Key Insights
Brute-force attacks are on the rise, with attackers using millions of hacked devices to crack passwords and break into accounts. These attacks are targeting everything from personal accounts to business networks, putting sensitive data at serious risk.
Who should read this?
- Individual users – Anyone using weak passwords for personal or organizational online accounts.
- Organizations – Businesses that store sensitive data, manage user accounts, or provide online services.
What is a brute-force attack?
A brute-force attack happens when attackers keep trying every possible password until they get it right. These attacks are becoming more common and dangerous as attackers use networks of infected devices to rapidly test multiple password combinations. With these networks, attackers can try millions of password combinations at once, increasing the likelihood of success.
For example, recently:
- A large-scale cyber attack targeted VPN devices, using over 2.8 million computers to guess weak passwords. VPNs are tools that help protect online privacy by hiding your connection and encrypting your data. If successful, attackers can easily access sensitive business and personal information.
- Attackers are increasingly using automated HTTP client tools to try many different passwords quickly. These tools help them break into services like Microsoft 365 accounts by guessing passwords faster and more efficiently.
These incidents show how attackers are evolving. By using more devices and automation, they’re able to bypass weak security measures, making it harder for organizations and individuals to protect their data.
Why does this happen?
- Weak passwords – Many people still use simple or default passwords, such as “123456” or “password,” which are easy for attackers to guess.
- Large-scale attacks – Attackers use networks of compromised devices (botnets) to launch attacks on a massive scale, allowing them to try millions of passwords in a short time. Because the attempts come from many different devices, the attack is much harder to block at its source.
What’s the risk?
- Unauthorized access to multiple accounts – Once attackers crack one password, they may gain access to other accounts if you use similar passwords. This can lead to a widespread breach of your personal or business systems, putting more data at risk.
- Spreading of malware – After breaking in, attackers might install harmful software on your system, which can steal your data, damage your files, or even use your device to attack others.
- Misuse of stolen data – Attackers may steal sensitive data, which can then be used for malicious purposes, such as identity theft, fraud, or blackmail. The stolen data could also be sold on the dark web or used in further cyber attacks.
How to stay safe?
For individual users
- Follow the company’s password policy – Many devices, including routers and VPNs, come with weak, default passwords that attackers can easily guess. Be sure to change any default passwords and ensure your new password meets the complexity requirements as per company policy.
- Don’t reuse passwords – Using the same password for multiple accounts increases the risk of an attack. If attackers get into one account, they could easily access the others, too. Always use unique passwords for each account.
- Check your devices – Look for strange apps or processes running on your devices, especially if you notice your system slowing down or acting strangely. This could be a sign your device is part of a botnet.
- Ensure MFA is activated – If your organization has implemented Multi-Factor Authentication (MFA), make sure it is activated for your account. If it’s not yet set up, reach out to your IT or security team for assistance.
For organizations
- Set limits on login attempts – Configure systems to automatically block IP addresses after a certain number of failed login attempts. This can make brute-force attacks much harder to carry out.
- Use account lockouts for multiple failed logins – After a set number of failed login attempts, lock accounts for a specified period or require manual intervention for a reset. This will limit automated attacks.
- Monitor login patterns – Pay attention to unusual login times, IP addresses, or multiple login attempts from the same account. Detecting these patterns early can help stop an attack before it succeeds.
- Disable unused accounts – Just changing passwords isn’t enough; ensure that old, unused accounts are completely disabled to prevent attackers from exploiting them.
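The login-attempt limits, account lockouts and pattern monitoring above can be driven by the same failed-login counting. The following is an added example, not code from this advisory or its sources; it runs a sliding-window count over constructed sshd-style log lines and goes one step beyond the per-IP blocking described above by also counting failures per account, which is what catches a botnet spreading its guesses for one account across many source addresses. The log format, thresholds and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style sample lines (not real log data): one IP hammering
# "admin", a botnet-style spread of IPs against "jsmith", one benign typo.
SAMPLE_LOG = """\
2025-02-10 09:00:01 sshd: Failed password for admin from 203.0.113.5
2025-02-10 09:00:02 sshd: Failed password for admin from 203.0.113.5
2025-02-10 09:00:03 sshd: Failed password for admin from 203.0.113.5
2025-02-10 09:00:04 sshd: Failed password for admin from 203.0.113.5
2025-02-10 09:00:05 sshd: Failed password for admin from 203.0.113.5
2025-02-10 09:00:10 sshd: Failed password for jsmith from 198.51.100.1
2025-02-10 09:00:11 sshd: Failed password for jsmith from 198.51.100.2
2025-02-10 09:00:12 sshd: Failed password for jsmith from 198.51.100.3
2025-02-10 09:00:13 sshd: Failed password for jsmith from 198.51.100.4
2025-02-10 09:00:14 sshd: Failed password for jsmith from 198.51.100.5
2025-02-10 09:30:00 sshd: Failed password for alice from 192.0.2.9
2025-02-10 09:30:05 sshd: Accepted password for alice from 192.0.2.9
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) sshd: Failed password for (?P<user>\S+) from (?P<ip>\S+)$")

def _over_threshold(events, threshold, window):
    # Sliding window: flag a key once `threshold` failures fall within `window`.
    flagged = set()
    for key, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (ips_to_block, accounts_to_lock) for failures over threshold."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successes and unrelated lines do not count
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        by_ip[m["ip"]].append(ts)
        by_user[m["user"]].append(ts)
    return (sorted(_over_threshold(by_ip, threshold, window)),
            sorted(_over_threshold(by_user, threshold, window)))
```

On the sample data only 203.0.113.5 crosses the per-IP threshold, while both admin and jsmith cross the per-account threshold; a per-IP rule alone would never see the jsmith attempts, since each source address fails just once.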
References
- Cyber Security News on Hackers Using HTTP Client Tools
- TechRadar: Huge Cyber Attack Targeting VPN Devices
- Bleeping Computer: Massive Brute-Force Attack Targeting VPN Devices
- Cyber Security Dive: Brute-Force Attacks Using Botnets
- Forbes: 28 Million Devices in New Hack Attack
- Forbes: FBI Warns About Brute-Force Password Spy Attacks