Credential cracking, or password spraying, is one of the most effective ways for cybercriminals to get access to user accounts. It refers to the brute-force automated cracking, or pairing of usernames and passwords by using sophisticated high-speed bots.
According to a National Cyber Awareness report from May 2020, cybersecurity agencies have been investigating large-scale password spraying attacks on healthcare-related organizations in several countries including the US and the UK. Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) are seeing continued malicious cyber activity actively targeting organizations involved in COVID-19 responses. The pandemic seems to have piqued the interest of APT groups as it presents them with a unique opportunity to steal sensitive research data or valuable intelligence about healthcare policy whether for their own commercial or state benefit.
While other industries such as financial services, government and education, have been targets of APT groups in the past, since the pandemic began there has been a marked increase in the number of password spraying attacks on the medical sector with international pharmaceutical and clinical research laboratories thought to be more vulnerable to an attack due to their global reach and complex supply chains. Targets include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.
Described by OWASP as ‘Brute force, dictionary (word list) and guessing attacks’, credential cracking or password spraying attacks are often successful as for any given large user group there will always be a percentage of those using common or easily-guessable passwords. A hacker with access to a large database of usernames can simply use credential cracking software to guess the matching password, and credential cracking bots, capable of making billions of guesses per second, are intelligent enough to detect the most commonly used passwords. When the logins and passwords are successfully matched account takeover can occur.
Over 1.2 million Microsoft accounts were compromised in January 2020 and 40% of those were the result of password spraying – Microsoft – RSA 2020
This type of attack should not be confused with credential stuffing which is the mass login attempts used to verify the validity of stolen username/password pairs.
In an effort to protect corporate accounts and networks from account takeover, the NCSC has provided examples of frequently found passwords, which attackers are known to use in password spray attacks whereas CISA offers a guide on ‘Choosing and Protecting passwords’. Attackers will use the most probable passwords and they know that users will often use simple and easy-to-remember passwords based on the month of the year, seasons, and the year.
Multi Factor Authentication (MFA) goes a long way in defending against password spraying attacks but even more effective would be to eliminate the need for passwords altogether with the use of biometrics or fingerprint, voice, or facial recognition.
This type of persistent automated attack is carried out by Advanced Persistent Bots (APBs) which have more sophisticated capabilities than the average bots. And while organizations continue to rely heavily on passwords to protect networks and enterprise databases, being able to identify and block bad bots without impacting genuine traffic is critical.
Find out how Imperva Advanced Bot Protection defends websites, mobile apps, and APIs from automated threats without affecting the flow of business-critical traffic.
Join us on July 22 for our webinar Cybersecurity in healthcare and the impact on compliance.