Cybersecurity might as well have its own language. There are so many acronyms, terms and sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, you may not know what they mean. Understanding these acronyms and terms is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients and your employees.
In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs and APIs. In this edition, let’s dive into brute force attacks.
A brute force attack is a trial-and-error attack in which the attacker systematically submits candidate values (usually passwords) against a login or other credential check until one is accepted and entry is gained. The goal is usually to gain access and then steal sensitive, proprietary or corporate information. Brute force attacks are not a new method for hackers and cybercriminals, but they are on the rise: what was once a time-consuming method has been made far more feasible against weakly protected systems by specialized and automated tools.
According to recent reporting, brute force attacks increased by 74 percent between 2021 and 2022. Other recent reporting from Kaspersky maintains that the most common initial access vector for ransomware attacks continues to be account takeover using stolen or brute-forced credentials. In addition, Verizon reports that over 80% of breaches caused by hacking involve brute force or the use of lost or stolen credentials.
There are several types of brute force attacks:
Last year, DarkOwl data scientists analyzed all of the passwords collected in DarkOwl Vision. They found 102,368,238 passwords in a yyyy-mm-dd format and a further 13,223 in a yyyy/mm/dd format. Mixing digits and special characters into a password is good hygiene, but a date is a predictable structure: there are only tens of thousands of plausible dates, so threat actors add date formats to their candidate lists and guess these passwords long before they would have to search the full character space.
There are several password “cracking” tools readily available to hackers for conducting dictionary and brute force style password attacks. Some of the most popular tools include:
Even the most capable password crackers need significant processing power and time to break long, complex passwords, but at 8 characters the margin is thin. An 8-character password made only of letters, or of letters and digits, is within reach of commodity GPU hardware in hours if it is protected by a fast hash such as NTLM or MD5; adding digits and symbols enlarges the keyspace but does not put an 8-character password out of reach of a determined attacker. Length matters more than the symbol set, and the hashing algorithm the defender uses (a slow, salted hash such as bcrypt or Argon2 rather than MD5 or NTLM) sets the rate at which guesses can be tested. The table below shows the time needed to crack passwords of varying length and complexity.
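To make the two points above concrete, here is an added example (not DarkOwl's code, and not tied to any of the tools the post lists) that flags date-shaped passwords in the formats from the DarkOwl analysis and compares the attacker's effort for a date wordlist against an exhaustive search over the password's character classes. The year range 1900–2030, the extra no-separator yyyymmdd style, the 33-symbol count for printable ASCII punctuation and the guess rate in the demo are assumptions for illustration.

```python
"""Added example, not DarkOwl's code: flag date-shaped passwords and
show why they are cheap to guess. Year range, separator styles and the
guess rate are assumptions for illustration."""
import re
from datetime import date

# yyyy-mm-dd and yyyy/mm/dd as in the DarkOwl analysis. The backreference
# forces both separators to be the same; the empty separator (yyyymmdd)
# is an assumed addition.
DATE_RE = re.compile(r"(\d{4})([-/]?)(\d{2})\2(\d{2})")
SEPARATOR_STYLES = 3  # "-", "/" and none


def is_date_password(password: str) -> bool:
    """True if the whole password is a calendar-valid date in one of the three styles."""
    m = DATE_RE.fullmatch(password)
    if m is None:
        return False
    year, _sep, month, day = m.groups()
    try:
        date(int(year), int(month), int(day))
    except ValueError:  # e.g. 2001-02-30 or year 0000
        return False
    return True


def date_candidates(first_year: int, last_year: int) -> int:
    """Number of valid calendar dates from 1 Jan first_year to 31 Dec last_year, one style."""
    return (date(last_year + 1, 1, 1) - date(first_year, 1, 1)).days


def charset_size(password: str) -> int:
    """Size of the union of standard character classes that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # assumed: printable ASCII punctuation
    return size


def guesses_needed(password: str, first_year: int = 1900, last_year: int = 2030) -> int:
    """Upper bound on guesses for an attacker who tries date wordlists before exhaustive search.

    A date-shaped password is charged the size of the date wordlist, not the
    keyspace of its characters, because that is the list the attacker runs first.
    """
    if is_date_password(password):
        return SEPARATOR_STYLES * date_candidates(first_year, last_year)
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the relevant candidate set at the given rate."""
    return guesses_needed(password) / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"


if __name__ == "__main__":
    RATE = 1e10  # assumed: ~10 billion guesses/s against a fast unsalted hash on GPU hardware
    for pw in ("2001-07-04", "20010704", "password", "Summer21", "correct horse battery staple"):
        kind = "date" if is_date_password(pw) else "charset"
        print(f"{pw:30} {kind:8} {human(seconds_to_exhaust(pw, RATE))}")
```

Run as a script, the date-shaped passwords fall in a fraction of a second while the long passphrase is effectively unreachable; the 8-character mixed-case alphanumeric password sits in between, which is the point of the table that follows. The rate is the variable to adjust: against bcrypt or Argon2 it drops by several orders of magnitude, which is why the storage hash matters as much as the password.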
Below are recent examples from the news of cyber groups reportedly using brute force attacks to compromise the accounts of individuals and organizations.
The Cyber Police of Ukraine arrested three members of an organized crime group operating across Ukraine. The suspects used brute-force attacks to obtain login credentials and then sold them on the darkweb for profit. Computers, phones and bank cards were seized from the suspects’ residences.
Brute-forcing is not a sophisticated method of operation, but it is effective. Multi-factor authentication is a solid step towards reducing the effectiveness of brute-force operations, because a guessed password on its own no longer grants access. This incident also demonstrates how data from everyday activities, such as login credentials for social media, banking, online bill pay and more, can be weaponized: actors steal this information and profit from selling it, endangering the personal accounts and digital hygiene of innocent people.
Government organizations worldwide were the target of a two-year, Chinese state-sponsored campaign. The attack was multi-pronged: spear-phishing was used to deploy backdoors while exposed internet-facing servers were attacked directly. The group used open-source tools to build its own VPN servers and then brute-forced email accounts to obtain passwords, focusing on compromising Outlook accounts.
Cisco issued a warning about broad attacks targeting Cisco VPNs, web services and MikroTik routers, citing Tor exit nodes as the origin; the brute-force attempts also use tunnels and proxies for anonymization. Patching closes the known vulnerabilities such campaigns pair with password guessing, but a brute-force attempt against a fully patched service is a credential problem: rate limiting, account lockout policies, multi-factor authentication and certificate-based authentication for VPN access are the controls that blunt it.
Successful attacks could lock users out of their accounts as well as provide unauthorized network access, enabling the theft of credentials, network metadata and more damaging, sensitive information that could be used in other malicious operations.
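The Cisco warning above describes guessing that is spread across Tor exit nodes and proxies, which defeats detections that only count failures per source address. The following added example (not Cisco's guidance and not DarkOwl's code) runs four detections over constructed authentication log lines: a single-source brute force, password spraying (one source, many accounts), a distributed attack on one account aggregated across sources, and a success following a run of failures. The log format, the addresses, the usernames and the thresholds are all constructed for this example.

```python
"""Added example, not DarkOwl's code: flag brute-force, password-spraying and
distributed guessing in authentication logs. The log format and the log lines
are constructed for this example; adapt LOG_RE to your own source."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO-8601 UTC> auth: FAILED|ACCEPTED user=<name> src=<ip>"
LOG_RE = re.compile(r"^(\S+) auth: (FAILED|ACCEPTED) user=(\S+) src=(\S+)$")


def parse_line(line: str):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), result, user, src


def detect(lines, window=timedelta(minutes=5), src_failures=10, spray_users=5,
           user_failures=10, min_failures_before_success=3):
    """Return (kind, key, detail) alerts. Lines must be in time order.

    bruteforce:             one source fails >= src_failures times in the window
    spray:                  one source fails against >= spray_users accounts in the window
    account_targeted:       one account fails >= user_failures times in the window from
                            any number of sources (catches guessing spread over Tor/proxies)
    success_after_failures: a source is accepted after >= min_failures_before_success
                            recent failures, i.e. a possible successful guess
    """
    by_src = defaultdict(deque)   # src  -> deque of (ts, user) failures in window
    by_user = defaultdict(deque)  # user -> deque of (ts, src) failures in window
    alerts, fired = [], set()

    def fire(kind, key, detail):
        if (kind, key) not in fired:  # one alert per (kind, key)
            fired.add((kind, key))
            alerts.append((kind, key, detail))

    def expire(q, now):
        while q and now - q[0][0] > window:
            q.popleft()

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        sq, uq = by_src[src], by_user[user]
        expire(sq, ts)
        expire(uq, ts)
        if result == "FAILED":
            sq.append((ts, user))
            uq.append((ts, src))
            if len(sq) >= src_failures:
                fire("bruteforce", src, f"{len(sq)} failures within {window}")
            distinct = {u for _, u in sq}
            if len(distinct) >= spray_users:
                fire("spray", src, f"{len(distinct)} distinct accounts within {window}")
            if len(uq) >= user_failures:
                sources = {s for _, s in uq}
                fire("account_targeted", user, f"{len(uq)} failures from {len(sources)} sources")
        elif len(sq) >= min_failures_before_success:
            fire("success_after_failures", src, f"user={user} accepted after {len(sq)} failures")
    return alerts


def sample_log():
    """Constructed log: a noisy brute force, a spray, a distributed guess and a normal login."""
    t0 = datetime(2024, 4, 10, 12, 0, 0)

    def line(offset_s, result, user, src):
        ts = (t0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} auth: {result} user={user} src={src}"

    lines = [line(10 * i, "FAILED", "bob", "203.0.113.5") for i in range(12)]
    lines.append(line(120, "ACCEPTED", "bob", "203.0.113.5"))                     # guessed it
    lines += [line(300 + 10 * i, "FAILED", f"user{i}", "198.51.100.7") for i in range(6)]
    lines += [line(900 + 10 * i, "FAILED", "carol", f"203.0.113.{100 + i}") for i in range(10)]
    lines += [line(1500, "FAILED", "dave", "192.0.2.9"), line(1505, "ACCEPTED", "dave", "192.0.2.9")]
    return lines


if __name__ == "__main__":
    for kind, key, detail in detect(sample_log()):
        print(f"{kind:24} {key:16} {detail}")
```

The `account_targeted` rule is the one that fires for carol, whose ten failures each come from a different address; the per-source rules see only one failure per address and stay silent. Dave's single typo followed by a success produces no alert. In production the thresholds should be tuned per service (VPN gateways and mail logins see very different baseline failure rates) and the alerts fed to the SIEM rather than printed.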
A new Advanced Persistent Threat (APT) group named LanceFly has been using a custom, stealthy backdoor called “Merdoor” against organizations in South and Southeast Asia since 2018. The method of initial access is unclear, but Symantec has observed the group using phishing emails, SSH credential brute forcing and other techniques. Merdoor is injected into “perfhost.exe” or “svchost.exe”, both legitimate Windows processes, through DLL side-loading. The backdoor is persistent and survives reboots, and it establishes a connection to a C2 server from which it receives instructions.
Cyber criminals and hackers frequently discuss vulnerabilities and their tactics, techniques and procedures (TTPs) on darknet and darknet-adjacent platforms. Below we share screenshots from the DarkOwl Vision UI that highlight the use of brute force attacks. Vision UI is the industry-leading platform for analysts to simply, safely and comprehensively search darknet data. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor and create alerts for critical information.
The first two screenshots below show a Russian-language user sharing a link to a GitHub repository containing brute force attack source code for Android devices on the well-known Russian-language darknet forum XSS. The second image shows the same post in its original format directly on the XSS forum.
In the screenshot below, threat actors in a Discord channel discuss a new scanning and brute force framework available on GitHub, praising the tool’s exceptional speed.
DarkOwl analysts also found a darknet market posting offering brute force attack software for $500 USD worth of bitcoin. The poster claims to have made $12,000 USD in 2 months using the software.
In addition, as we know, threat actors use the darknet and darknet-adjacent sites to exchange information and best practices and to ask questions. This is one reason monitoring this activity is so important: it reveals upcoming trends and what attackers are discussing, and lets defenders prepare for the attacks being planned. In the example below, an actor asks the community how long they can expect a brute force attack to take.
Believe it or not, 98% of cyberattacks are reported to be preventable with basic security hygiene. Below are several tips to prevent brute force attacks, followed by more in-depth password strengthening tips.
Everyone can follow some simple steps to employ robust password hygiene and reduce the risk of a password being brute forced or reused against them in a credential stuffing campaign.