[BreachExchange] Brute-force attacks explained, and why they are on the rise

Destry Winant destry at riskbasedsecurity.com
Thu Jun 25 10:35:34 EDT 2020


Brute-force attack definition

A brute-force attack sees an attacker repeatedly and systematically
submitting different usernames and passwords in an attempt to eventually
guess credentials correctly. This simple but resource-intensive,
trial-and-error approach is usually done using automated tools, scripts or
bots cycling through every possible combination until access is granted.

“This is an old attack method, but it is still effective and popular with
hackers,” says David Emm, principal security researcher at Kaspersky.
“Brute-force attacks are often used to target devices on remote networks to
obtain personal information such as passwords, passphrases, usernames and
personal identification numbers (PINs).”

However, the longer the password and the stronger the encryption on the
saved credentials, the more time and computing power is needed, so it is
possible for organizations to decrease the efficiency of the attack to the
point where it is almost impossible for attackers to execute successfully.

In 2017 both the UK and Scottish Parliaments fell victim to brute-force
attacks, while a similar but unsuccessful attack occurred on the Northern
Irish Parliament a year later. Airline Cathay Pacific suffered a brute-force
attack a year later for which it was fined £500,000 [~$630,000] by the UK’s
data regulator due to lacking sufficient preventive measures. Ad blocking
service Ad Guard also forced a reset of all user passwords after suffering
a brute-force attack.

How brute-force attacks work

Brute-force attacks are often carried out by scripts or bots that target a
website or application’s login page. They cycle through every possible key
or password. Common applications include cracking passwords on websites or
applications, encryption or API keys, and SSH logins.

A password cracking attack is only one step in an attacker’s kill chain,
according to Emm. It can be used to gain access to user, email, banking or
SaaS accounts or to compromise APIs or any other service that requires a
login and credentials.

From there the attacker can perform their intended goal. “A successful
brute-force attack gives cybercriminals remote access to the target
computer in the network,” explains Emm. “The primary goal for these
attackers is to obtain personal information which can then be used to
access online accounts and network resources. From there, these can either
be used to send phishing links, spread fake content, or even harvest
credentials to sell on to third parties.”

“The process of guessing a password for a specific site can be a laborious
and time-consuming task, so hackers have since developed tools to help do
the job faster,” says Emm. “Automated tools are also available to help with
brute-force attacks, with names like Brutus, Medusa, THC Hydra, Ncrack,
John the Ripper, Aircrack-ng and Rainbow.”

“Many can find a single dictionary word password within one second. Tools
like these work against many computer protocols (like FTP, MySQL, SMTP, and
Telnet) and allow hackers to crack wireless modems, identify weak
passwords, decrypt passwords in encrypted storage and translate words into
leetspeak; ‘don'thackme’ becomes ‘d0n7H4cKm3,’ for example.”

A brute-force attack’s success is measured in the time it takes to
successfully crack a password. As a password’s length increases, the time
required to crack it increases exponentially. According to Cloudflare, a
seven-character password would, at a rate of 15 million key attempts per
second, take 9 minutes to crack. A 13-character password would take over
350,000 years.

Likewise, the longer an encryption key, the more time and resources
required to overcome it through brute force. A 128-bit encryption key has
2^128 possible combinations, while with 256-bit encryption, an attacker
would have to try 2^256 combinations. With current technology that would
take trillions of years to guess them all.
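The two paragraphs above make a quantitative claim: search time grows exponentially with password length and key size. The following is an added worked example (mine, not Cloudflare's or the article's calculation) that carries the arithmetic through. It assumes the 15 million guesses per second quoted above, a lowercase-only alphabet for the seven-character figure and a lowercase-plus-digits alphabet for the 13-character figure (my reading of the article's numbers, not something the article states), and a Julian year for unit conversion.

```python
# Added example: worst-case exhaustive-search time for passwords and keys.
# Assumptions (not from the article): alphabet sizes below, Julian year.

GUESSES_PER_SECOND = 15_000_000          # rate quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600    # Julian year, used only for unit conversion
LOWER = 26                               # a-z
LOWER_DIGITS = 36                        # a-z plus 0-9


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at `rate` guesses per second.
    On average an attacker succeeds after about half of this."""
    return keyspace(charset_size, length) / rate


def worst_case_years(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    return worst_case_seconds(charset_size, length, rate) / SECONDS_PER_YEAR


def key_search_years(bits: int, rate: float) -> float:
    """Exhaustive search of a `bits`-bit symmetric key at `rate` trials/second."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR


def growth_per_extra_char(charset_size: int, length: int) -> int:
    """Adding one character multiplies the search space by the alphabet size,
    which is what 'increases exponentially' means in the article."""
    return keyspace(charset_size, length + 1) // keyspace(charset_size, length)


if __name__ == "__main__":
    print(f"7 lowercase chars: {worst_case_seconds(LOWER, 7) / 60:.1f} minutes")
    print(f"13 alphanumeric chars: {worst_case_years(LOWER_DIGITS, 13):,.0f} years")
    # Even a hypothetical 10^12 keys/second machine does not dent a 128-bit key.
    print(f"128-bit key at 1e12/s: {key_search_years(128, 1e12):.2e} years")
    print(f"Each extra lowercase char multiplies the work by "
          f"{growth_per_extra_char(LOWER, 7)}")
```

The seven-character lowercase case comes out at roughly nine minutes and the 13-character alphanumeric case at a few hundred thousand years, matching the article's figures; the 128-bit key case shows why the article's "trillions of years" is, if anything, an understatement.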

“Depending on the length and complexity of the password, cracking it can
take anywhere from a few seconds to many years,” says Emm. “In fact, IBM
reports that some hackers target the same systems every day for months and
sometimes even years.”

Even if attackers use graphics processing units (GPUs), which can
significantly speed the number of combinations attempted per second,
increasing the complexity of the passwords and using strong encryption can
make the time needed to crack a password beyond anything feasible.

Types of brute-force attacks

Traditional brute-force attacks: An attacker tries every combination.

Reverse brute-force attacks: A small number of common passwords are
repeatedly tried against many accounts.

Credential stuffing: An attack attempts to use stolen usernames and
passwords from sites or services to hijack accounts on other services and

Dictionary attacks: An attack cycles through words from a dictionary or
common passwords from other data breaches.

Rainbow table attacks: Using a pre-computed dictionary of plaintext
passwords and their corresponding hash values, attackers determine
passwords by reversing the hashing function.

Remote work increases brute-force attacks

According to Verizon’s Data Breach Investigations Report 2020, less than
20% of breaches within SMBs involve brute force, and less than 10% for
large organizations. This trend had remained largely unchanged from 2019
and 2018 iterations of the report, but the coronavirus pandemic may have
changed the landscape.

“As a result of the COVID-19 pandemic, businesses worldwide have adopted
remote working policies, which has had a direct impact on the cyberthreat
landscape,” says Kaspersky's Emm. “Following the mass transition to home
working, cybercriminals have logically concluded that the number of poorly
configured RDP [remote desktop protocol] servers would increase, hence the
increase in attacks.”

“Since the beginning of March, the number of Bruteforce.Generic.RDP attacks
has rocketed across the globe and attacks on remote-access infrastructure
are unlikely to stop any time soon — given how many corporate resources
have now been made available to remote workers.”
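The section above describes the rise in RDP brute-force activity, and the list of attack types earlier on the page distinguishes a traditional attack (many guesses against one account) from a reverse brute-force attack (a few common passwords tried against many accounts). As an added example that is not part of the original article or Kaspersky's telemetry, the detector below tells those two patterns apart in failed-logon records. It assumes a constructed, simplified log line format; the real values it relies on are the Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, which is what RDP sessions use). The source addresses are documentation ranges and the whole sample log is constructed.

```python
# Added example: classify failed-logon bursts as brute force or password spray.
# Log format, event IDs and thresholds are assumptions; the log is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (not a real Windows event export):
#   2020-03-12T08:00:00Z EventID=4625 user=administrator src=203.0.113.7 logon_type=10
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) logon_type=(?P<ltype>\d+)$"
)
FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10

BASE = datetime(2020, 3, 12, 8, 0, 0)


def _line(offset_s: int, event: int, user: str, src: str) -> str:
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} EventID={event} user={user} src={src} logon_type={RDP_LOGON_TYPE}"


# Constructed sample: one host hammering 'administrator', one host trying
# six accounts once each, and one user who fails twice and then logs in.
SAMPLE_LOG = (
    [_line(5 * i, FAILED_LOGON, "administrator", "203.0.113.7") for i in range(12)]
    + [_line(60 + 30 * i, FAILED_LOGON, u, "198.51.100.23")
       for i, u in enumerate(["jsmith", "mjones", "svc_backup", "admin",
                              "finance", "helpdesk"])]
    + [_line(100, FAILED_LOGON, "jsmith", "192.0.2.50"),
       _line(130, FAILED_LOGON, "jsmith", "192.0.2.50"),
       _line(160, SUCCESS_LOGON, "jsmith", "192.0.2.50")]
)


def parse(lines):
    """Yield dicts for lines that match the constructed format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]),
            "user": m["user"],
            "src": m["src"],
            "ltype": int(m["ltype"]),
        }


def detect(events, window=timedelta(minutes=5), fail_threshold=10, spray_accounts=5):
    """Return {src: alert} for sources whose RDP failures in any sliding
    `window` hit either pattern. Thresholds are assumptions for the demo."""
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for e in events:
        if e["event"] == FAILED_LOGON and e["ltype"] == RDP_LOGON_TYPE:
            failures[e["src"]].append((e["ts"], e["user"]))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        for end, (ts, _user) in enumerate(attempts):
            while ts - attempts[start][0] > window:   # slide the window forward
                start += 1
            in_window = attempts[start:end + 1]
            accounts = {u for _, u in in_window}
            # Few tries each across many accounts: the page's "reverse" pattern.
            if len(accounts) >= spray_accounts:
                alerts[src] = {"pattern": "password_spray",
                               "attempts": len(in_window), "accounts": len(accounts)}
                break
            # Many tries concentrated on one or a few accounts.
            if len(in_window) >= fail_threshold:
                alerts[src] = {"pattern": "brute_force",
                               "attempts": len(in_window), "accounts": len(accounts)}
                break
    return alerts


if __name__ == "__main__":
    for src, alert in detect(parse(SAMPLE_LOG)).items():
        print(src, alert)
```

Checking the spray condition before the volume condition matters: a spray across many accounts also accumulates many failures, and labelling it as a single-account brute force would point the responder at the wrong mitigation (the page's per-account lockout does little against a spray, whereas blocking the source and hunting for the few passwords tried does).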

How to secure against brute-force attacks

While no one technique is foolproof against a brute-force attack,
organizations can take many measures that make the attack require more time
and computing resources, making your business a less appealing target:

   - Use long and complex passwords that are encrypted (ideally with
   256-bit encryption).
   - Salt the password hashes. Emm advises that strings should be stored in
   a separate database and retrieved and added to the password before it is
   hashed so that employees with the same password have different hashes.
   - Have good password policy messaging to employees around password
   complexity and password reuse across multiple accounts.
   - Limit log-in attempts during a certain timeframe or require a reset
   after a certain number of incorrect attempts.
   - Rate-limit the time it takes to authenticate a password.
   - Enable captchas.
   - Enable multi-factor authentication where possible.
   - Consider using a password manager.
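Two items in the list above, salting password hashes and limiting log-in attempts within a timeframe, are easy to get subtly wrong. The following is an added example of both together, written for this post and not taken from the article or from Kaspersky. It uses only the Python standard library; the iteration count, the five-attempt limit and the 15-minute window are my assumptions, and the user store is an in-memory dictionary standing in for the separate database the list mentions.

```python
# Added example: per-user salted, slow password hashing plus attempt limiting.
# Work factor, window and lockout values are assumptions, not from the article.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: a deliberately slow work factor
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two employees
    with the same password get different hashes; the iteration count makes
    each offline guess cost the attacker as much as it costs us."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class LoginThrottle:
    """Lock an account after `max_failures` failures inside `window_seconds`."""
    max_failures: int = 5
    window_seconds: float = 900.0     # assumption: 15-minute window
    lockout_seconds: float = 900.0    # assumption: 15-minute lockout
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    failures: Dict[str, List[float]] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str) -> bool:
        return self.clock() < self.locked_until.get(user, 0.0)

    def record_failure(self, user: str) -> None:
        now = self.clock()
        recent = [t for t in self.failures.get(user, [])
                  if now - t <= self.window_seconds]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


# Hashed once so unknown usernames cost the same time as real ones,
# which keeps response timing from revealing which accounts exist.
_DUMMY = hash_password("not-a-real-password")


def register(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> None:
    store[user] = hash_password(password)


def login(store: Dict[str, Tuple[bytes, bytes]], throttle: LoginThrottle,
          user: str, password: str) -> str:
    """Return 'locked', 'ok' or 'denied'. The lock is checked before any
    hashing so a locked account costs the server nothing per attempt."""
    if throttle.is_locked(user):
        return "locked"
    salt, digest = store.get(user, _DUMMY)
    if user in store and verify_password(password, salt, digest):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "denied"


if __name__ == "__main__":
    users: Dict[str, Tuple[bytes, bytes]] = {}
    register(users, "alice", "correct horse battery")
    throttle = LoginThrottle(max_failures=3)
    for attempt in ["wrong", "wrong", "wrong", "correct horse battery"]:
        print(attempt, "->", login(users, throttle, "alice", attempt))
```

Note that the correct password is refused while the lock is active: that is the intended behaviour, and it is also why the per-account lockout needs to be paired with the rate limiting and multi-factor items from the list, since an attacker can otherwise use it to lock legitimate users out.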