Thought leadership. threat analysis, news and alerts.
Why Single Factor Authentication Isn’t Enough to Protect Your Organization’s Network
Many of today’s cyberattacks have been successful, not because of advanced technology but because of one often ignored fact: the use of single factor authentication.
What Is Single Factor Authentication?
Single factor authentication is a cybersecurity measure that relies on the use of a username and password pair. While single factor authentication is commonly used in emails, this cybersecurity measure is also common as a perceived defensive measure in protecting endpoints – devices such as desktops and laptops that connect to a computer network and communicates back and forth with the network resources.
RDP Brute-Force Attacks
Single factor authentication has surprisingly been used as a defensive measure in protecting RDP, short for remote desktop protocol. RDP, a proprietary protocol developed by Microsoft, provides users with a graphical interface to connect to another computer over a network connection. In brute-forcing an RDP, a malicious actor attempts to sign in to an RDP with an administrator account by effectively guessing the correct username and password combination through a trial-and-error method. By successfully guessing the correct username and password combination, a malicious actor can gain access to a target computer and conduct further malicious activities such as stealing data, drop a ransomware or used the compromised computer for cryptocurrency mining.
In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks" published in December 2019, Microsoft Defender ATP Research Team reported that out of nearly 45,000 computers that had both RDP public IP connections and at least one network failed sign-in, the team found that, on average, several hundred computers per day had high probability of experiencing one or more RDP brute force attack attempts.
API Credential Stuffing Attacks
Threat actors also exploit the use of a single factor authentication in gaining access to the victims’ IT infrastructure such as cloud server through credential stuffing attacks. In a credential stuffing attack, an attacker uses the single factor authentication credentials stolen from other data breaches.
The difference between credential stuffing attack and brute force attack is that in credential stuffing attack, guesses are based on the stolen usernames and passwords, while in brute force attack, guesses have no bases at all, with some attempts using characters at random.
In the past 10 years, billions of username and password combinations have been stolen from different individuals and organizations around the globe. These stolen usernames and passwords are publicly made available online, while others are sold online on the dark web.
Haveibeenpwned, a site that allows internet users to check whether their personal data has been compromised by data breaches has within its records millions of user accounts. In April 2019, the group known as “GnosticPlayers” released online breached records of nearly one billion users, including usernames and passwords.
While the success rate of credential stuffing attacks is only about 0.1% – which means that for every 1,000 attempts, roughly only one will succeed, the sheer volume of stolen single authentication credentials makes credential stuffing worth it. The success rate of 0.1%, for instance, for one million attempts could lead to nearly 1,000 successful cracked accounts.
APIs, short for application programming interfaces, are favourite targets by malicious actors in their credential stuffing attacks. An API allows two systems to communicate with one another. APIs allow easy access to a third-party platform, for instance, cloud storage. From December 2017 to November 2019, Akamai reported that it observed nearly 85.5 billion credential stuffing attacks across its customer base. Out of the 85.5 billion credential stuffing attacks, Akamai said 16.5 billion of these attacks were directed against hostnames that were clearly identified as API endpoints – referring to one end of a communication channel such as a URL of a server.
Brute force attackers and credential stuffing attackers are unstoppable because systems allow users to guess as many username and password combinations without limit. While some mitigate these two types of attacks through throttling, attackers bypass throttling by staging a low and slow approach.
Akamai reported that credential stuffing attackers take advantage of the unlimited guesses by guessing tens of thousands of credentials in minutes. Microsoft Defender ATP Research Team, meanwhile, reported that RDP brute force attacks often last for 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.
Cybercriminals are able to launch millions of these brute force and credential stuffing attacks in just a short span of time through the use of internet bots – referring to software applications that run automated tasks over the internet. To automate brute force or credential stuffing attacks, botnets are used by attackers. Botnets refer to a group of hijacked computers and controlled by cybercriminals to conduct malicious activities such as brute force attacks, credential stuffing attacks and distributed denial-of-service (DDoS) attacks.
By utilizing botnets, attackers are able to launch several login attempts simultaneously. The use of botnets or group of hijacked computers makes it appear that the login attempts come from different computers from different locations. Some botnets hijacked a few thousands and some hijacked millions of computers. The use of botnets bypasses security measures such as banning IP addresses with too many failed logins.
The use of multi-factor authentication effectively blocks brute force and credential stuffing attacks. In multi-factor authentication, aside from the correct username and password combination, a user is asked to provide additional information such as access token, face ID or a fingerprint – generally, things that bots can’t provide.
While we always recommend a multi-factor authentication, in many cases, businesses don’t evaluate basic IT controls and fall victim to cyberattacks.
Connect with us today and our team will evaluate your IT controls to ensure that decision makers understand the business impact and clearly understand what they need to focus on, both long and short-term.
Steve E. Driz, I.S.P., ITCP