COVID-19 Cyber Threats: Brute Force Attacks
While it’s still safer to stay at home during the COVID-19 pandemic, it doesn’t mean that you are safe. There are now more cyber threats than ever before.
Aside from phishing, which seems to be the number one threat at the moment, Kaspersky statistics showed that brute force attacks on databases and web attacks have grown by almost 25% since January, while most people were working from home.1
“A brute force attack is the cyberattack equivalent of trying every key on your key ring, and eventually finding the right one.”2 Attackers use a computer to try different combinations of usernames and passwords until they gain unauthorized access.
There are different types of brute force attacks. The most basic one is the dictionary attack. The computer starts with some assumptions about common passwords like ‘password’ and then guesses from a dictionary list.
Credential recycling is also a type of brute force attack that reuses usernames and passwords from other data breaches.
Reverse brute force attacks start from a common password like ‘password’ and try it against one username after another until they find a username that matches. You might be thinking that no one uses ‘password’ as a password, but it was the most common password in 2017 and people still use it in different combinations like ‘Password1!’.
A brute force attacker’s motivation may include stealing information, infecting sites with malware, or disrupting service.
Any up-to-date computer can crack an eight-character alphanumerical (letters and numbers) password in two hours and decrypt a weak encryption hash in mere months. Hackers use various tools such as Aircrack-ng, Hashcat, Cain & Abel and John the Ripper.
Cyber security lessons learned
Most of the defences are about increasing the time required, but that is not the only defence. You can do the following to prevent a brute force attack on your accounts:
- Increase password length,
- Increase password complexity (make use of alphanumerical passphrases),
- Limit login attempts (lock out a user after 5 failed attempts),
- Implement CAPTCHA (CAPTCHA is a system to verify that you are human, which can stop brute force attacks in progress),
- Use multi-factor authentication (MFA adds a second layer of security that requires human intervention).
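The login-attempt limit above, as an added Python example that is not part of the original article: it locks an account after 5 failed attempts and also counts distinct usernames failing from one source, because a reverse brute force attack fails only once per account and never reaches a per-account limit. The event format, the 15-minute window, the four-username threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 5       # lockout threshold from the list above
SPRAY_USERNAMES = 4    # assumed: distinct usernames failing from one source
WINDOW_SECONDS = 900   # assumed: 15-minute sliding window

# Constructed sample events: (epoch_seconds, source_ip, username, success)
SAMPLE_EVENTS = (
    # dictionary attack: many guesses against a single account
    [(t * 10, "198.51.100.7", "alice", False) for t in range(6)]
    # reverse brute force: one guess each against many accounts
    + [(100 + i, "203.0.113.9", user, False)
       for i, user in enumerate(["bob", "carol", "dave", "erin"])]
    # ordinary user: one typo, then a successful login
    + [(200, "192.0.2.15", "frank", False), (205, "192.0.2.15", "frank", True)]
)

def analyse(events, max_failures=MAX_FAILURES,
            spray_usernames=SPRAY_USERNAMES, window=WINDOW_SECONDS):
    """Return (locked_accounts, spraying_sources) for a list of login events."""
    fails_by_user = defaultdict(list)    # username -> recent failure timestamps
    fails_by_source = defaultdict(list)  # source ip -> recent (timestamp, username)
    locked, spraying = set(), set()
    for ts, ip, user, ok in sorted(events):
        if user in locked:
            continue  # a locked account rejects every attempt, right password or not
        if ok:
            fails_by_user[user].clear()  # a successful login resets the counter
            continue
        recent = [t for t in fails_by_user[user] if ts - t <= window] + [ts]
        fails_by_user[user] = recent
        if len(recent) >= max_failures:
            locked.add(user)
        seen = [(t, u) for t, u in fails_by_source[ip] if ts - t <= window]
        seen.append((ts, user))
        fails_by_source[ip] = seen
        if len({u for _, u in seen}) >= spray_usernames:
            spraying.add(ip)
    return locked, spraying

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```

On the sample events the per-account limit locks only the account hit by the dictionary attack; the four accounts probed once each stay unlocked and are caught only by the per-source count.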
“It’s also important to highlight the role of identity in cyber breaches. Between July and December, 74 percent of malicious or criminal data breaches reported were as a result of compromised identity. This means that whether through phishing, stolen or compromised credentials or brute force attacks, malicious actors are elevating attacks through identity access to find personal and sensitive data.”3
1 Geronimo, A. (2020, May 27). The other side of quarantine: cyber threats continue to grow worldwide. https://www.tahawultech.com/industry/technology/other-side-quarantine-cyber-threats-grow-worldwide/
2 Petters, J. (2020, March 29). What is a Brute Force Attack?. https://www.varonis.com/blog/brute-force-attack/
3 Birmingham, A. (2020, June 4). Australia’s Healthcare Sector May Be Under Reporting PII Data Breaches: ForgeRock MD. https://which-50.com/australias-healthcare-sector-may-be-under-reporting-pii-data-breaches-forgerock-md/