How do they get your passwords?
Recently, a company reached out to us for help. Their servers had been hacked. They had lost control of their network, they were locked out, their backups were compromised, and their endpoints were being encrypted the moment they logged on to the network, including those of remote workers. It was bad. They had some of the best tools to protect them, industry-leading brands, but that did not matter, as the attackers deactivated them before wreaking havoc. It all started with one admin getting their credentials compromised. Many hackers and cybercriminals work alone, but once they group together they become a very strong force, and organizations have a hard time defending against their attacks. It is always important to remember that the attackers only need to succeed once in order to get in, and from there they can cause damage.
In the case presented above, they used an advanced brute force attack against the organization.
What is a Brute Force Attack?
Cybercriminals often use brute force techniques to gain access to accounts when passwords are unknown or when password hashes have been obtained. Their strategy is to systematically guess the passwords used to compute the hashes, if available; the alternative is to use a pre-computed rainbow table to crack the hashes. Cracking hashes is usually done on the cybercriminals' own systems, outside of the targeted network.
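The reason offline cracking is so cheap is that a fast, unsalted hash can be attacked with a table computed once and reused against every victim, which is exactly what a rainbow table is. The following added example (not code from the article) builds a tiny precomputed table over a constructed five-word list, shows that it instantly recovers an unsalted SHA-256 hash, and then shows that the same table is useless against a store that uses a per-user random salt and a slow PBKDF2 work factor. The word list, the iteration count and the record layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed toy word list; it stands in for the precomputed table an attacker brings along.
WORDLIST = ["password", "Jenny123", "letmein", "welcome1", "summer2020"]


def unsalted_sha256(password: str) -> str:
    """The weak storage scheme: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(words) -> Dict[str, str]:
    """Hash -> plaintext map, built once and reusable against every unsalted store."""
    return {unsalted_sha256(w): w for w in words}


def lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Instant recovery: no hashing at lookup time, just a dictionary hit (or a miss)."""
    return table.get(stored_hash)


@dataclass
class SaltedRecord:
    """Assumed storage format: hex salt, PBKDF2 iteration count, hex derived key."""
    salt: str
    iterations: int
    hash: str


def store_salted(password: str, iterations: int = 200_000) -> SaltedRecord:
    """Hardened storage: a fresh random salt per user plus a slow PBKDF2 work factor."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return SaltedRecord(salt=salt.hex(), iterations=iterations, hash=dk.hex())


def verify_salted(password: str, record: SaltedRecord) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record.salt),
        record.iterations,
    )
    return hmac.compare_digest(dk.hex(), record.hash)


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    print("unsalted store, Jenny123 ->", lookup(unsalted_sha256("Jenny123"), table))
    record = store_salted("Jenny123")
    print("salted store,   Jenny123 ->", lookup(record.hash, table))
    print("verify correct password:", verify_salted("Jenny123", record))
```

Two records for the same password get different salts and therefore different stored hashes, so a table would have to be rebuilt per user, and the iteration count makes every one of those rebuilds expensive. That is the defender's lever against the offline phase the article describes.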
There have been cases where attackers attempt to brute force logins during an operation with zero knowledge of passwords or hashes. Other times they simply try a list of known or likely passwords, and this works too. Yet this is the riskier option, because it can cause numerous authentication failures and account lockouts, depending on the organization's login failure policies, and thus raise a series of red flags notifying the victim that they are under attack.
Another common tactic is called password spraying: the attacker uses one password, for example Jenny123, or a small list of passwords that match the domain's complexity policy and are likely to be in common use. Logins are attempted with that password against many different accounts on the network, which avoids the account lockouts that would normally occur when brute forcing a single account with many passwords.
As more and more organizations use single sign-on platforms and cloud-based applications built on federated authentication protocols, these become juicy targets for attackers. Companies that use Office 365 are also preferred targets for attackers choosing to use brute force attacks.
Typically, management services on commonly used ports are targeted when password spraying. Commonly targeted services include the following:
- SSH (22/TCP)
- Telnet (23/TCP)
- FTP (21/TCP)
- NetBIOS / SMB / Samba (139/TCP & 445/TCP)
- LDAP (389/TCP)
- Kerberos (88/TCP)
- RDP / Terminal Services (3389/TCP)
- HTTP / HTTP Management Services (80/TCP & 443/TCP)
- MSSQL (1433/TCP)
- Oracle (1521/TCP)
- MySQL (3306/TCP)
- VNC (5900/TCP)
We have noticed an increase in cases where cybercrime groups brute force password hashes in order to recover the credentials in plain text. Password spraying is also widely used, as many organizations do not do a good job of configuring their networks properly. Local admin accounts are the easy target these groups go for. Initial access is gained by using brute force attacks against SSH services.
Passwords must be complex and unique in order not to be easily cracked. This is a great article about the math behind hacking passwords.
So what can we do? How can we prevent brute force attacks and avoid falling victim to them?
Organizations must be granular in setting up the right account use policies. For example, admins can set account lockout policies that trigger after a certain number of failed login attempts, to prevent passwords from being guessed. They must be careful, though: if the policy is too strict, it may backfire and create a denial of service condition, rendering environments unusable because every account used in the brute force attempt gets locked out.
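The math is simple but worth seeing worked through: with an alphabet of N characters and a password of length L there are N^L candidates, the entropy of a random password is L * log2(N) bits, and an attacker guessing at a fixed rate needs on average half the keyspace. The added example below (not from the article or the linked piece) carries that through for several alphabet sizes, including the 260-character multilingual keyboard mentioned in the bonus tips. The alphabet sizes other than 260 and the guess rate are assumptions for illustration.

```python
import math
from typing import Dict

# Alphabet sizes assumed for illustration; only the 260-character multilingual
# keyboard figure comes from the article's bonus tips.
ALPHABETS: Dict[str, int] = {
    "digits only": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "printable ASCII": 95,
    "multilingual keyboard": 260,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly this length: N^L."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this length: L * log2(N)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate is tried."""
    return keyspace(alphabet_size, length) / guesses_per_second


def expected_crack_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """A random password falls, on average, after half the keyspace has been searched."""
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / 2


def compare(length: int, guesses_per_second: float = 1e10) -> Dict[str, float]:
    """Expected crack time in years for each alphabet at a fixed length.
    The default rate (10 billion guesses/s) is an assumed figure for an offline attack."""
    return {
        name: expected_crack_seconds(n, length, guesses_per_second) / SECONDS_PER_YEAR
        for name, n in ALPHABETS.items()
    }


if __name__ == "__main__":
    for length in (8, 12, 16):
        print(f"length {length}:")
        for name, years in compare(length).items():
            print(f"  {name:22s} {years:12.3e} years")
```

Running it shows the point the article makes about passphrases: at the same guess rate, a 12-character lowercase password (26^12 candidates) outlasts an 8-character password drawn from all 95 printable ASCII characters (95^8), because length sits in the exponent while alphabet size sits in the base.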
Multi-factor authentication is a must, in my opinion, for every organization connected to the internet, and everyone in the organization should be using it. Where possible, also enable multi-factor authentication on externally facing services.
The last one is really a no-brainer: use long passwords, use passphrases, use special characters, use numbers, and make it hard for someone with lots of firepower and smart software to ruin your day.
So why is it so easy for attackers to use this technique successfully? The reality is that detecting when hashes are cracked is extremely difficult, since this is generally done outside the scope of the target network. For an organization to realize it is under attack, the InfoSec team needs to monitor authentication logs for system and application login failures of valid accounts. If authentication failures are high, there may be a brute force attempt to gain access to a system using legitimate credentials. They also have to monitor for many failed authentication attempts across various accounts, which may result from password spraying.
For InfoSec teams fighting password spraying, it is always good to look at the Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625 and "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771, and on all systems: "Audit Logon" (Success & Failure) for event ID 4648. This will paint a clear picture of who is after your organization and why.
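The two monitoring patterns described above (many failures against one account versus a few failures each against many accounts from one source) translate directly into detection logic. The following added example, which is not code from the article, runs both checks over a constructed list of simplified failure records; the record layout, the thresholds and the sample IP addresses and account names are all assumptions. It treats event IDs 4625 (failed logon) and 4771 (Kerberos pre-authentication failed) as failed attempts, and ignores other IDs such as a successful 4624.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of simplified logon records: (timestamp, event_id, account, source_ip).
# 10.0.0.5 hammers one account; 10.0.0.99 sprays one guess across six accounts;
# 10.0.0.7 is a user who mistyped twice and then logged in (4624 is a success).
SAMPLE_EVENTS: List[Tuple[str, int, str, str]] = [
    ("2024-03-01T08:00:01", 4625, "alice", "10.0.0.5"),
    ("2024-03-01T08:00:03", 4625, "alice", "10.0.0.5"),
    ("2024-03-01T08:00:05", 4771, "alice", "10.0.0.5"),
    ("2024-03-01T08:00:07", 4625, "alice", "10.0.0.5"),
    ("2024-03-01T08:00:09", 4625, "alice", "10.0.0.5"),
    ("2024-03-01T08:00:11", 4625, "alice", "10.0.0.5"),
    ("2024-03-01T08:10:00", 4625, "bob", "10.0.0.99"),
    ("2024-03-01T08:10:02", 4625, "carol", "10.0.0.99"),
    ("2024-03-01T08:10:04", 4771, "dave", "10.0.0.99"),
    ("2024-03-01T08:10:06", 4625, "erin", "10.0.0.99"),
    ("2024-03-01T08:10:08", 4625, "frank", "10.0.0.99"),
    ("2024-03-01T08:10:10", 4625, "grace", "10.0.0.99"),
    ("2024-03-01T09:00:00", 4625, "hank", "10.0.0.7"),
    ("2024-03-01T09:00:30", 4625, "hank", "10.0.0.7"),
    ("2024-03-01T09:01:00", 4624, "hank", "10.0.0.7"),
]

# Event IDs counted as a failed authentication attempt (assumed mapping for this example).
FAILURE_EVENTS = {4625, 4771}


def detect_brute_force(events, threshold: int = 5) -> List[Tuple[str, int]]:
    """Classic brute force: one account accumulating many failed attempts."""
    failures: Dict[str, int] = defaultdict(int)
    for _ts, event_id, account, _ip in events:
        if event_id in FAILURE_EVENTS:
            failures[account] += 1
    return sorted((a, n) for a, n in failures.items() if n >= threshold)


def detect_spraying(events, min_accounts: int = 5, max_per_account: int = 2) -> List[Tuple[str, int]]:
    """Password spraying: one source failing against many accounts, each only a few
    times, which keeps every account under a typical lockout threshold."""
    per_source: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for _ts, event_id, account, ip in events:
        if event_id in FAILURE_EVENTS:
            per_source[ip][account] += 1
    hits: List[Tuple[str, int]] = []
    for ip, accounts in per_source.items():
        low_and_wide = [a for a, n in accounts.items() if n <= max_per_account]
        if len(low_and_wide) >= min_accounts:
            hits.append((ip, len(low_and_wide)))
    return sorted(hits)


def summarize(events) -> Dict[str, list]:
    """Both detections in one report, the shape a SIEM alert would carry."""
    return {
        "brute_force_accounts": detect_brute_force(events),
        "spraying_sources": detect_spraying(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

In production the counts should be bucketed per time window (for example, failures per account per 10 minutes) rather than over the whole log, and the lockout threshold from the account policy described earlier is the natural value for max_per_account: a spray is designed to stay just below it.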
BONUS TIPS for regular users:
- Watch out for shoulder surfing - Use long passwords that are hard to memorize if seen being typed.
- Watch out for eavesdropping - Yes, this is still a thing to this day, but I am mostly referring to someone getting visibility into your WiFi traffic and seeing what you do. Hide your password in a string. This way, during transmission from client to server, an intruder is unable to compromise the password even if they sniff it using traffic analysis, because the password is in hashed format with some dummy characters.
- Watch out for guessing - Make it hard for anyone to guess it; don't use the name of your dog and your birth date. Use special characters, numbers and a long passphrase.
- Choose to use a multilingual keyboard - Why? Using a multilingual keyboard drastically reduces the effectiveness of a brute force attack, since a multilingual keyboard has 260 characters. The time required to recover the password is exponentially longer when the target uses a multilingual keyboard.
- Use a virtual keyboard - The main advantage of a virtual keyboard is that it provides better resistance against keystroke logging. With a virtual keyboard, key loggers and other keystroke-based attacks are avoided.
- Be tricky - Even if you write your password down on a piece of paper or in a notebook, make sure you always add some extra characters to it. This makes it harder for the attacker because the actual password is embedded among some extra dummy characters. Even if an intruder gets the paper, they will be unable to log in to the system.