The Detection and Response Team (DART) at tech giant Microsoft has warned of an increase in the number of password spraying attacks directed at valuable cloud accounts.
For reference, password spraying is a type of brute-force attack in which the culprits attempt logins to an application using a series of usernames paired with default passwords. A single password is tried against a number of different accounts on the application, which avoids the account lockouts that are triggered when brute force is used on a single account by trying multiple passwords.
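The lockout-avoidance point above can be shown from the defender's side. The following is an added example, not code from Microsoft, DART or this article: it counts failed sign-ins per account (what a lockout policy sees) and per source across distinct accounts (where a spray shows up). The log format, thresholds, usernames and function names are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "time source_ip user result"; RFC 5737 example IPs.
SAMPLE_LOG = """\
2021-11-01T09:00:05 203.0.113.7 alice FAIL
2021-11-01T09:02:11 203.0.113.7 bob FAIL
2021-11-01T09:04:40 203.0.113.7 carol FAIL
2021-11-01T09:06:02 203.0.113.7 dave FAIL
2021-11-01T09:08:30 203.0.113.7 helpdesk-admin FAIL
2021-11-01T09:01:00 198.51.100.20 jdoe FAIL
2021-11-01T09:01:05 198.51.100.20 jdoe FAIL
2021-11-01T09:01:09 198.51.100.20 jdoe FAIL
2021-11-01T09:01:14 198.51.100.20 jdoe FAIL
2021-11-01T09:01:20 198.51.100.20 jdoe FAIL
2021-11-01T09:10:00 192.0.2.15 erin FAIL
2021-11-01T09:10:30 192.0.2.15 erin OK
"""

LOCKOUT_THRESHOLD = 5           # assumed per-account lockout policy
SPRAY_ACCOUNTS = 4              # assumed: distinct accounts per source
WINDOW = timedelta(minutes=30)  # assumed sliding window

def failures(log):
    """Yield (time, ip, user) for each failed sign-in line."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        if result == "FAIL":
            yield datetime.fromisoformat(ts), ip, user

def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts whose own failure count reaches the lockout threshold."""
    counts = Counter(user for _, _, user in events)
    return sorted(u for u, n in counts.items() if n >= threshold)

def spray_sources(events, window=WINDOW, min_accounts=SPRAY_ACCOUNTS):
    """Sources that failed against many distinct accounts in one window."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = defaultdict(set)
    for ip, evs in by_ip.items():
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] |= users
    return {ip: sorted(users) for ip, users in flagged.items()}
```

On the constructed log, the per-account counter flags only the account that was guessed repeatedly, while the per-source check flags the address that tried one attempt each against five accounts.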
High Profile Accounts Targeted
Researchers at DART have warned of attacks against specific admin accounts and have issued a list of users that need to be protected. These include security administrators, global administrators, Helpdesk administrators and user administrators, among others. The report notes an “uptick” in cloud administrator accounts being targeted. Threat actors are reportedly also attempting to compromise identities with a high profile or access to sensitive data.
Suspicious activity can be checked through specific tools like the Microsoft Cloud App Security portal, and Microsoft has recommended the following alerts to check for:
- Activity from anonymous IP addresses
- Impossible travel
- Activity from infrequent country
- Activity from suspicious IP address
Attacks Becoming Increasingly Common
This comes months after the Cybersecurity and Infrastructure Security Agency (CISA) revealed at the beginning of this year that the threat actors responsible for the SolarWinds attack had used common hacking techniques like password spraying or password guessing to break into the networks of targeted organizations.
Password spraying attacks have become increasingly commonplace since July 2021, with more and more threat actors using the technique to target organizations. The NSA had previously revealed that the Russia-backed hacking group Fancy Bear had launched password spraying attacks against foreign organizations, including those in the US.
Steps Suggested by the DART
The company has also issued a number of steps to protect cloud accounts from spray attacks. For starters, the team says that brute force prevention should be applied to both fields (username and password), and that account lockout policies should take effect after a specific number of incorrect password entries. Another recommendation is to enforce multi-factor authentication (MFA) across all accounts wherever and whenever possible, and to shift to password-less tech altogether.