Microsoft Alert: Hackers Exploiting Inactive Cloud Workload Identities


With a billion stolen passwords circulating on dark web criminal marketplaces and infostealer malware attacks continuing, cybercriminals are increasingly using automatic password hacking machines, reports Forbes.

New Alert Issued

The Microsoft Threat Intelligence team has issued a new alert about hackers increasingly exploiting unsecured workload identities to gain unauthorized access to containerized environments. Microsoft’s research indicates that 51% of these workload identities have been completely inactive over the past year, making them an attractive and vulnerable attack surface for malicious actors. The report says that as organizations increasingly adopt containers-as-a-service, Microsoft Threat Intelligence is monitoring the security threats that specifically target these containerized environments.

One such threat is a password spraying attack attributed to the threat group Storm-1977. The campaign targeted cloud tenants in the education sector.

The password spraying attack used a command-line interface tool known as AzureChecker. According to the report, this tool was used to “download AES-encrypted data that, when decrypted, reveals the list of password spray targets.” AzureChecker also accepted an accounts.txt file as input, which contained the username and password combinations intended for the attack. Microsoft explained the subsequent steps: “The threat actor then used the information from both files and posted the credentials to the target tenants for validation.” This allowed the attackers to attempt to gain access to numerous accounts using commonly used passwords.
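From the defender's side, the pattern described above (one source validating credentials against many accounts) shows up in sign-in logs as many distinct accounts failing with few attempts each. The following is an added example, not code from Microsoft's report or from Forbes; the event tuples, thresholds and the function name detect_spray are assumptions and do not follow any real sign-in log schema.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (illustrative only, not a real log schema):
# (timestamp, source IP, account, outcome)
EVENTS = (
    # One source tries six accounts once each, then signs in to a seventh.
    [(f"2025-01-10T09:0{i}:00", "203.0.113.10", f"student{i}@school.example", "failure")
     for i in range(6)]
    + [("2025-01-10T09:07:00", "203.0.113.10", "student6@school.example", "success")]
    # One user mistyping a password: many failures, single account.
    + [(f"2025-01-10T10:0{i}:00", "198.51.100.7", "teacher@school.example", "failure")
       for i in range(6)]
    # Failures spread over hours: never enough accounts inside one window.
    + [(f"2025-01-10T1{i}:00:00", "192.0.2.5", f"staff{i}@school.example", "failure")
       for i in range(5)]
)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_tries=2):
    """Return {source_ip: {"targeted": [...], "succeeded": [...]}} for spray-like sources."""
    fails, wins = defaultdict(list), defaultdict(list)
    for ts, ip, account, outcome in events:
        bucket = fails if outcome == "failure" else wins
        bucket[ip].append((datetime.fromisoformat(ts), account))
    findings = {}
    for ip, rows in fails.items():
        rows.sort()
        start, best = 0, Counter()
        for end in range(len(rows)):
            # Slide the window so it spans at most `window` of failures.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            tries = Counter(account for _, account in rows[start:end + 1])
            # Spray shape: many distinct accounts, few attempts per account.
            if (len(tries) >= min_accounts
                    and sum(tries.values()) <= max_tries * len(tries)
                    and len(tries) > len(best)):
                best = tries
        if best:
            first_failure = rows[0][0]
            findings[ip] = {
                "targeted": sorted(best),
                # Successes from the same source are the accounts to reset first.
                "succeeded": sorted({a for t, a in wins[ip] if t >= first_failure}),
            }
    return findings

if __name__ == "__main__":
    print(detect_spray(EVENTS))
```

A spray paced slower than the window, like the third constructed source, is not flagged; widening the window catches it at the cost of more false positives.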

Mitigating Threats

You know, talking to cybersecurity folks – and trust me, I chat with tons of them daily – the answer to those annoying password spraying attacks is pretty straightforward: ditch the passwords altogether. Now, I get it, that’s a big ask for a lot of situations, but the shift towards a password-free world is already happening as people start using passkeys.

Chris Burton, the head honcho of professional services at Pentest People, put it plainly: “Where possible, we should be using passkeys; they’re way more secure, even if not everyone’s using them yet.” And Lorri Janssen-Anessi, who’s in charge of external cyber assessments at BlueVoyant, is just as firm on going passwordless. She pointed out that because not enough people use multi-factor authentication and, let’s face it, we humans can be the weak link in security, “businesses should also consider passwordless solutions.” Janssen-Anessi reckons that authentication using things like fingerprints and secure tokens will “become increasingly mainstream going forward.” So, it sounds like the writing’s on the wall for old-fashioned passwords.


Source: Forbes