Password cracking not needed

Published on 01/11/2022 | Written by Heather Wright


We’re still making it too easy for attackers…

Forget about attackers attempting to crack passwords. They’re largely taking advantage of weak password management – and an abundance of password lists – to gain entry to corporate systems via two of the most popular remote admin protocols. 

The report Good Passwords for Bad Bots from security firm Rapid7 looked at attacks via the Secure Shell (SSH) and Remote Desktop (RDP) protocols, with the research team cross-checking attempted logins to its network of ‘honeypots’ – decoys set up to detect, deflect and study hacking attempts – against an ‘industry-standard list of exposed passwords’.


Of the 512,002 unique passwords attempted by the honeypot attackers, just 14 were not included in a single well-known password list used by both pentesters and attackers – the rockyou2021 list which includes 8.4 billion exposed passwords (without corresponding user names, it should be noted).

Of the 14 not found in the list, Rapid7 director of research Tod Beardsley says, “We think those were likely errors as they included a string of the honeypots’ IP addresses in them.

“Unless they are signs of some dastardly attack that we haven’t seen before, they are likely insignificant.”

Beardsley says if attackers were using automated tools to crack passwords online, we’d see a lot more of them.

“We conclude from this observation that online credential attackers are not generating truly random passwords, but are instead working entirely off lists of guessable passwords,” the report says.
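The cross-check the report describes is simple to reproduce: collect every password a honeypot sees, look each one up in the wordlist, and set aside anything unlisted that merely contains one of your own sensor addresses (the “likely errors” Beardsley mentions). The script below is an added illustration, not code from the Rapid7 report. The log format, the sensor addresses, the log lines and the tiny stand-in wordlist are all constructed; a real run would stream rockyou2021 from disk and parse the honeypot’s own log format.

```python
"""Cross-check honeypot credential attempts against a password list.

Added example, not Rapid7 code.  Everything below (log format, log lines,
honeypot addresses, wordlist) is constructed for illustration.
"""
import re
from collections import Counter, namedtuple

Attempt = namedtuple("Attempt", "service src user password")

# Constructed honeypot log: "<service> <source-ip> <username> <password>".
HONEYPOT_LOG = """\
ssh 203.0.113.7 root 123456
ssh 203.0.113.7 root 123456789
ssh 198.51.100.9 admin admin
rdp 198.51.100.9 administrator Password1
rdp 198.51.100.9 administrator admin123
ssh 203.0.113.7 user abc123
ssh 192.0.2.44 root 198.51.100.1
ssh 203.0.113.7 root Tr0ub4dor&3
garbage line that does not parse
"""

# Our own sensor addresses (constructed).  A "password" carrying one of these
# is almost certainly a client bug (argument mix-up), not a real guess.
HONEYPOT_IPS = {"198.51.100.1", "198.51.100.2"}

# Miniature stand-in for rockyou2021 (8.4 billion entries in reality).
WORDLIST = {"123456", "123456789", "admin", "Password1", "admin123",
            "abc123", "root"}

LINE_RE = re.compile(
    r"^(?P<svc>ssh|rdp)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<pw>.*)$")


def parse_attempts(text):
    """Return one Attempt per well-formed line; unparseable lines are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            attempts.append(Attempt(m["svc"], m["src"], m["user"], m["pw"]))
    return attempts


def cross_check(attempts, wordlist, honeypot_ips):
    """Split the unique attempted passwords three ways:
    found in the list, unlisted-but-noise (contains a sensor IP), unlisted."""
    unique = {a.password for a in attempts}
    in_list = {pw for pw in unique if pw in wordlist}
    remainder = unique - in_list
    noise = {pw for pw in remainder if any(ip in pw for ip in honeypot_ips)}
    return in_list, noise, remainder - noise


def top_n(attempts, field, n=3):
    """Most common values of one Attempt field, e.g. top usernames."""
    return Counter(getattr(a, field) for a in attempts).most_common(n)


def summarise(log_text, wordlist, honeypot_ips):
    """Headline numbers in the shape the report gives them."""
    attempts = parse_attempts(log_text)
    in_list, noise, unlisted = cross_check(attempts, wordlist, honeypot_ips)
    unique = len(in_list) + len(noise) + len(unlisted)
    return {
        "attempts": len(attempts),
        "unique_passwords": unique,
        "in_list": len(in_list),
        "noise": sorted(noise),
        "unlisted": sorted(unlisted),
        "listed_share": len(in_list) / unique if unique else 0.0,
    }


if __name__ == "__main__":
    report = summarise(HONEYPOT_LOG, WORDLIST, HONEYPOT_IPS)
    for key, value in report.items():
        print(f"{key}: {value}")
    attempts = parse_attempts(HONEYPOT_LOG)
    print("top users:", top_n(attempts, "user"))
    print("top services:", top_n(attempts, "service"))
```

On the constructed data, six of the eight unique passwords are listed, one is sensor-address noise and one (Tr0ub4dor&3) is a genuine outlier; on Rapid7’s real data the unlisted set was empty once the noise was discarded. Membership is tested against a set, so the same code scales to a full wordlist at the cost of memory; for rockyou2021 you would sort both sides and merge, or index the list, rather than hold 8.4 billion strings in RAM.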

The most common user names are defaults built into operating systems and the most commonly attempted passwords tend to be well-known passwords. 

The most commonly used RDP user names were ‘administrator’, ‘user’ and ‘admin’ while the most common passwords were ‘root’, ‘admin’ and ‘nproc’. One of the most popular passwords – the top SSH password in fact – was literally ‘123456’. And number 11 on the list? ‘123456789’. Password, 123, abc123, admin123 and even 1 all made the top 20 SSH list.

“What we found in many ways confirmed our assumptions. Attackers aren’t ‘cracking’ passwords on the internet; and we still collectively stink at password management,” Beardsley says. 

Instead, hackers are still relying on the ‘human connection to security infrastructure’ – notoriously one of the weakest links in the chain.

“Social engineering, like phishing for passwords, and credential stuffing (i.e. trying known passwords across other targeted platforms to catch someone reusing identical usernames and passwords) are still stronger ways for attackers to gain access to passwords than cracking them automatically,” Beardsley says in a blog post.

“What this tells us in practicality is that it’s not terribly hard to avoid this class of attack. In fact, some of the most attacked credentials were ones that should make any internet-literate person facepalm hard.”

Beardsley suggests the solution is as simple as having randomness in your passwords, not reusing them for multiple logins and above all not using default passwords. But for those charged with keeping company networks safe, that’s likely not that simple, as users struggle with a plethora of passwords, with some reports suggesting on average 100 passwords per user to keep track of. 

Earlier this year an IDC Global Survey on Identity and Access Management found that balancing company security requirements and the employee user experience was the number one identity challenge, followed by employees struggling with too many passwords.

The report found 83 percent of the organisations surveyed who had suffered a security breach believed it resulted from a compromised password or identity compromise such as phishing.

But while phishing simulations are increasingly being used by local companies, poor password hygiene apparently still abounds.

KnowBe4 says globally, passwords are reused 64 percent of the time while Cisco Duo says 57 percent of Australian consumers admit using the same password for multiple online accounts.

Worse, the 2022 Annual Identity Exposure report from SpyCloud found 70 percent of users breached in 2021 were still using the same exposed passwords found in the previous year’s breach and 82 percent of users with at least two exposed credentials had exactly matching passwords in both breaches. 

Kiwis appear to be doing slightly better, with Cert NZ’s Cybersecurity Attitudes and Motivations report, released in August, noting 57 percent of those surveyed reported using ‘strong’ passwords of 10+ characters with no personal information in them, and 45 percent saying they use different passwords across accounts. Fifty-one percent also reported using two-factor authentication. 

Cert has urged people to use passphrases – a string of four or more random words such as MyPerfectlyTrimmedHedge (though the team here at iStart do have some question marks on that specific example from Cert NZ…)

The agency added password managers to its critical controls list in 2021.

The Australian Cyber Security Centre has also recommended using passphrases.
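What makes a passphrase strong is that each word is drawn independently and at random from a large list, which is why a phrase assembled to read well, like the CERT NZ example above, is weaker than its length suggests. The script below is an added example, not code from CERT NZ, the ACSC or Rapid7: it draws words with the operating system’s CSPRNG and reports the entropy a list of a given size buys per word. The sixteen-word list is a constructed stand-in; in practice you would use a published list such as the EFF long wordlist (7776 entries), and the entropy figures scale with the list you use.

```python
"""Random-word passphrases and how much guessing entropy they carry.

Added example, not code from CERT NZ, the ACSC or Rapid7.  WORDS is a
constructed stand-in for a real wordlist of thousands of entries.
"""
import math
import secrets

# Constructed miniature wordlist (16 entries = 4 bits per word).
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orchard", "pepper",
]


def passphrase(n_words=4, words=WORDS, sep="-"):
    """Join n_words picked uniformly at random with secrets (CSPRNG),
    never with the random module, which is seeded predictably."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word drawn from at least two candidates")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_symbols, alphabet_size):
    """Entropy of n_symbols independent uniform draws from alphabet_size.
    Works for words from a wordlist or characters from a character set."""
    return n_symbols * math.log2(alphabet_size)


def words_needed(target_bits, list_size):
    """Smallest word count that reaches target_bits with a list of list_size."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("passphrase:", passphrase(4))
    print("4 words from 7776:", round(entropy_bits(4, 7776), 1), "bits")
    print("8 chars from 94 printable:", round(entropy_bits(8, 94), 1), "bits")
    print("words from 7776 needed for 80 bits:", words_needed(80, 7776))
```

Four words from a 7776-word list give about 51.7 bits, roughly the same as eight random printable characters but far easier to remember; seven words reach 80 bits. The entropy formula only holds when the words are chosen independently, so a phrase you composed yourself, or one that reads as a sentence, should not be credited with these numbers.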

Rapid7, meanwhile, suggests companies ensure default passwords for SSH and RDP servers, including those shipping with IoT and cloud solutions, are changed prior to deployment, and that companies audit SSH and RDP endpoints for default passwords using the open-source Defaultinator database of default credentials.

Encouraging a corporate culture of randomly-generated strong passwords using commonly-available password management solutions and routinely scanning their internet presence to discover SSH and RDP endpoints is also recommended. 
