
Leaked Credentials Are Vectors for Different Types of Automated Attacks. Learn About Them and How to Protect Yourself

Feb 27, 2024

In January 2024, Microsoft announced that it suffered an attack resulting in unauthorized access to emails and documents belonging to executives and security and legal team members. What surprised many about this incident, beyond the attack itself, was the method of execution: a device within Microsoft's network was protected by a weak password without two-factor authentication.

The group Midnight Blizzard, to which Microsoft attributed the attack, tested various combinations, including previously compromised or commonly used passwords, until they found the correct one: an old and straightforward technique known as password spraying or horizontal brute force.

Leaked credentials can serve as vectors for a vast range of automated attacks that rely on different techniques, which can be confusing because these techniques look very similar in execution.

Common Attacks

Password Spraying
Password spraying is a type of attack where criminals attempt to access multiple accounts using the most common passwords. Unlike other methods that focus on a single account at a time, password spraying exploits people's tendency to use simple, repetitive passwords across multiple accounts. This technique is also known as horizontal brute force.

Credential Stuffing
Unlike password spraying, where attackers use common passwords, credential stuffing involves criminals utilizing leaked credentials from a previous attack to try to access accounts on other services. This method relies on the common practice of reusing passwords across different platforms.

Vertical and Horizontal Brute Force
Vertical brute force focuses on a single account, attempting to guess its password through multiple attempts using a wide range of passwords. As mentioned earlier, horizontal brute force is another name for password spraying, focusing on multiple accounts using a single password or a small set of passwords.

How to Protect Yourself

  1. Use Strong, Unique Passwords (and a Password Manager if Possible)
    Create strong, randomly generated passwords that are different for each account. Remember, it's not complexity but length that truly matters. While a complex password filled with symbols, numbers, and uppercase letters may seem ideal, longer passwords are generally more effective. Additionally, a password manager can be your best ally, as it can create and store complex passwords for you, making it easier to maintain a unique password for each service without needing to memorize them.

  2. Enable Two-Factor Authentication (2FA)
    Two-factor authentication adds an extra layer of security, requiring not only the password but also a code generated by a device that only the user has access to.

  3. Stay Updated
    Keep an eye on news regarding data breaches and change your passwords regularly, especially if you know that a platform you use has been compromised.

  4. Education and Awareness
    Being aware of the types of attacks and how they are carried out can help identify intrusion attempts and avoid insecure practices, such as password reuse.

  5. Anti-Automation Mechanisms
    Implement anti-automation mechanisms such as CAPTCHA or WAFs in your applications to distinguish humans from machines, making it more difficult to execute automated attacks. If that's not possible, consider using rate limiting to restrict the number of authentication attempts or implementing proof of work to make the process more costly for attackers.
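Rate limiting and monitoring only help if you can tell the two attack shapes described above apart: vertical brute force piles failures onto one account, while password spraying spreads a few failures across many accounts from the same source. The following is an added example (not code from the original post or from Unxpose) that classifies failed-login bursts per source address using that distinction; the log format, source addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-02-27T10:00:01Z 203.0.113.5 alice FAIL
2024-02-27T10:00:02Z 203.0.113.5 bob FAIL
2024-02-27T10:00:03Z 203.0.113.5 carol FAIL
2024-02-27T10:00:04Z 203.0.113.5 dave FAIL
2024-02-27T10:00:05Z 198.51.100.9 alice FAIL
2024-02-27T10:00:06Z 198.51.100.9 alice FAIL
2024-02-27T10:00:07Z 198.51.100.9 alice FAIL
2024-02-27T10:00:08Z 198.51.100.9 alice FAIL
2024-02-27T10:00:09Z 192.0.2.7 alice FAIL
2024-02-27T10:00:10Z 192.0.2.7 alice OK
"""

@dataclass
class Finding:
    source: str
    kind: str       # "spray" (horizontal brute force) or "vertical"
    accounts: int   # distinct usernames targeted from this source
    failures: int   # total failed attempts from this source

def parse_events(text):
    """Split log lines into (timestamp, source, user, result) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def classify(text, fail_threshold=4, spray_accounts=3, spray_per_account=2):
    """Return one Finding per source whose failed logins look automated (thresholds assumed)."""
    failures = defaultdict(lambda: defaultdict(int))  # source -> user -> failure count
    for _, src, user, result in parse_events(text):
        if result == "FAIL":
            failures[src][user] += 1
    findings = []
    for src, per_user in failures.items():
        total = sum(per_user.values())
        if total < fail_threshold:
            continue  # too few failures to call it an attack (e.g. a mistyped password)
        if len(per_user) >= spray_accounts and max(per_user.values()) <= spray_per_account:
            kind = "spray"      # few tries per account, spread across many accounts
        elif max(per_user.values()) >= fail_threshold:
            kind = "vertical"   # many tries concentrated on a single account
        else:
            continue
        findings.append(Finding(src, kind, len(per_user), total))
    return findings
```

A rate limiter keyed only on (source, account) pairs would miss the spraying source above, since it never exceeds one failure per account; keying on the source's distinct-account count as well closes that gap.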

Unxpose is Here for You

Unxpose offers a comprehensive solution to prevent cyberattacks, including checks to help your company avoid these types of attacks:

  • Continuous monitoring of leaked credentials, prioritized automatically based on risk level, depending on the type of information found in the leak.

  • Monitoring of cloud providers (AWS, Microsoft Azure, and Google Cloud) and identity providers, such as Google Workspace and Microsoft 365, to ensure that strong password policies are in place and a second factor of authentication is being required.

  • Monitoring of your company's assets for authentication forms that do not have CAPTCHA.

And the best part? You can test all of this for free!