Tensions between the U.S. and Iran have spilled into cyberspace, with password spraying campaigns reported in the wake of the U.S. strike that killed Iranian general Qasem Soleimani and Iran's retaliatory missile attack. On Thursday morning, Dragos, an industrial control system (ICS) security firm, reported that it had tracked activity attributed to a state-sponsored group it calls Magnallium (the activity overlaps with what other vendors track as APT33 and APT34). This comes as no surprise: the U.S. government has repeatedly warned the private sector about Iranian cyber threats. Dragos described a broad password spraying campaign against U.S. electric utilities as well as oil and gas firms. It also appears that a second group Dragos calls Parisite has worked alongside Magnallium, exploiting known vulnerabilities in virtual private network (VPN) software.
Back in March 2019, Citrix, whose Gateway product is widely used for enterprise remote access, disclosed a breach attributed to an Iranian hacking group; the intrusion reportedly began with password spraying and ended with roughly 6 TB of data exfiltrated. In recent weeks attackers have returned to Citrix products, this time targeting a critical vulnerability in Citrix Application Delivery Controller and Citrix Gateway that can lead to remote code execution on the appliance.
Understanding Password Spraying
Password spraying (MITRE ATT&CK T1110.003) is a brute-force technique in which an attacker tries a small number of commonly used passwords, such as a season and year or the company name followed by a digit, against a large number of accounts. It is closely related to credential stuffing, which replays username/password pairs leaked in earlier breaches, and the two are often run by the same tooling. Where a traditional brute force attack hammers a single account with many guesses, which trips lockout after a handful of failures, password spraying inverts the loop: one password against every account, then a pause, then the next password. Each account sees only one or two failures per window, so per-account lockout never fires and the activity blends into ordinary failed logins. This "low-and-slow" approach, frequently spread across many source addresses, is how bots work through a login endpoint until a valid combination turns up.
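As an added illustration (not BotRx's own code, and not from the original post), here is a small Python detector that reads a constructed, hypothetical authentication log and contrasts what a per-account lockout rule sees with what a source-centric spray rule sees: the spraying source never trips lockout because each account takes a single guess, but it lights up on the "many distinct accounts, few attempts each" signal. The log format, thresholds, account names and IP addresses are all assumptions made for the example.

```python
"""Detecting a low-and-slow password spray in authentication logs.

Added example; this is not BotRx code.  The log format is hypothetical:
one event per line, "<ISO-8601 UTC timestamp> <OK|FAIL> user=<name> src=<ip>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ok": m.group(2) == "OK", "user": m.group(3), "src": m.group(4)}


def locked_out_accounts(lines, threshold=5):
    """What a plain per-account lockout policy catches: accounts with
    `threshold` consecutive failures.  A spray stays under this by design."""
    streak, locked = defaultdict(int), set()
    for e in filter(None, map(parse_line, lines)):
        if e["ok"]:
            streak[e["user"]] = 0
            continue
        streak[e["user"]] += 1
        if streak[e["user"]] >= threshold:
            locked.add(e["user"])
    return locked


def detect_spray(lines, window=timedelta(minutes=30), min_accounts=8, lockout_threshold=5):
    """Flag sources whose failures, inside one sliding `window`, touch at least
    `min_accounts` distinct accounts while every account stays below
    `lockout_threshold`.  One account hit many times is brute force, not spray
    (lockout handles that); one account hit a few times is a forgetful user."""
    failures = sorted(
        (e for e in map(parse_line, lines) if e and not e["ok"]), key=lambda e: e["ts"]
    )
    by_src = defaultdict(list)
    for e in failures:
        by_src[e["src"]].append(e)

    hits = []
    for src, evs in by_src.items():
        best = None  # (distinct accounts, max attempts on any one account) for the densest window
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:  # slide the window start forward
                lo += 1
            per_user = defaultdict(int)
            for e in evs[lo : hi + 1]:
                per_user[e["user"]] += 1
            if best is None or len(per_user) > best[0]:
                best = (len(per_user), max(per_user.values()))
        distinct, per_account_max = best
        if distinct >= min_accounts and per_account_max < lockout_threshold:
            hits.append({"src": src, "distinct_accounts": distinct,
                         "max_attempts_per_account": per_account_max})
    return hits


def _ts(minute, second=0):
    return f"2020-01-09T03:{minute:02d}:{second:02d}Z"


# Constructed sample log (not real traffic) covering three behaviours.
SAMPLE_LOG = (
    # 1) spray: one guess against each of 12 accounts, one per minute, from one source
    [f"{_ts(i)} FAIL user=employee{i:02d} src=203.0.113.7" for i in range(12)]
    # 2) a real user mistyping twice, then succeeding
    + [f"{_ts(5, s)} FAIL user=bob src=198.51.100.4" for s in (0, 20)]
    + [f"{_ts(5, 40)} OK user=bob src=198.51.100.4"]
    # 3) classic brute force: 8 guesses at one account, seconds apart
    + [f"{_ts(10, s)} FAIL user=admin src=192.0.2.9" for s in range(0, 40, 5)]
)

if __name__ == "__main__":
    print("per-account lockout would catch:", locked_out_accounts(SAMPLE_LOG))
    print("spray sources:", detect_spray(SAMPLE_LOG))
```

Two caveats a practitioner should keep in mind: an attacker who rotates source addresses will split the distinct-account count across many `src` values, so the same rule is worth running without the per-source grouping (many accounts failing, few attempts each, in one window, regardless of source); and `min_accounts` has to be tuned to the site's normal failed-login volume, or a busy Monday morning will look like a spray.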
Who is at Risk?
The threat of blackouts across the U.S. is a frightening prospect, but there is no evidence that Iran currently has the tools and tradecraft to disrupt physical equipment such as circuit breakers. The recent activity does, however, show what adversaries are willing to attempt. Password spraying, credential stuffing, and brute force attacks are not a nation-state specialty; they are among the most common attacks against any website or application with a login form. BotRx observes these attacks at scale, on a continuing basis, across businesses of every size and vertical.
How BotRx Stops Password Spraying Attacks
Stopping password spraying is a form of fraud prevention: the attacker is denied the account access that is usually only the first step in a longer chain, whether identity theft, financial abuse, or, in this case, a foothold toward control of infrastructure.
BotRx ProTx continuously runs checks to distinguish human, good-bot, and bad-bot traffic. When a bot starts testing login credentials, its traffic passes through several detection layers, including a WAF, device and tool fingerprinting, behavioral modeling, and stateful bot tracking. ProTx bot mitigation then applies a Moving Target Defense approach using its patented Dynamic Transformation technique, which traps and confuses the bot with random sequences that the automation cannot follow, cutting off access to the target page or login after only a few transactions.
To protect networks and data, companies must understand these methods, deploy controls that evolve with the threat (per-source and per-account rate limiting, multi-factor authentication, and alerting when many accounts fail from one source), and continually test the efficacy of those controls to confirm they actually hold.
To learn more about password security, read our blog post How the Numbers "123456" Are Hurting Your Cybersecurity.