Brute force attacks have surged during the health crisis. Here is a look at this type of attack and how to prevent it.
During a brute force attack, the attacker systematically and repeatedly submits different user names and passwords in an attempt to break into a platform. This simple approach, though demanding in resources and attempts, is generally carried out with automated tools, scripts or bots that work through all the possible combinations until access is granted. “It’s an old method of attack, but it remains effective and popular with hackers to target devices on remote networks,” said David Emm, senior security researcher at Kaspersky.
However, the longer the password and the stronger the encryption of the stored data, the more time and computing power will be required. It is therefore possible for organizations to make this kind of attack almost impossible to carry out. In 2017, the British and Scottish parliaments were both victims of brute force attacks, while a similar, but unsuccessful, attack took place against the Parliament of Northern Ireland a year later. In the same year, the airline Cathay Pacific was the victim of such an intrusion and was fined 500,000 pounds sterling (553,250 €) by the British data protection authority for insufficient preventive measures. The AdGuard ad blocker was also forced to reset all of its users’ passwords after being subjected to this type of breach.
How brute force attacks work
Brute force attacks are often carried out by scripts or bots that target the login page of a site or application. They work through known keys or passwords and every possible string. The most common targets that must be protected against this kind of attack include encryption keys, API keys and services that rely on the SSH protocol.
Cracking a password is just one step in a hacker’s kill chain, according to David Emm. It can be used to access user profiles, mailboxes, bank accounts, or to compromise APIs or any other service that requires a login and credentials. “From there, they can be used to send phishing links, distribute bogus content, or even collect credentials to sell to third parties,” said Emm.
350,000 years to find 13 characters
Since hammering a login page to gain access to a single account is time consuming, hackers have developed workarounds. “Automated tools are available to facilitate brute force attacks, with names like Brutus, Medusa, THC Hydra, Ncrack, John the Ripper, Aircrack-ng and Rainbow. Many can find a single word in the dictionary in a second. Tools like these work against many computer protocols (FTP, MySQL, SMTP and Telnet) and allow hackers to force WiFi routers, identify weak passwords, reveal passwords in an encrypted storage system and translate words into leetspeak: “don’thackme” becomes “d0n7H4cKm3”, for example.”
The success of a brute force attack is measured by the time it takes to crack a password. According to Cloudflare, a seven-character password would take 9 minutes to crack at a rate of 15 million attempts per second. A 13-character password would take over 350,000 years. The same applies to an encryption key. At 128 bits, 2^128 combinations are possible, while with 256-bit encryption an attacker would have to try 2^256 combinations. With today’s technology, it would take thousands of billions of years to guess them all.
“According to IBM, some hackers target the same systems every day for months and sometimes even years,” said the Kaspersky representative. Even if attackers use GPUs to dramatically increase the number of combinations attempted per second, greater password complexity and the use of strong encryption can make forcing these credentials unworkable.
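The arithmetic behind the figures above is simple: the number of candidates is the character-set size raised to the password length (or 2 to the key length for a key), and the worst-case time is that count divided by the guessing rate. The following script is an added example, not code from the article or from Cloudflare or Kaspersky; the character-set sizes and the 15 million guesses per second are assumptions chosen to reproduce the kind of table the article quotes, and the script goes beyond the text by showing how a faster (GPU) guessing rate shifts the result.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes assumed for the illustration (constructed, not from the article)
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Equivalent key strength in bits: log2 of the keyspace."""
    return length * math.log2(charset_size)


def worst_case_seconds(candidates: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a constant guessing rate.
    On average the attacker succeeds after about half of them."""
    return candidates / guesses_per_second


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def crack_time_table(length: int, guesses_per_second: float) -> dict:
    """Worst-case years per character set for one password length."""
    return {name: years(worst_case_seconds(keyspace(size, length), guesses_per_second))
            for name, size in CHARSETS.items()}


def key_search_years(bits: int, guesses_per_second: float) -> float:
    """Worst-case years to try every key of a cipher with `bits`-bit keys."""
    return years(worst_case_seconds(2 ** bits, guesses_per_second))


if __name__ == "__main__":
    rate = 15_000_000  # attempts per second, the figure the article quotes from Cloudflare
    for length in (7, 13):
        print(f"{length}-character password at {rate:,} guesses/s:")
        for name, yrs in crack_time_table(length, rate).items():
            bits = entropy_bits(CHARSETS[name], length)
            print(f"  {name:18s} {bits:5.1f} bits  {yrs:>12.3g} years")
    # Guessing 1,000x faster (a GPU rig) removes only about 10 bits of effective strength
    print(f"128-bit key: {key_search_years(128, rate):.3g} years")
    print(f"128-bit key at 1000x the rate: {key_search_years(128, rate * 1000):.3g} years")
```

Running it shows that the 350,000-year figure corresponds to 13 lowercase alphanumeric characters (about 67 bits), and that even a thousandfold faster rig leaves a 128-bit key search at a number of years with more than twenty digits, which is why the article's advice centres on length and strong encryption rather than on outrunning the attacker's hardware.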
Types of brute force attacks
Traditional brute force attacks: an attacker tries all possible character combinations until finding the correct one.
Reverse brute force attacks: the most common passwords are tried for different accounts, on different sites.
Credential stuffing: usernames and passwords stolen from one site or service are tried against other services and applications in order to take over the corresponding accounts.
Dictionary attacks: bots run through a dictionary or lists of common passwords leaked in other data breaches.
Rainbow-table attacks: these recover a password from its hash. Starting from a list of all possible passwords, the hash of each one is computed and compared with the hash to be cracked. If the two hashes are identical, the password has been found.
Remote working increases brute force attacks
According to Verizon’s Data Breach Investigations Report 2020, less than 20% of breaches in SMEs involve brute force, and less than 10% for large organizations. This trend has remained largely unchanged from the 2019 and 2018 editions of the report, but the coronavirus pandemic may have changed that. “Companies around the world have adopted policies for working remotely, which has had a direct impact on cyber threats,” says David Emm. “It didn’t take long for cybercriminals to realize that the number of misconfigured RDP [Remote Desktop Protocol] servers would increase, hence the proliferation of attacks.”
Without giving precise figures, the Kaspersky researcher indicates that “since the beginning of March, the number of Bruteforce.Generic.RDP attacks has skyrocketed worldwide, and it is unlikely that attacks on remote-access infrastructure will stop soon, given the number of corporate resources that have now been made available to teleworkers.”
Guard against this type of hacking
While no technique is foolproof against a brute force attack, organizations can take steps that make the attack cost far more time and IT resources to complete. Some good practices include:
– The use of long and complex passwords (ideally with 256-bit encryption);
– Salt password hashes. Mr. Emm recommends storing these strings in a separate database, retrieving them and adding them to the password before hashing it, so that employees with the same password have different hashes;
– Have a good password policy by communicating best practices to employees;
– Block login attempts or require a password reset after a certain number of incorrect attempts;
– Limit the authentication time;
– Enable CAPTCHAs;
– Enable multi-factor authentication wherever possible;
– Consider using a password manager.
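Two of the recommendations above, salting password hashes and locking an account after a run of failed attempts, are shown together in the following script. It is an added example and not code from the article or from Kaspersky; the work factor (PBKDF2-HMAC-SHA256 at 600,000 iterations), the salt length, the five-attempt limit and the 15-minute lockout are assumed values, and the `UserStore` class is a constructed in-memory stand-in for a real credential database. It also illustrates the rainbow-table point from the list of attack types: a table precomputed from unsalted SHA-256 digests finds a common password instantly, but has no entry for the salted, iterated digest.

```python
import hashlib
import hmac
import os

# Parameters assumed for the example (not taken from the article)
PBKDF2_ITERATIONS = 600_000   # work factor for PBKDF2-HMAC-SHA256; makes each guess expensive
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: the salt is mixed in before hashing, so two employees
    with the same password get different digests and one precomputed table
    cannot crack both."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def precomputed_table(candidates) -> dict:
    """What an attacker can build once against *unsalted* SHA-256: digest -> password."""
    return {hashlib.sha256(pw.encode("utf-8")).digest(): pw for pw in candidates}


class UserStore:
    """In-memory credential store with per-account lockout (constructed for the example).
    `clock` returns the current time in seconds and is injectable so the lockout
    can be exercised without waiting."""

    def __init__(self, clock, max_failed=MAX_FAILED_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self._users = {}
        self._clock = clock
        self._max_failed = max_failed
        self._lockout_seconds = lockout_seconds
        # Dummy salt so an unknown username costs as much as a real check (timing)
        self._dummy_salt = os.urandom(SALT_BYTES)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per account
        self._users[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "failed": 0,
            "locked_until": 0.0,
        }

    def stored_hash(self, username: str) -> bytes:
        return self._users[username]["hash"]

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self._clock()
        record = self._users.get(username)
        if record is None:
            hash_password(password, self._dummy_salt)
            return "denied"
        if now < record["locked_until"]:
            return "locked"               # blocked even if the password is right
        candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            record["failed"] = 0
            return "ok"
        record["failed"] += 1
        if record["failed"] >= self._max_failed:
            record["failed"] = 0
            record["locked_until"] = now + self._lockout_seconds
        return "denied"


if __name__ == "__main__":
    import time
    store = UserStore(clock=time.monotonic)
    store.register("alice", "Winter2020!")   # constructed sample credentials
    store.register("bob", "Winter2020!")
    print("same password, different hashes:", store.stored_hash("alice") != store.stored_hash("bob"))
    table = precomputed_table(["123456", "password", "Winter2020!"])
    print("unsalted digest found in table:", "Winter2020!" in table.values())
    print("salted digest found in table:", store.stored_hash("alice") in table)
    for attempt in range(6):
        print("wrong password, attempt", attempt + 1, "->", store.login("alice", "wrong"))
    print("correct password while locked ->", store.login("alice", "Winter2020!"))
```

The constant-time comparison (`hmac.compare_digest`) and the dummy hash for unknown usernames are not on the article's list but follow from the same goal: give an automated guesser no cheap signal about which half of a credential pair is right. In production the lockout counter and timestamps would live in the same persistent store as the hashes, and the lockout would be combined with the CAPTCHA and multi-factor steps the article recommends rather than replace them.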