password spraying

What is password spraying?

Password spraying is a cyberattack tactic that involves a hacker using a single password to try and break into multiple target accounts. It's a type of brute-force attack.

Password spraying is an effective tactic because it's relatively simple to carry out, and users often have easy-to-guess passwords. They may use ordinary dictionary words or the default password that came with their account or device.

In 2022, the Cybersecurity and Infrastructure Security Agency published an alert that listed password spraying as a common tactic of state-sponsored cyberattackers.

How does a password-spraying attack work?

To carry out a password-spraying attack, a malicious actor needs a list of target usernames and at least one -- but usually more -- common passwords to "spray" the accounts with.

The cyberattacker may buy a list of usernames, obtain compromised usernames from previous breaches or data leaks, or create a list using common default username formats. For example, the attacker could take a list of employees from a company directory or LinkedIn page and infer usernames from that. For example, a likely username for John Smith, employee of TechCompany, is [email protected]. The attacker may also target specific employees and find their usernames.

To obtain a password list, the hacker could publish reports and studies that list common passwords or focus on compiling their own using relevant information to the target organization or accounts -- for example, the location or name of the organization. The attacker may also deduce common passwords by using a dictionary attack -- compiling a list of passwords that consist of common dictionary words.

Once the cyberattacker has their username and password lists, they apply one password to every username before repeating the process with the next password. Trying one password at a time helps the attacker avoid the account lockout policies that come with too many login attempts. The hacker often uses automation to quickly iterate through the username/password combinations to find a match.

Who uses password-spraying attacks?

Password-spraying attacks can be used by hackers of varying skill levels because they are relatively simple to perform. The investigating organization has to determine what -- if any -- other mechanisms were used as part of the broader attack. For example, the password-spraying attack might be one component of a larger effort to infect a company's network with ransomware or cause a slow, discreet data leak.

Despite the password-spraying attack's accessibility across hacker skill levels, nation-state-backed cybercrime groups have shown a consistent tendency to use the technique. A couple of examples are the Russian state-backed group Midnight Blizzard, also known as Nobelium, and the Iranian-backed Peach Sandstorm, also known as Holmium and APT33.

Who do password-spraying attacks target?

Password-spraying attacks vary in specificity, depending on the motive of the attacker. They generally target a collection of accounts because the technique requires many accounts to work. However, the end goal of a password-spraying attack may be to breach a specific privileged employee's account, such as the chief executive officer, cybersecurity leadership or financial leadership. They may also compromise health records if the attack is carried out against a hospital. The target depends on the type of privileged data the hacker is after.

Commonly targeted ports and management services include the following:

• Secure Shell (22/TCP).
• Telnet (23/TCP).
• File Transfer Protocol (21/TCP).
• Lightweight Directory Access Protocol (389/TCP).
• HTTP/HTTP Management Services (80/TCP and 443/TCP).
• Oracle (1521/TCP).
• MySQL (3306/TCP).

The above information was sourced from an entry on password spraying from the Mitre ATT&CK framework. Cloud-based applications with federated authentication protocols and single sign-on applications are also common targets of password spraying.

Effects of password-spraying attacks

Password-spraying attacks have the potential to cause significant financial damage to an organization. Not all password-spraying attacks are specifically used to inflict financial damage. They can also be used to steal financial data and make fraudulent purchases. They may also steal other sensitive data, such as information about how proprietary software is built, and sell it to competitors.

These attacks can also slow a business's daily operations, as it must dedicate resources to stopping the attack and expel the attacker from the network. They can also cause reputational damage if the business does not properly or completely disclose the attack to its customers and other interested parties. This can influence the public's trust in an organization and the organization's stock prices.

Password-spraying attacks may also be the gateway into a proprietary network that makes the target vulnerable to other, potentially more damaging cyberattacks. For example, an attacker could use the information gleaned from password spraying to conduct a phishing campaign by posing as the victim in emails or over text.

Examples of password-spraying attacks

Microsoft disclosed in early 2024 that accounts from Microsoft's legal, executive and cybersecurity teams had all been breached. Microsoft attributed the attack to the same group that performed the SolarWinds attack of 2020. The hacking group -- designated Midnight Blizzard, formerly Nobelium -- is a state-backed Russian hacking group. The group also goes by the name Cozy Bear.

Microsoft disclosed that hackers were able to compromise a legacy test account with password spraying. From there, the hackers were able to use the test account's permissions to gain access to Microsoft's senior leadership accounts. Microsoft also disclosed separately that the same hacking group had used password spraying multiple times in the past to steal credentials through Microsoft Teams chats.

Another example came from the Iranian state-backed threat actor Peach Sandstorm. Between February and July 2023, Peach Sandstorm launched a barrage of cyberespionage attacks against a large collection of global targets to establish persistence in target environments and collect intelligence. Password spraying was a central technique in the attacks, which primarily focused on defense, satellite and pharmaceutical organizations. The attacks were regularly launched between 9 a.m. and 5 p.m. Iran Standard Time from a Tor IP address, according to a Microsoft report.

How to detect password-spraying attacks

One telltale sign of a password-spraying attempt is consistent failed login attempts on multiple user accounts. Authentication logs show an organization's security team a record of login failures for company accounts. A high frequency of login activity over a short period of time may also be indicative of a password-spraying attack. Logins from nonexistent, inactive or legacy accounts also indicate a potential password-spraying effort.

How to defend against password-spraying attacks

The following are some ways to prevent and defend against password-spraying attacks:

• Instill a strong password policy. A good password policy includes using a longer string of characters, avoiding basic dictionary words and forcing users to change their default password on first login to the account.
• Implement login detection. Login detection records information about user login activity. Organizations should be looking at log information to see the usernames being logged in to. If an organization sees its users attempting to log in to systems on the network that they never have connected to, it could be an indication of a password-spraying attack.
• Set a lockout policy. Set a threshold for the lockout policy at the domain level. The threshold should be low enough to prevent multiple illegitimate authentication attempts but high enough to give legitimate users some margin for simple login errors. The lockout policy should come with simple processes for reinstating access to accounts for legitimate users as well.
• Implement a CAPTCHA. A CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) can help prevent password spraying where a strong lockout policy isn't possible.
• Use two-factor authentication. Making sure that two-factor authentication is enabled on accounts prevents these types of attacks and makes it more difficult for hackers to make use of stolen credentials -- even if they are legitimate.
• Use a unique username format. Easily guessable username formats can help a hacker compile their list of targets with little to no information about them. Using a nonstandard format gives the hacker less power to intuit the credentials of a target user.

Password-spraying vs. brute-force attacks

Password spraying is a specific type of brute-force attack. Both attack types use a trial-and-error approach to break into a victim's account. The difference is password spraying uses a single password to attack several accounts. Traditional brute-force attacks try many different passwords to break into a single account. Brute-force attacks can cause account lockouts after a certain number of failed login attempts. Password-spraying attacks are more likely to bypass this flaw because they only use one password at a time.