The Microsoft Detection and Response Team (DART) has seen an uptick in password spray attacks targeting privileged cloud accounts and high-profile identities such as C-level executives.
Password spraying is a type of brute-force attack in which attackers attempt to gain access to a large number of accounts by trying a small number of commonly used passwords. These attacks typically reuse the same password while moving from one account to the next, in order to identify easy-to-breach accounts without triggering defences such as account lockout or malicious-IP blocking (the latter evaded by spreading attempts across a botnet).
This approach reduces the likelihood of account lockout, which is what conventional brute-force attacks provoke when they rapidly run through a large password list against a small number of accounts, one account at a time.
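The distinction drawn above (few failures per account across many accounts, versus many failures against one account) is exactly what a sign-in log detection can key on. The following is an added example, not from Microsoft or DART, that classifies failed sign-ins per source IP against constructed sample events; the log format, the lockout threshold of 5 and the account names are assumptions.

```python
"""Classify failed sign-ins per source IP as password spray vs brute force.

Added example. Assumes a flat audit log of (timestamp, account, source_ip,
outcome) tuples and a lockout threshold of 5 failures per account (assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data), all within one hour.
SPRAY_IP, BRUTE_IP, USER_IP = "203.0.113.7", "198.51.100.4", "192.0.2.33"
ADMINS = ["secadmin", "exchangeadmin", "globaladmin", "caadmin", "spadmin", "helpdesk"]
SAMPLE_EVENTS = (
    # One failure per admin account from a single source: the spray pattern.
    [(f"2021-10-26T08:00:{i:02d}Z", f"{a}@corp.example", SPRAY_IP, "FAILURE")
     for i, a in enumerate(ADMINS)]
    # Eight failures against one account: classic brute force.
    + [(f"2021-10-26T08:01:{i:02d}Z", "ceo@corp.example", BRUTE_IP, "FAILURE")
       for i in range(8)]
    # A user who mistyped once and then signed in: benign noise.
    + [("2021-10-26T08:02:00Z", "alice@corp.example", USER_IP, "FAILURE"),
       ("2021-10-26T08:02:30Z", "alice@corp.example", USER_IP, "SUCCESS")]
)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def classify_sources(events, window=timedelta(hours=1), lockout=5, min_accounts=5):
    """Return {source_ip: "spray" | "brute_force"} for suspicious IPs.

    spray:       within `window`, failures hit >= min_accounts distinct accounts
                 while every account stays BELOW the lockout threshold.
    brute_force: failures against a single account reach the lockout threshold.
    IPs matching neither pattern are omitted."""
    fails = defaultdict(list)  # ip -> [(time, account)]
    for ts, account, ip, outcome in events:
        if outcome == "FAILURE":
            fails[ip].append((_ts(ts), account))
    verdicts = {}
    for ip, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):  # sliding window over sorted failures
            while items[end][0] - items[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, account in items[start:end + 1]:
                per_account[account] += 1
            worst = max(per_account.values())
            if worst >= lockout:
                verdicts[ip] = "brute_force"  # lockout-level hammering wins
            elif len(per_account) >= min_accounts and ip not in verdicts:
                verdicts[ip] = "spray"
    return verdicts
```

Raising `min_accounts` or shrinking `window` trades sensitivity for fewer false positives; a botnet spreading the spray across many source IPs will need the same logic applied per password-attempt time bucket rather than per IP.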
“Over the last year, the Microsoft Detection and Response Team (DART), in collaboration with Microsoft’s threat intelligence teams, have witnessed an increase in the usage of password sprays as an attack vector,” DART stated.
DART suggests activating and enforcing multi-factor authentication (MFA) across all accounts wherever practicable, as well as using passwordless technologies, to significantly reduce the chance of account compromise when targeted by such assaults.
According to Alex Weinert, Director of Identity Security at Microsoft, password spray assaults are among the most common authentication attacks, accounting for more than a third of business account breaches, as disclosed by Microsoft a year ago. Recent password spray assaults have targeted a diverse set of administrator accounts with varying levels of access, according to DART.
The most prominent targets include security, Exchange service, global and Conditional Access administrators, as well as SharePoint, helpdesk, billing, user, authentication and company administrators. Beyond privileged accounts, threat actors have also sought to compromise high-profile identities (including C-level executives) and accounts with access to sensitive data.
“It is simple to establish exceptions to policy for executives, but in practice, they are the most targeted accounts. Make sure to install protection in a democratic manner to prevent introducing configuration flaws,” DART added.
The NSA disclosed in July that the Russian state-backed Fancy Bear hacking gang used Kubernetes clusters to perform password spray assaults against US and international entities, including the US government and Department of Defense.
Microsoft also reported earlier this month that it had observed both the Iran-linked DEV-0343 and the Russian-sponsored Nobelium groups using password spraying in attacks against defence technology businesses and managed service providers (MSPs) or cloud service providers.