Brute Force Attacks: What They Are and How to Protect Your Organization

In June 2021, Microsoft revealed that some of their clients had been targeted in a cyberattack by hacking group NOBELIUM – the same group that was responsible for the SolarWinds attack in 2020. The group used password spraying and brute force attacks to conduct their malicious activities. Information-stealing malware was also detected on a Microsoft employee’s device, installed to gain access to some customers’ basic account information. Threat actors then used this point of access to “launch highly-targeted attacks as part of their broader campaign”. Microsoft immediately countered the attack by cutting off the access and securing the device.

The targets included IT companies, government and non-governmental organizations, think tanks, and financial services. Although 36 countries were targeted in total, most of the affected organizations were in the US. 

Following this incident, Microsoft has urged its customers to adopt stronger security practices. Here, we will discuss what brute force attacks are, the different kinds of attacks, and how to minimize the risk of such attacks successfully launched against your organization. 

What are brute force attacks?

A brute force attack is a trial-and-error hacking method where a threat actor attempts to gain unlawful access to a target’s account by trying out a large combination of passwords, decryption keys, or login credentials – depending on what is used to restrict access. Cybercriminals repetitively run through all variations of potential passwords or passphrases until the correct one is found.

This type of cyberattack isn’t new, however, it is still popular among cybercriminals. There are several motives behind using this method of attack:

·   Hijacking ads and activity data: Attackers can launch brute force attacks on websites for financial gain from advertising commissions. This can be done by installing spyware on websites that tracks user activity. This information is then sold to advertisers without the user’s knowledge. Attackers may also spam popular websites with ads or install adware on applications, which, when clicked or viewed, generates profit. Additionally, traffic can be redirected from legitimate websites to pharming websites or illegal ad sites.

·   Theft of personal data: Most personal data is stored in online databases – from bank account details to private health information. Once accessed, hackers can exploit this data for identity theft, sell it on the dark web, steal it, or use it to launch phishing or spear phishing attacks.

·   Organizational data breaches: Threat actors often use brute force attacks to breach organizational systems and networks to launch much larger cyberattacks like DDoS or ransomware attacks.

·   Reputational damage: Cybercriminals can target websites with brute force attacks and overrun them with highly indecent and offensive content. This can ruin a website’s image and force the organization that owns it to take it down.

Furthermore, threat actors can brute-force web addresses to gain access to webpages that are hidden from the public – these may be for technical purposes and have restricted access. Threat actors can use them as a platform for their malicious activities.

What are the different types of brute force attacks?

There are several kinds of brute force attacks. These are the five most commonly used ones:

1. In traditional or simple brute force attacks, hackers attempt to guess the passwords of a few targeted users. They systematically cycle through all possible password compilations until a match is found.
   
2. Dictionary attacks imitate simple brute force attacks. However, it differs in its password-cracking process. Here, hackers run the most commonly used dictionary words and phrases while altering words with specialized characters and spelling variations until access is granted.
   
3. In reverse brute force attacks, attackers run a list of known passwords – either obtained from a data breach or purchased from the dark web – against millions of usernames until a successful match is made.
   
4. Hybrid brute force attacks are a combination of simple and dictionary attacks. Hackers target a specific user and run popular dictionary words along with random characters to crack the password. To ease the process, hackers may use personal information of the target to discover potential terms that could be a part of the password.
   
5. Credential stuffing takes advantage of poor password etiquette. It is common for users to have the same login credentials across several accounts. Hackers exploit this by using these login details to brute-force their way into as many accounts of the target as possible.

Of course, none of this is done manually. Hackers employ botnets and other automation tools and software to help them crack login credentials. Aircrack-ng, John the Ripper, Hashcat, L0phtCrack, DaveGrohl, and Ncrack are examples of popular brute force automation tools.

Additionally, a brute force attack requires a lot of computational power, which is why cybercriminals have developed hardware solutions, like combining the CPU and GPU of a device. This accelerates the systems’ ability to complete several tasks simultaneously, increasing the frequency of successful brute force attacks.

How can your organization prevent brute force attacks?

There are several ways to protect your organization from brute force attacks. Here is the checklist:

1. Educate your employees on the dangers of brute force attacks and conduct regular training and testing on the latest security practices and efficient password usages to avoid any unwanted breach incidents.

2. Explain to your employees the importance of strong passwords. An ideal password should be long, consist of random characters, symbols and numerals, as well as a mixture of lower and uppercase letters. Make sure they know to avoid using common passwords or terms that relate to important events in their personal life – birthdays, names, etc.

3. Use password managers to automate the creation of strong, safe, and unique passwords for all of your organization’s accounts.  

4. Limit the number of login attempts. Make sure your system alerts your IT team of failed login attempts.

5. Invest in password protection measures. Apply strong password encryption, salt the hash, employ multi-factor authentication, and use CAPTCHA, which is essential in weeding out botnets. 

6. Remove unused accounts from your organization’s systems. 

7. Monitor your organization’s systems and networks for suspicious login activity – multiple failed login attempts from the same IP address, as well as attempts made from new devices or unusual locations. Block any suspicious devices and IP addresses.