Cyber actors using 'password spraying' against organisations' email systems

Iranian crooks used password spraying to bring down targets

Cyber crooks have been using a brute force attack method called "password spraying" to hack into American and foreign companies, according to the FBI.

The US Department of Homeland Security and FBI have issued a warning to companies that criminals are resorting to this sophisticated technique to gain unauthorised access to systems.

Last week, a judge in New York indicted nine Iranian nationals who were members of a hacking group known as the Mabna Institute for "computer intrusion" offences. Password spraying was one of their main techniques.

In normal brute-force attacks, crooks try to guess a password to get into a computer. But of course, most accounts only allow a few bad attempts before the account is locked, so such attackers are usually locked out within minutes.

However, password spraying is thought to be more effective. In a security posting, the US Computer Emergency Readiness Team (US-Cert) explained that the "malicious actor attempts a single password against many accounts before moving on to attempt a second password".

If the hacker is successful, then they can "remain undetected by avoiding rapid or frequent account lockouts". These campaigns are often used to compromise single sign-on (SSO) and cloud-based applications.
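As an added example, not from the US-CERT bulletin or this article, a small Python detector that turns the pattern described above into a log check: many distinct accounts failing from one source, each staying below the per-account lockout threshold. The log format, addresses and thresholds are assumptions made up for the example.

```python
"""Detect password-spraying patterns in authentication logs.
Per-account lockout counts failures per user; spraying stays under that
threshold by trying one password across many users, so group by source."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data): "timestamp source_ip user result".
SAMPLE_LOG = """\
2018-03-26T09:00:01 203.0.113.7 alice FAIL
2018-03-26T09:00:02 203.0.113.7 bob FAIL
2018-03-26T09:00:03 203.0.113.7 carol FAIL
2018-03-26T09:00:04 203.0.113.7 dave FAIL
2018-03-26T09:00:05 203.0.113.7 erin FAIL
2018-03-26T09:00:06 203.0.113.7 frank SUCCESS
2018-03-26T09:01:00 198.51.100.9 alice FAIL
2018-03-26T09:01:05 198.51.100.9 alice FAIL
2018-03-26T09:01:10 198.51.100.9 alice FAIL
2018-03-26T09:01:15 198.51.100.9 alice SUCCESS
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5,
                 lockout_threshold=5):
    """Flag sources whose failures touch >= min_accounts distinct users inside
    `window` while every user stays below lockout_threshold failures."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        start = evs[0][0]  # simplification: one window anchored at the first event
        in_window = [e for e in evs if e[0] - start <= window]
        fails = defaultdict(int)
        for _, user, result in in_window:
            if result == "FAIL":
                fails[user] += 1
        if len(fails) >= min_accounts and max(fails.values()) < lockout_threshold:
            alerts[ip] = {
                "accounts": len(fails),
                "max_per_account": max(fails.values()),
                # Successes from a spraying source are the accounts to reset first.
                "hits": sorted(u for _, u, r in in_window if r == "SUCCESS"),
            }
    return alerts
```

The second source in the sample fails three times against one account and is left to the normal lockout policy; only the source touching many accounts with one failure each is reported.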

"An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximise access to intellectual property during a successful compromise," explained the security bulletin.

When hacking into companies using this method, hackers may also target email applications.

US-Cert said password spraying lets them "utilise inbox synchronisation to obtain unauthorised access to the organisation's email". Attackers then commonly download the user's mail and trawl through it to discover the company's entire email address list.

Most victims of these attacks use SSO or web-based applications, have easy-to-guess passwords, have inbox synchronisation in place and allow any user to set up email forwarding.

Password spraying techniques can be hugely damaging to companies, resulting in "temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files and potential harm" to their reputation, US-Cert says.

The organisation recommends that firms require multi-factor authentication, review password policies, review IT helpdesk password management practices and invest in cyber security tools.