Breach Detection:
Cyberseer's Response to Targeted Password Spraying Attacks

Well-established cyber threats pose significant risks to businesses across all sectors. Our recent cybersecurity investigations have confirmed the persistent use of password spraying and the use of stolen credentials, again emphasising the need for continuous and robust defence strategies.

Incident Overview:

Our SOC detected a password spraying campaign that drew on data from earlier, non-credential breaches (leaked personal data rather than passwords) to choose its targets. The leaked information let the attackers narrow their target list to accounts very likely to hold elevated privileges, rather than spraying the whole directory. The activity first appeared in one client's network as what looked like isolated credential-theft attempts, but quickly spread to multiple accounts.

Through open source investigation, Cyberseer attributed the activity at both affected clients to two specific breaches of personal data, and worked with each client to establish where the breached services were used within their organisation. This gave the clients a clear picture of the threat and allowed them to secure any executive accounts identified as high risk.

After the initial mitigation work of securing any high-risk accounts, Cyberseer worked with the affected clients to deploy further measures to harden the login process: revising access controls, enhancing monitoring, and educating users on the importance of following security procedures. The swift action taken by our SOC team demonstrates our commitment to protecting clients against evolving cyber threats.

Understanding the Threat:

Password spraying is a form of brute-force attack in which a small number of common passwords are tried against many accounts, typically slowly and with only one or two attempts per account, so that no single account accumulates enough failures to trigger a lockout. Ordinary brute force is the reverse: many passwords against one account, which lockout policies are designed to catch. This campaign was notable for combining that technique with detailed personal information to refine target selection, which increased its potential impact.

According to Verizon’s 2021 Data Breach Investigations report, tactics involving password use featured in 61% of hacking-related breaches, underscoring the prevalence and effectiveness of such strategies.

Indicators of Compromise

The attacks originated from a network known for previous malicious activity. This campaign was the first time we had observed such a combination of targeting and execution, with previously breached data used to maximise efficiency and impact.

Impact and investigation

The targeted accounts were primarily those with high-level access within their organisations. Our analysis indicated that the breach sources were publicly accessible databases with inadequate security measures.

[Figure: screenshot of failed login attempts traced to AS35048, Biterika Group LLC]

During our investigation, we discovered a pattern of unusual login attempts that we traced back to an autonomous system operated by Biterika Group LLC (AS35048). The screenshot above shows the failed login attempts. The timing and frequency of these attempts (low volume per account, spread across many accounts from the same source network) were the additional indicators that let our team confirm this was a spray rather than isolated failed logins.

Mitigation and Prevention

Following the detection of this threat, several measures were swiftly implemented:

  • Enhanced Network Monitoring: Updated rules were applied to our network monitoring systems to detect and flag any suspicious activities from networks associated with malicious actors.

  • Geographic Blocking: Access restrictions were set up to block login attempts from high-risk locations, reducing the likelihood of unauthorised access. This is a speed bump rather than a barrier, since attackers can move to proxies or VPN exit nodes in permitted countries, so it is paired with the monitoring above.

  • Network Restrictions: Direct blocks on all network traffic to and from networks known for abusive activities were enforced to bolster security.
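The distinction drawn in "Understanding the Threat" (many accounts, few attempts each) is also the detection logic behind the enhanced monitoring rule. The following is an added example, not Cyberseer's tooling or any product's rule syntax: it runs a sliding-window detector over a constructed set of sign-in log lines in a made-up key=value format, groups failures by source network using a hypothetical IP-to-ASN table (RFC 5737 documentation addresses and RFC 5398 documentation ASNs), classifies each network as a spray or as ordinary brute force, and reports how many sprayed accounts are on a hypothetical high-value list, which is the executive-targeting pattern described above.

```python
"""Password-spray detection over sign-in logs (added example, not Cyberseer's tooling).

A spray shows as ONE source network failing against MANY distinct accounts with
only a FEW attempts per account, so no single account trips the lockout. Brute
force is the mirror image: many failures against one account.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Hypothetical IP-to-ASN table. 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges; AS64496 and AS64497 are RFC 5398 documentation ASNs.
ASN_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "AS64496",
    ipaddress.ip_network("198.51.100.0/24"): "AS64497",
}

# Hypothetical list of accounts known to hold elevated privileges.
HIGH_VALUE = {"ceo@corp.example", "cfo@corp.example", "ciso@corp.example", "coo@corp.example"}

# Constructed sample log (invented format, invented accounts).
SAMPLE_LOG = [
    # AS64496: two IPs, six accounts, two failures each inside 20 minutes -> spray
    "2024-03-12T09:00:11Z src=192.0.2.10 user=ceo@corp.example result=FAIL",
    "2024-03-12T09:00:14Z src=192.0.2.10 user=cfo@corp.example result=FAIL",
    "2024-03-12T09:00:19Z src=192.0.2.11 user=ciso@corp.example result=FAIL",
    "2024-03-12T09:00:23Z src=192.0.2.11 user=coo@corp.example result=FAIL",
    "2024-03-12T09:00:30Z src=192.0.2.10 user=vp.finance@corp.example result=FAIL",
    "2024-03-12T09:00:35Z src=192.0.2.11 user=alice@corp.example result=FAIL",
    "2024-03-12T09:15:02Z src=192.0.2.10 user=ceo@corp.example result=FAIL",
    "2024-03-12T09:15:06Z src=192.0.2.11 user=cfo@corp.example result=FAIL",
    "2024-03-12T09:15:10Z src=192.0.2.10 user=ciso@corp.example result=FAIL",
    "2024-03-12T09:15:14Z src=192.0.2.11 user=coo@corp.example result=FAIL",
    "2024-03-12T09:15:20Z src=192.0.2.10 user=vp.finance@corp.example result=FAIL",
    "2024-03-12T09:15:25Z src=192.0.2.11 user=alice@corp.example result=FAIL",
    # AS64497: one IP hammering one account -> brute force, not a spray
    *[f"2024-03-12T09:0{i}:00Z src=198.51.100.5 user=jsmith@corp.example result=FAIL" for i in range(8)],
    # successes and junk must not count
    "2024-03-12T09:02:00Z src=203.0.113.7 user=alice@corp.example result=OK",
    "this line is malformed and must be skipped",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def asn_for(ip):
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in ASN_TABLE.items() if addr in net), "AS-UNKNOWN")


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a detector must tolerate junk lines, not crash on them
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(lines, window=timedelta(minutes=30), min_accounts=5, lockout=5, high_value=HIGH_VALUE):
    """Classify each source ASN as 'spray' or 'brute_force' over its busiest window."""
    fails = sorted((e for e in parse(lines) if e["result"] == "FAIL"), key=lambda e: e["ts"])
    by_asn = defaultdict(list)
    for e in fails:
        by_asn[asn_for(e["src"])].append(e)
    findings = {}
    for asn, evs in by_asn.items():
        best = None
        for i, start in enumerate(evs):  # sliding window anchored on each failure
            per_user, srcs = defaultdict(int), set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
                srcs.add(e["src"])
            if best is None or len(per_user) > best["accounts"]:
                best = {"accounts": len(per_user), "max_per_account": max(per_user.values()),
                        "sources": sorted(srcs), "high_value_hits": len(set(per_user) & high_value)}
        if best["accounts"] >= min_accounts:
            best["kind"] = "spray"          # wide and shallow: stays under lockout per account
        elif best["max_per_account"] >= lockout:
            best["kind"] = "brute_force"    # narrow and deep: lockout policy should catch this
        else:
            continue
        findings[asn] = best
    return findings


if __name__ == "__main__":
    for asn, finding in detect(SAMPLE_LOG).items():
        print(asn, finding)
```

Grouping by ASN rather than by IP is what makes the two spraying addresses show up as one campaign; a per-IP rule with a threshold of five accounts would have seen three accounts from each address and stayed silent. The high-value hit count is what turns a generic "spray in progress" alert into the prioritised "executives are being targeted" finding described in the investigation.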

Strengthening Your Cybersecurity Posture:

Businesses can adopt the following strategies to protect against such advanced threats:

  1. Regular Password Management: Enforce sensible password policies for accounts with critical access, and eliminate non-expiring passwords. Because a spray relies on the most common passwords, screening new passwords against known-breached and common-password lists (as NIST SP 800-63B and the UK NCSC recommend) does more to blunt it than frequent rotation alone, which tends to push users towards predictable variants of the same password.

  2. Advanced Monitoring Solutions: It’s critical to utilise systems that provide comprehensive visibility and real-time alerts for any unusual activities. These systems ensure prompt detection and response, which is vital in a landscape where, according to IBM, the average data breach costs in excess of $4 million, highlighting the financial and operational importance of proactive security measures.

  3. Robust Authentication Measures: Implementing phishing-resistant multi-factor authentication, such as FIDO2 hardware security keys or platform authenticators backed by biometrics, significantly reduces the impact of a guessed or stolen password: the attacker may still land on the right password, but cannot complete sign-in without the second factor. Microsoft asserts that multi-factor authentication blocks over 99.9% of account compromise attempts. Sprayed first-factor failures still appear in the sign-in logs, so MFA complements monitoring rather than replacing it.

  4. Continuous Education and Training: Regular training sessions for all employees on the latest security threats and prevention techniques are crucial for maintaining a proactive defence posture.

The dynamic nature of cyber threats demands that our defences are equally agile and robust. Adopting a layered security approach that includes both technological solutions and informed human vigilance is the best way to protect your business assets and data. Our team remains dedicated to tracking emerging threats and refining our strategies to help you stay one step ahead of cyber criminals.

By proactively enhancing your cybersecurity measures and staying informed about new threats, your business can not only defend against attacks but also foster a culture of security that protects your most valuable information.

Contact us today to learn more about our Managed Security Services and discover how we can help keep your data, systems and reputation safe.
