Australian organizations are facing a higher than usual level of “password spray” attacks aimed at compromising corporate email and network accounts, the Australian Cyber Security Centre (ACSC) has warned.
The warning comes amid news that ACSC is briefing Australian universities this week about shoring up defences against cyber attacks.
The ACSC, a unit of spy agency Australian Signals Directorate, issued a warning this week that it was aware of a “high volume of ongoing password spray attacks targeting Australian organisations.”
The warning is buried in the “publications” section of ACSC’s website, but was picked up and promoted by the US Department of Homeland Security’s cybersecurity body, the Cybersecurity and Infrastructure Security Agency (CISA).
CISA last March warned US organizations to watch for password spraying attacks, based on information from FBI investigators, after Iranian hackers linked to Iran’s Mabna Institute were indicted for computer intrusion offenses that affected hundreds of institutions, including as many as 26 Australian universities, the Sydney Morning Herald (SMH) reported at the time.
Password spraying is a variant of brute-force password guessing designed to evade mitigations such as account lockout and rate limiting, which cap the number of guesses an attacker can make against a single account within a set timeframe.
Instead of hitting one account with a large number of popular passwords, attackers take a small set of the most common passwords (often the worst, such as "123456") and try each one across a large number of accounts, so that any single account sees only one or two failures per observation window. That keeps the attack below the lockout and rate-limiting thresholds used in Windows Active Directory domains and online services.
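To make the evasion concrete, the following added example (not code from ACSC, CISA or Microsoft) models a per-account lockout policy in the style of an Active Directory domain and runs a per-account brute force and a spray against it. The directory contents, the lockout threshold of 5 failures within a 30-minute observation window, and the wordlist are all constructed assumptions for illustration.

```python
"""Added example: why a password spray stays under a per-account lockout
policy while a classic per-account brute force trips it.
Accounts, passwords, thresholds and wordlist are constructed (assumptions)."""

# Hypothetical directory of 20 accounts; three of them use weak passwords.
USERS = {f"user{i:02d}": f"Str0ng!Pass{i}" for i in range(20)}
USERS.update({"user03": "123456", "user11": "Password1", "user17": "Azure19"})

LOCKOUT_THRESHOLD = 5     # bad attempts before the account locks (assumed policy)
OBSERVATION_WINDOW = 30   # minutes; the bad-attempt counter resets after this


class Directory:
    """Minimal model of an authentication service with AD-style lockout."""

    def __init__(self, users, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
        self.users = users
        self.threshold = threshold
        self.window = window
        self.failures = {}   # user -> (bad attempts, minute the window started)
        self.locked = set()

    def authenticate(self, user, password, minute):
        """Return 'ok', 'fail' or 'locked'; 'minute' is the attempt's timestamp."""
        if user in self.locked:
            return "locked"
        if self.users.get(user) == password:
            self.failures.pop(user, None)      # success resets the counter
            return "ok"
        count, start = self.failures.get(user, (0, minute))
        if minute - start >= self.window:      # window expired: start a new one
            count, start = 0, minute
        count += 1
        self.failures[user] = (count, start)
        if count >= self.threshold:
            self.locked.add(user)
        return "fail"


def brute_force(directory, user, wordlist):
    """Classic guessing: many passwords against one account, all at minute 0."""
    for password in wordlist:
        result = directory.authenticate(user, password, minute=0)
        if result == "ok":
            return password
        if result == "locked":
            return None               # the lockout policy stopped us
    return None


def spray(directory, users, wordlist):
    """Password spray: one password per round across every account, with each
    round spaced one observation window apart so no account accumulates
    more than a single failure per window."""
    compromised = {}
    for round_no, password in enumerate(wordlist):
        minute = round_no * OBSERVATION_WINDOW
        for user in users:
            if directory.authenticate(user, password, minute) == "ok":
                compromised[user] = password
    return compromised


# Constructed spray list in the spirit of the article's examples.
WORDLIST = ["123456", "password", "abc123", "Password1",
            "Office2019", "Azure19", "qwerty", "letmein"]


def demo():
    """Run both attacks against fresh copies of the directory.
    Returns (accounts locked by brute force, accounts found by spray,
    accounts locked by spray)."""
    brute_dir = Directory(USERS)
    brute_force(brute_dir, "user17", WORDLIST)   # user17's password is 6th in the list
    spray_dir = Directory(USERS)
    found = spray(spray_dir, USERS, WORDLIST)
    return sorted(brute_dir.locked), found, sorted(spray_dir.locked)


if __name__ == "__main__":
    locked_by_brute, found_by_spray, locked_by_spray = demo()
    print("brute force locked:", locked_by_brute)
    print("spray compromised:", found_by_spray)
    print("spray locked:", locked_by_spray)
```

The brute force never reaches the sixth guess: the fifth failure locks user17. The spray, spacing its rounds a full window apart, tries all eight passwords against all twenty accounts without locking any of them and recovers every weak password. A spray whose rounds arrive faster than the observation window, or a wordlist tried without pausing, does lock accounts, which is why real sprays are "low and slow".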
ACSC says the password spraying attacks “target users on standard corporate external services such as webmail, remote desktop access, Active Directory Federated Services (ADFS) or cloud based services such as Office 365”.
“Depending on the credentials and service, successful authentication can potentially lead to the actor gaining access to corporate emails, the corporate directory, global address books, remote desktop services or administrative access,” it warns.
Earlier this week SMH reported the ASD would brief vice-chancellors of Australia’s universities about hackers targeting research data.
The briefing follows a serious breach the Australian National University (ANU) disclosed earlier this year that exposed sensitive personal information of students and academics. ANU is a Microsoft Office 365 customer. The university was reportedly the target of China-based hackers in an attack disclosed in 2018.
The Australian Catholic University also reported a breach in June after phishing attackers captured staff login credentials and from there gained access to the email accounts, calendars and bank account details of some staff.
Microsoft now opposes periodic forced password changes because they encourage users to choose bad passwords. It contends, however, that password spray attacks are detectable, noting recently that most attackers try about 10 passwords per account during a campaign, though some try as few as two and some as many as 50.
The low-rate guessing it observed fell into two groups, attempting roughly 4,000 and 10,000 accounts per hour respectively, using notoriously bad passwords such as “123456”, “password” and “abc123”, or, if the attacker knows the target runs Microsoft products, “Office2019” or “Azure19”.
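The shape Microsoft describes (thousands of distinct accounts per hour, only a handful of failures per account) is what a detector should key on, as opposed to a per-account brute force, which shows the opposite shape. The following added example (not Microsoft's or ACSC's detection logic) parses constructed sign-in failure records, buckets failures per source address and hour, and classifies each bucket. The log format, the addresses and the thresholds are assumptions; real sources such as Windows event 4625, ADFS audit events or Office 365 sign-in logs have their own fields, and an operator would tune the thresholds to the size of the directory.

```python
"""Added example: classify per-source, per-hour authentication failures as a
password spray (many accounts, few failures each) or a per-account brute
force (one account, many failures). Log format and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed line format (assumption): "<ISO timestamp> src=<ip> user=<upn> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Thresholds (assumed). Microsoft reports sprays of about 2 to 50 guesses per
# account spread over thousands of accounts per hour; they are scaled down
# here to suit the small constructed sample.
SPRAY_MIN_ACCOUNTS = 20        # distinct accounts failing from one source per hour
SPRAY_MAX_PER_ACCOUNT = 10     # failures per account a spray typically stays under
BRUTE_MIN_PER_ACCOUNT = 20     # failures on a single account that mark a brute force


def parse(lines):
    """Yield dicts for well-formed lines; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield event


def classify(lines):
    """Return {(src, hour): 'spray' | 'brute_force'} for suspicious buckets."""
    # (src, hour) -> {user: failure count}
    buckets = defaultdict(lambda: defaultdict(int))
    for event in parse(lines):
        if event["result"] != "FAIL":
            continue
        hour = event["ts"].strftime("%Y-%m-%dT%H")
        buckets[(event["src"], hour)][event["user"]] += 1

    verdicts = {}
    for key, per_user in buckets.items():
        worst_account = max(per_user.values())
        if len(per_user) >= SPRAY_MIN_ACCOUNTS and worst_account <= SPRAY_MAX_PER_ACCOUNT:
            verdicts[key] = "spray"          # wide and shallow
        elif worst_account >= BRUTE_MIN_PER_ACCOUNT:
            verdicts[key] = "brute_force"    # narrow and deep
    return verdicts


def constructed_log():
    """Synthetic sample: a spray, a single-account brute force and benign noise.
    Addresses are from the RFC 5737 documentation ranges."""
    lines = []
    # Spray: two passwords across 40 accounts, one attempt per minute, one source.
    for n in range(80):
        lines.append(
            f"2019-08-14T09:{n % 60:02d}:{n // 60:02d}Z src=203.0.113.7 "
            f"user=u{n % 40:02d}@example.com result=FAIL"
        )
    # Brute force: 30 failures against one account from one source.
    for n in range(30):
        lines.append(
            f"2019-08-14T10:{n:02d}:00Z src=198.51.100.9 user=u05@example.com result=FAIL"
        )
    # Noise: a user mistypes twice, then signs in.
    lines += [
        "2019-08-14T09:15:00Z src=192.0.2.4 user=u12@example.com result=FAIL",
        "2019-08-14T09:15:20Z src=192.0.2.4 user=u12@example.com result=FAIL",
        "2019-08-14T09:15:41Z src=192.0.2.4 user=u12@example.com result=OK",
    ]
    return lines


def demo():
    return classify(constructed_log())


if __name__ == "__main__":
    for (src, hour), verdict in sorted(demo().items()):
        print(f"{hour} {src}: {verdict}")
```

Because a spray from a cloud provider or proxy pool will rotate source addresses, a production rule would also bucket on the wider view (distinct accounts failing per hour across all sources, failures per account directory-wide) and correlate with the user-agent and the authentication endpoint (webmail, ADFS, legacy protocols) named in the ACSC advisory; the per-source bucket here is the simplest case.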
ACSC’s UK counterpart, the NCSC, recently ran a study with organisations there and found that three-quarters of them had accounts whose passwords appeared among the 1,000 most common, suggesting attackers have plenty of targets to choose from when using this style of "low-and-slow" password-guessing attack.