People have been guessing passwords and vandalizing accounts for as long as passwords have existed. Of course, techniques have evolved from raiding junk drawers inside corporate offices to guessing passwords from common words and passphrases. Today, hackers run systematic trial and error, known as brute force, until the password is cracked. Once they are in, the damage potential is catastrophic.
Since mid-March, as lockdowns were being imposed over almost the entire planet, the number of brute force attacks targeting enterprise IT security also rose sharply. Stay-at-home orders forced enterprises to deploy more RDP (Remote Desktop Protocol) systems, thereby widening the attack surface available to hackers.
In fact, according to a report published by cybersecurity firm Kaspersky, the highest number of brute-force attacks was recorded in March 2020 in Italy with 978,808 cases, followed by China in April with 789,082 attempts.
Cyber-criminals are re-kindling interest in brute-force attacks
Brute force attacks are not surgical attempts; attackers normally operate by area. With the mass transition to remote working caused by the pandemic, cyber-criminals took a shot at enterprises, assuming that at least a handful of RDP servers would be poorly configured.
This led to a rise in the number of attacks on corporate resources that had been made available to remote workers without much security.
Attackers use scripts or bots to try all possible combinations until they find the one that works. Modern criminals have it easy because there are plenty of tools available for launching brute force attempts, but there is a catch: these attacks may be easy to execute, yet depending on the nature and length of the passwords, they can take weeks or months to succeed.
While brute force masterminds share the same goal, they implement different methodologies. Some attackers use words from the dictionary to find the password, which is known as a dictionary attack. They also try common passwords and phrases such as "password" or "123456". Reverse brute force occurs when the hacker has the password but not the user name; it involves trying common passwords against many possible usernames.
Credential stuffing is not a new source of misery for enterprises. Attackers use username and password pairs exposed in earlier breaches to launch further attacks. For example, gaining control over point A may make it easier to compromise points B, C, D, and so on.
One reason these attacks succeed is that the risk of poorly secured RDP access is real. They are well-established threats from opportunistic attackers who are getting smarter and are actively seeking loopholes in enterprise IT security.
Enterprises are retaliating
Once a cyber-criminal logs in successfully, they can carry out a whole range of malicious activities. It is not uncommon for employees to receive an email from a service provider saying that someone logged into their account from an unknown location.
Enterprise network operators often look out for signs of brute force attacks: multiple failed login attempts from the same IP address, or multiple login attempts against a single username. The latter are usually hackers using a proxy. Security professionals also watch for an abnormal amount of bandwidth being used after a successful login.
Essentially, it is difficult for IT staff to keep track of all their employee and admin passwords. So how could organizations put up an even stouter defense? Using encryption as strong as 256-bit to protect their passwords can greatly reduce an attacker's chances of logging in successfully. Also, to limit how far an attack can spread, they can lock user accounts after a fixed number of failed login attempts.
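As an added example (not part of the original article), the following Python script runs the two checks just described over a constructed set of authentication log lines: failed logins concentrated on one source IP, and failed logins concentrated on one username but spread across many sources. The log format, thresholds, usernames and addresses are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample authentication log (not taken from any real system), in a
# simplified syslog-like format: timestamp, result, username, source IP.
SAMPLE_LOG = """\
2020-04-01T10:00:01 FAIL user=alice src=203.0.113.7
2020-04-01T10:00:02 FAIL user=bob src=203.0.113.7
2020-04-01T10:00:03 FAIL user=carol src=203.0.113.7
2020-04-01T10:00:04 FAIL user=dave src=203.0.113.7
2020-04-01T10:00:05 FAIL user=erin src=203.0.113.7
2020-04-01T10:00:06 FAIL user=admin src=198.51.100.2
2020-04-01T10:00:07 FAIL user=admin src=198.51.100.3
2020-04-01T10:00:08 FAIL user=admin src=198.51.100.4
2020-04-01T10:00:09 FAIL user=admin src=198.51.100.5
2020-04-01T10:00:10 FAIL user=admin src=198.51.100.6
2020-04-01T10:00:11 OK   user=frank src=192.0.2.10
2020-04-01T10:00:12 FAIL user=frank src=192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")

def parse_log(text):
    """Yield (timestamp, result, user, src) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")

def find_brute_force(text, ip_threshold=5, user_threshold=5):
    """Return (noisy_ips, targeted_users, sources_per_targeted_user).

    noisy_ips: sources with at least ip_threshold failed logins (one host hammering).
    targeted_users: usernames with at least user_threshold failed logins.
    The third value counts distinct sources per targeted user; a high count
    suggests an attacker rotating through proxies rather than one stuck user.
    """
    fails_by_ip, fails_by_user = Counter(), Counter()
    ips_per_user = defaultdict(set)
    for _ts, result, user, src in parse_log(text):
        if result != "FAIL":
            continue  # successful logins do not count toward either signal
        fails_by_ip[src] += 1
        fails_by_user[user] += 1
        ips_per_user[user].add(src)
    noisy_ips = sorted(ip for ip, n in fails_by_ip.items() if n >= ip_threshold)
    targeted_users = sorted(u for u, n in fails_by_user.items() if n >= user_threshold)
    distributed = {u: len(ips_per_user[u]) for u in targeted_users}
    return noisy_ips, targeted_users, distributed
```

In production the same counters would be kept per sliding time window and fed to an alerting or lockout mechanism rather than computed over a whole file.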
Frequent privileged password changes and the use of two-factor authentication or MFA are good security practices too.
When enterprises require more than one factor to authenticate, such as a physical USB key or a fingerprint scan, things get pretty overwhelming for hackers. The same applies to showing a captcha after repeated login attempts.
Administrators should also randomize password hashes by salting them: add a random string of letters and numbers to each password before it is hashed, storing the random value in a separate database and retrieving it whenever the password is checked. It will throttle the rate of repeated logins.
In the end, brute force attacks are not going anywhere, and as hackers' toolkits evolve and expand exponentially, enterprises are gearing up their technology accordingly. They have been ensuring that users are protected, no matter when attackers choose to strike.