Password spray is an increasing security threat that is impacting enterprises dealing with passwords. In this advisory we’ll explain these campaigns, how OneLogin mitigates the risks, and offer additional best practices for all businesses interested in protecting themselves.
Password spray campaigns, also known as “brutespray,” are specific types of password brute force attacks. Password brute force attacks are commonly used by hackers trying to penetrate systems and gain unauthorized access to an account, by attempting different password combinations against accounts until they guess a successful combination. These attacks have limitations, such as causing account lockouts after a short number of attempts. Password spray campaigns, however, attempt a single password across many user accounts before moving on to attempt an additional password, in order to allow the attacker to stay under the radar. This attack is becoming common against single sign on (SSO) and federated authentication solutions where brute forcing multiple accounts in parallel is more likely to go undetected.
Not only have these types of attack been on the rise in recent months, but the United States Computer Emergency Readiness Team has also deemed it a risk worthy of an advisory and issued this statement: “Brute Force Attacks Conducted by Cyber Actors.”
Access Management and SSO solutions like OneLogin are critical for protecting an organization from many common attacks such as password brute-force attacks in these three ways:
- SSO solutions which use identity federation (e.g. with SAML) eliminate application passwords and reduce the attack surface for the organization, such that every authentication attempt must pass through a system specially designed to secure corporate sign-in with means such as strong password policies and multiple authentication factors.
- Additional security features such as user lifecycle management and automated offboarding are also critical in reducing the attack surface for the organization, by eliminating ghost or orphan accounts which may otherwise be used to gain access.
- Authentication events are unified and may be used for aggregate threat analysis and detection. In 2017 OneLogin acquired ThisData, a risk engine now being used internally at OneLogin for attaching a risk score to every security event. Customers can enable OneLogin’s Adaptive Authentication which uses the risk score for invoking a second factor in the case of a suspicious login. Customers can also leverage this risk score when streaming events to their own Security Information and Event Management (SIEM) or security analytics solution, to monitor and alert against suspicious activity.
Although the intention of more sophisticated attacks such as password spray campaigns is to stay under the radar by spreading the attack across multiple accounts, this works in favor of an advanced identity solution which aggregates and correlates security events for better account protection.
Specifically for addressing password spraying campaigns, OneLogin has implemented risk-mitigating precautions, such as automatically blacklisting IPs that have been verified to unsuccessfully attempt to sign into multiple OneLogin tenants, access OneLogin from traditionally risky locations and have extremely high login failure rates.
As a OneLogin customer, you can breathe easier knowing that our team is proactively working to keep your data secure. OneLogin is a security-first company, and our customer’s data and privacy are our number one priority.
We have some recommended best practices, which are largely based on our own in-house expertise as well as the aforementioned Homeland Security recommendations:
- Password settings. Apply a strong password policy that reduces the risk of attackers successfully guessing credentials. A strong password policy requires all users to use a password at least eight characters long and with special characters (e.g. lower case, upper case, numerals and non-alphanumeric characters). In addition, have passwords expire every 30 days such that users cannot reuse the last 10 passwords.
- MFA settings. Require all users to use at least one additional authentication factor when signing in. Requiring MFA will increase the difficulty of attackers exploiting weak credentials to gain access to your systems and apps.
- Event streaming. If you are using a (SIEM) or security analytics solution, use OneLogin’s security event streaming to add OneLogin sign-in events to your analytics to increase the likelihood of identifying potential attacks.
- Adaptive Authentication. OneLogin’s Adaptive Authentication triggers a second authentication factor in the case of a suspicious login attempt, making it more difficult for attackers to exploit weak credentials to gain access to your applications.
ADDITIONAL RECOMMENDATIONS FOR MICROSOFT CUSTOMERS
A core benefit of using OneLogin is the integration with Microsoft products, specifically unified directory management of Active Directory, Active Directory identity federation, and secure deployment of Office 365. OneLogin and Microsoft have many shared customers and share similar concerns about customers’ security. That’s why we have partnered with Microsoft to understand how the increase in password spray attacks they are experiencing may impact our shared customers. Specifically for Microsoft Exchange Online customers, Microsoft recommends implementing the following mitigations:
- Disable legacy protocols that are often targeted by password spray campaigns. Attackers target legacy protocols such as POP and IMAP for password spray attacks because it is more difficult for a service administrator to implement authentication protections like multi-factor authentication (possible, but still more complicated). Organizations often exempt legacy protocols from MFA, so it has become a safe avenue for attackers to pursue. This guidance will help an organization disable the Exchange Online protocols they will not need, thus reducing their target-able surface area. For more information check out this support article.
- Enable modern authentication. Customers can push all Exchange Online authentication to ‘modern’ standards. This means a much better multi-factor authentication experience and other security benefits. For more information check out this support article.
There are no additional actions for readers to take at this time. We will continue to investigate this threat and we will share additional information and best practices as they develop.
As a security-first company, we are committed to an ongoing effort to improve our security for our entire customer base. We’ll continue to improve the security of our infrastructure and our product with frequent updates. We’re committed to working with the industry to identify and investigate potential threats and respond to them immediately. We will also continue with our transparent and timely advisories and disclosures to alert and educate our customers and partners as needed.
We encourage our industry partners and customers to continue to support these goals and we hope that you appreciate the continued collaboration. If you have more questions, please contact OneLogin’s security team at firstname.lastname@example.org.