What is a Brute Force Attack?

September 06, 2024

Cybersecurity might as well have its own language. Cybersecurity professionals and threat actors alike use so many acronyms, terms, and sayings that, unless you are deeply knowledgeable, have experience in the security field, or have a keen interest, you may not know what they mean. Understanding these acronyms and terms is the first step to developing a thorough understanding of cybersecurity and, in turn, better protecting yourself, your clients, and your employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms. Previously, we have covered bulletproof hosting, CVEs, and APIs. In this edition, let’s dive into brute force attacks.

Brute Force Attacks 101

A brute force attack is an attack in which the attacker tries possible combinations (usually passwords) by trial and error until one matches the credential and entry is gained. The goal is usually to gain access and then steal sensitive, proprietary or corporate information. Brute force attacks are not a new method used by hackers and cybercriminals, but they are on the rise: what was once a time-consuming method has become more feasible against weak security systems thanks to advancements in specialized and automated tools.

According to recent reporting, brute force attacks increased by 74 percent between 2021 and 2022. Other recent reporting from Kaspersky maintains that the most common attack vector for all ransomware attacks continues to be via account takeover utilizing stolen or brute forced credentials. In addition, Verizon reports that over 80% of breaches caused by hacking involve brute force or the use of lost or stolen credentials.

There are several types of brute force attacks:

  • Simple Brute Force Attack: attackers try all possible combinations without any shortcuts until the correct one is found.
  • Dictionary Attack: attackers use a precompiled list of words and common passwords to guess the correct password.
  • Hybrid Attack: attackers combine dictionary attacks with brute force methods. It starts with a dictionary list and then tries variations, such as adding numbers or symbols to the words.
  • Reverse Brute Force Attacks: attackers start with a publicly known or leaked password and try it against multiple usernames.
  • Credential Stuffing: attackers test whether historically exposed email address and password combinations are valid logins across multiple commercial websites.
  • Rainbow Table Attacks: attackers use precomputed tables of hash values for all possible passwords.

Last year, DarkOwl data scientists conducted a password analysis of all the passwords collected in DarkOwl Vision. 102,368,238 passwords were found that followed a yyyy-mm-dd format, and 13,223 that followed yyyy/mm/dd. While including numbers and special characters is good password hygiene, the prevalence of users who incorporate a date into their password means that threat actors will leverage this pattern when attempting to brute force accounts.

There are several password “cracking” tools readily available to hackers for conducting dictionary and brute force style password attacks. Some of the most popular tools include:

  • John the Ripper
  • Cain & Abel
  • OphCrack
  • THC Hydra
  • Hashcat
  • Brutus
  • RainbowCrack
  • CrackStation

Even the most sophisticated password crackers need significant processing power and time to break long, complex passwords. Unless an 8-character password includes numbers and symbols, it can potentially be brute forced. The table below shows the time needed to crack passwords of varying length and complexity.

Below are recent examples in the news of cyber groups reportedly using brute force attacks to hack accounts of individuals and organizations.

Ukraine arrests individuals who hijacked social media, email accounts

An organized crime group operating throughout Ukraine had three members arrested by the Cyber Police of Ukraine. The suspects used brute force to obtain login credentials and then sold them on the darkweb for profit. Computers, phones, and bank cards were all seized from the residences of those arrested.

Brute forcing is not a sophisticated method of operation, but it is effective. Multi-factor authentication is a solid security step toward reducing the effectiveness of brute-force operations. This incident also demonstrates how data from everyday activities, such as login credentials for social media, banking, online bill pay, and more, can be weaponized. Actors steal this information and then profit from selling it, endangering the personal accounts and digital hygiene of innocent people.

China’s “Earth Krahang” infiltrates organizations throughout 45 countries

Government organizations worldwide were the target of a two-year, Chinese state-sponsored campaign. The multi-pronged attack employed spear-phishing to deploy backdoors while also attacking exposed internet-facing servers. The group uses open-source tools to build VPN servers and then brute forces email accounts to procure passwords, focusing on compromised Outlook accounts.

Cisco cautions of increase in brute-force attacks targeting VPN, SSH services

Citing TOR exit nodes as the origin, Cisco issued a warning about broad attacks targeting Cisco VPNs, web services, and Mikrotik routers. The brute-force attempts use tunnels and proxies for anonymization. Patching is one of the simplest ways to offer protection against this method.

Successful attacks could result in locking users out of their accounts as well as provide unauthorized network access, enabling the theft of credentials, network metadata, and more damaging, sensitive information that could be used in other malicious operations.

Stealthy MerDoor malware uncovered after five years of attacks

A new Advanced Persistent Threat (APT) group named LanceFly has been using a custom, stealthy backdoor called “Merdoor” to target organizations in South and Southeast Asia since 2018. Methods for initial access are unclear, but Symantec has observed the group using methods such as phishing emails, SSH credential brute forcing, and others. Merdoor is loaded into ‘perfhost.exe’ or ‘svchost.exe’, both legitimate Windows processes, via DLL side-loading. The stealthy backdoor is persistent and can remain on devices between reboots. The backdoor establishes a connection with a C2 server, from which it can be given instructions.

Cyber criminals and hackers frequently discuss vulnerabilities and tactics, techniques, and procedures (TTPs) on the darknet and darknet-adjacent platforms. Below we share screenshots from the DarkOwl Vision UI that highlight the use of brute force attacks. Vision UI is the industry-leading platform for analysts to simply, safely, and comprehensively search darknet data. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information.

GitHub

The first two screenshots below show a Russian-language user sharing a link to a GitHub repository containing brute force attack source code for Android devices on the well-known Russian-language darknet forum XSS. The second image shows the same information in its original format directly on the XSS forum.

Figure 2: Brute force attack source code on GitHub; Source: Tor Anonymous Browser

In the screenshot below, threat actors in a Discord channel discuss a new scanning and brute force framework available on GitHub, praising the tool’s exceptional speed.

Figure 3: Discord channel showcasing a new brute force tool available on GitHub; Source: DarkOwl Vision

DarkOwl analysts also found a darknet market posting offering brute force attack software in exchange for $500 USD worth of bitcoin. The poster claims to have made $12,000 USD in 2 months using this software.

Figure 4: Darknet marketplace offering brute force attack method; Source: DarkOwl Vision

In addition, as we know, threat actors use the darknet and darknet-adjacent sites to exchange information and best practices and to ask questions. This is one of the reasons it is so important to monitor this activity: we can learn about upcoming trends and what actors are discussing, and prepare for the attacks being planned. In the example below, an actor asks the community how long they can expect a brute force attack to take.

Figure 5: Cyber threat actors discussing brute force attacks; Source: DarkOwl Vision

Believe it or not, 98% of cyberattacks can be prevented with basic hygiene. Below are several tips to prevent brute force attacks, followed by more in-depth password strengthening tips.

  • Use strong passwords.
  • Lock accounts after a certain number of failed login attempts. This limits automated guessing.
  • Limit the number of login attempts that can be made within a given period of time. This slows down automated tools.
  • Monitor IP addresses for frequent login attempts.
  • Use multifactor authentication.
  • Use captchas to prevent bots from attempting to log in.
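The three server-side tips above (account lockout, rate limiting per period, and watching IPs for frequent attempts) can be combined into one small monitor. The following is an added example, not code from the original post; the log line format, the thresholds (5 failures per account, 10 attempts per IP per minute) and the sample lines are all constructed for illustration.

```python
"""Added example: a failed-login monitor implementing lockout, per-IP rate limiting
and frequent-attempt flagging over constructed sample log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed): "<ISO timestamp> <source ip> <username> <OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

class LoginMonitor:
    def __init__(self, lockout_failures=5, ip_limit=10, window=timedelta(minutes=1)):
        self.lockout_failures = lockout_failures  # consecutive failures before an account locks
        self.ip_limit = ip_limit                  # attempts allowed per IP inside the window
        self.window = window
        self.fail_count = defaultdict(int)        # username -> consecutive failures
        self.locked = set()                       # locked usernames
        self.ip_attempts = defaultdict(deque)     # ip -> timestamps of attempts in the window
        self.flagged_ips = set()                  # IPs that exceeded the rate limit

    def process(self, line):
        """Return the decision for one log line: ok, fail, locked, rate-limited or unparsed."""
        m = LINE_RE.match(line)
        if not m:
            return "unparsed"
        ts, ip, user, result = m.groups()
        t = datetime.fromisoformat(ts)
        # Sliding window per source IP: keep only attempts newer than `window`.
        q = self.ip_attempts[ip]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()
        if len(q) > self.ip_limit:          # throttle before even checking the account
            self.flagged_ips.add(ip)
            return "rate-limited"
        if user in self.locked:             # a later correct guess still gets refused
            return "locked"
        if result == "OK":
            self.fail_count[user] = 0       # success resets the failure counter
            return "ok"
        self.fail_count[user] += 1
        if self.fail_count[user] >= self.lockout_failures:
            self.locked.add(user)
            return "locked"
        return "fail"

def run(lines, **kw):
    """Feed lines through a fresh monitor; return (decisions, locked users, flagged IPs)."""
    mon = LoginMonitor(**kw)
    decisions = [mon.process(line) for line in lines]
    return decisions, sorted(mon.locked), sorted(mon.flagged_ips)

# Constructed sample: 203.0.113.7 hammers "alice"; 198.51.100.3 is a real user with one typo.
SAMPLE = [f"2024-09-06T10:00:{i:02d} 203.0.113.7 alice FAIL" for i in range(12)] + [
    "2024-09-06T10:00:30 198.51.100.3 bob FAIL",
    "2024-09-06T10:00:35 198.51.100.3 bob OK",
    "2024-09-06T10:05:00 203.0.113.7 alice OK",   # right password, but the account is locked
]
```

Run with `run(SAMPLE)`: alice locks on the fifth failure, the attacking IP is throttled once it exceeds ten attempts in a minute, and the legitimate user is unaffected.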

Everyone can follow some simple steps to ensure robust password hygiene and reduce the risk of a password being brute forced or exploited in a credential stuffing campaign.

  • Use a password manager such as LastPass, Bitwarden, or 1Password to generate and store complex passwords.
  • Don’t reuse passwords. Use a unique password for every login and streaming service you sign up for.
  • Choose passwords at least 16 characters in length.
  • Include symbols and numbers for increased complexity.
  • Avoid using passwords with dictionary words or names.
  • Don’t use sequential numbers or the word “password”.
  • Don’t use the year of your birth or anniversary in your password.
  • Turn on multi-factor authentication (MFA) for important accounts like financial and banking sites.
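The password rules above, together with the yyyy-mm-dd and yyyy/mm/dd date patterns found in the DarkOwl Vision analysis earlier in the post, can be turned into a simple policy check. This is an added example and not the post’s own code; the tiny word list, the 1900-2039 year range and the three-digit sequence rule are assumptions standing in for a real dictionary and breach-corpus lookup.

```python
"""Added example: check a candidate password against the hygiene rules listed above."""
import re

# Constructed stand-in for a dictionary/name list; a real check would use a large corpus.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "alice", "denver"}
# yyyy-mm-dd or yyyy/mm/dd, the two date formats highlighted in the post.
DATE_RE = re.compile(r"(19|20)\d\d[-/](0[1-9]|1[0-2])[-/](0[1-9]|[12]\d|3[01])")
# A plausible birth or anniversary year on its own (assumed range 1900-2039).
YEAR_RE = re.compile(r"(?<!\d)(19\d\d|20[0-3]\d)(?!\d)")

def has_sequential_digits(pw, run=3):
    """True if pw contains `run` adjacent digits stepping by +1 or -1 (e.g. 123 or 987)."""
    for m in re.finditer(r"\d{%d,}" % run, pw):
        s = m.group()
        for i in range(len(s) - run + 1):
            chunk = [int(c) for c in s[i:i + run]]
            steps = {b - a for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False

def check_password(pw):
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < 16:
        problems.append("shorter than 16 characters")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    low = pw.lower()
    if any(word in low for word in COMMON_WORDS):   # also catches the word "password"
        problems.append("contains a dictionary word or name")
    if has_sequential_digits(pw):
        problems.append("contains sequential digits")
    if DATE_RE.search(pw) or YEAR_RE.search(pw):
        problems.append("contains a date or year")
    return problems

if __name__ == "__main__":
    for candidate in ("Summer2024!", "1990-05-14Denver$$", "Xq7#vL2!mR9$tZ4&kW"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```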

Copyright © 2024 DarkOwl, LLC All rights reserved.