks in their early stages.
  • QOMPLX detects password spraying attacks by correlating login behavior from a single host and flagging automated and inauthentic login behavior.

How Password Spraying Attacks Work

Password spraying is a method of password cracking in which an attacker attempts to log in to a large number of user accounts using the same password. These attacks are a common tool for both sophisticated and unsophisticated cyber criminal groups as well as nation-state actors and are designed to gain access to- and control over a trusted user account in a target environment.

Password spraying is a cousin of so-called “brute force” password cracking attacks, but use an obverse method to those attacks. Brute force attacks attempt to crack a small set of user accounts using a long list of possible passwords, trying each password in turn until one works. In contrast, password spraying attacks take a small number of possible passwords and try them against a long list of known user accounts.

These techniques are commonly used by both cyber criminal groups and nation state attackers. Microsoft, for example, warned that the APT group Strontium relied on both brute force and password spraying in attacks targeting companies involved in the development of a COVID-19 vaccine in 2020.

The goal of password spraying attacks is to gain access to the targeted system while avoid triggering password “lockout” features on any single account, which are usually activated following a small (but configurable) number of incorrect password guesses. By moving from one account to the next, spraying attacks can steer clear of account lock-out features. At the same time, a small number of incorrect logins may not trigger suspicion among network administrators, as users commonly forget their login credentials.

Attackers can use any of a long list of free tools to conduct password spraying attacks, including the Metasploit SMB Login module, Medusa, Hydra, BurpSuite and Crackmapexec. Attackers can simply feed files containing usernames and passwords to these tools and let them loose, being careful to avoid any lockout restrictions.

QOMPLX Detection

QOMPLX’s Identity Assurance (IA) product detects password spraying attacks as they happen. Unlike other products, QOMPLX IA monitors for failed login attempts at the host level. That allows the technology to spot suspicious activity, such as attempts to access multiple accounts from the same endpoint. At the same time, IA allows customers to configure thresholds for alerting to suit their environment.

QOMPLX helps its customers with problems like password spraying attacks. If you want to learn more about how QOMPLX can help your company spot signs that may signal a compromise, contact our team now.

Additional Reading

Here are the previous entries in our QOMPLX Knowledge series; look for more in our QOMPLX Knowledge series in the days and weeks ahead:

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained

Learn More

Use the following form to request more information about QOMPLX detection of sophisticated attacks and other threats.

You might also be interested in

Lessons from the Medibank breach

Lessons from the Medibank breach

Ming Fu, a member of the Americas Pre-Sales Engineering Team at QOMPLX, looks at the much publicized Medibank breach in Australia last year, and draws a few much needed lessons based on the published findings of this breach.

Read more
IcedID Malware Gaining Prominence by Adding Identity Attack Chains

IcedID Malware Gaining Prominence by Adding Identity Attack Chains

Brian Freedman, WW Director of Solution Architecture highlights how identity controls are necessary tools, along with EDR, to combat evolving malware threats that have been expanding to include identity compromise as a primary objective in their attack strategies.

Read more
QOMPLX Knowledge: OverPass The Hash Attacks

QOMPLX Knowledge: OverPass The Hash Attacks

OverPass The Hash (OPtH) is a form of credential theft- and reuse attack that is one of the most common methods of lateral movement within compromised IT environments.

Read more
Request a Demo

Interested in learning more?

Subscribe today to stay informed and get regular updates from QOMPLX.