
Cybersecurity has become a vital cog in any company, regardless of profile. Business owners have learned that malicious attacks and hackers are not to be underestimated. A ransomware report put together by Coveware shows that companies had to pay an average of $84,000 to retrieve data encrypted by Ryuk and Sodinokibi. The same report also mentions that the post-payment data-retrieval success rate is 98%.

Encouraging, but not exactly an assurance. Ransomware is not the only malware to hit the corporate world. Heimdal™ Security, along with many other cybersecurity actors, has ‘seen’ what can best be described as a resurgence of the brute force attack, one of the most rudimentary, yet unexpectedly effective, forms of cyber-aggression.

Normally, brute force attacks would be neutralized either by an installed, multi-feature anti-malware agent or by altering the login rules and policies. However, the current circumstances preclude the deployment of adequate defenses.

In this article, we are going to reexamine brute force attacks – what they are, how they work, and how to formulate a proper defense strategy. We shall also touch upon the matter of BFA resurgence and present Heimdal™ Security’s telemetry, attempting to correlate remote work with brute force attacks.

The Pathology of a Brute Force Attack

In cryptography, a brute-force attack* is a type of cyber-aggression that uses key-derivation functions in an attempt to ‘guess’ the password or passphrase on the target machine. It’s also called a cryptanalytic attack, since brute force attacks rely on cryptologic functions to ‘crack’ the cipher and infiltrate the machine.

Many believe BFAs to be crude, rudimentary, and rough. Nothing could be further from the truth. According to the paper A Study of Passwords and Methods Used in Brute-Force SSH Attacks by Jim Owens and Jeanna Matthews of Clarkson University’s Department of Computer Science, brute-force attacks rely heavily on password and passphrase dictionaries and on cryptologic ‘magic tricks’ that allow the malicious actors to guess the user’s credentials.

The outstanding analogy is that of a digital padlock – the attacker, with no hint about the password’s constitution, which, in the case of a padlock, is a combination of numbers (some even employ alphanumeric symbols), will attempt to unlock the imaginary security device by permutating the numbers or symbols. Readers well-versed in the point-and-click adventure genre will undoubtedly recognize in this analogy the most tedious and time-consuming puzzle.

These cryptologic curios are nothing if not ‘cerebral’. The above-mentioned study points out that even the ‘scrawniest’ attack employs sophisticated attack patterns for password-guessing. Since we’re on the topic of curiosities, the reader may perhaps be interested to know that not all operating systems react the same way when they come across a brute-force attack.

For instance, a study undertaken by the cybersecurity firm mi2g reveals that machines running Linux are more vulnerable to brute-force attacks compared to those running Microsoft’s proprietary operating systems or Mac OSX. Although aware of this vulnerability, Linux software engineers have yet to come up with a solution to close this exploitable loophole.

Brute-force-attacking a machine or a network is a laborious process, and, under normal circumstances, with a low success rate. It takes a lot of processing power to ‘guess’ the right sequence of alphanumerical symbols, not to mention time.

GPU-Assisted Brute-Force Attacks

In an article written for the Coding Horror blog, author Jeff Atwood points out that hardware-assisted brute-force cracking methods have proven to be even more effective than ‘CPU-only’ methods. Atwood, who did extensive research on hardware-augmented code-cracking systems, stated that BFAs backed up by GPUs can increase the speed by a factor of 25. In support of his statement, Atwood quoted Vladimir Katalov’s paper.

Katalov, the CEO of ELCOMSOFT (desktop, mobile, and cloud forensics provider), wrote that GPU-augmented BFAs are 25 times faster and can take anywhere from several minutes to a couple of days to crack a password, as compared to CPU-only attempts, which can take two to three months to decode a Windows login passphrase.

For this experiment, ELCOMSOFT used an Nvidia 8800 Ultra GPU which, at that time, cost around $800. However, Katalov mentioned that satisfactory results could also have been achieved by using a $150 dedicated graphics card.

The paper concluded that the GPU-unassisted code-cracking system would take several months to process an eight-character password string composed of upper- and lowercase letters and additional symbols.

There would be about 55 trillion (52 to the eighth power) possible passwords. Windows Vista uses NTLM hashing by default, so using a modern dual-core PC you could test up to 10,000,000 passwords per second, and perform a complete analysis in about two months.

Oversimplifying the mechanism, one can say that the sheer number of permutations is what makes brute-force attacks tick. Let us build on that last statement.

(*) Attackers can also try to ‘guess’ the key (the information that determines the output of a cryptographic algorithm). This is called an exhaustive key search (attack). It’s carried out through a method called a key derivation function.

Brute-Force attacks by strike pattern

Depending on the strike pattern, brute-force attacks can be divided into two major categories:

1. Password-reliant BFAs

The most common form of a password-reliant brute-force attack is the one that exploits username-password pairs. It’s not uncommon for machines to be ‘secured’ by username-password pairs such as:

Username: root
Password: root
Username: guest
Password: guest
Username: admin
Password: admin

Password-reliant BFAs can potentially account for variations in usernames and passwords. For instance, the admin username can incorporate a numerical prefix (or suffix). The same generation principle can be applied when formulating the password paired with the username.

Username: root123
Password: root123
Username: guest56%
Password: guest56%
Username: admin983
Password: admin983

Username-password pairs need not be generic or semantically related to roles assigned by access governance (guest, admin, webmaster, user, etc.). They can also incorporate first names or surnames, the latter category being more prevalent than the first one. The name/surname pair may be accompanied by alphanumeric characters for additional strength. It’s not uncommon to find dissimilarities in user-pass generation (i.e. the password doesn’t match the username or vice-versa).

As a result, on boot, a machine can accept the following credentials:

Username: Joshua
Password: Joshua
Username: joshua569
Password: joshhua569
Username: Joshua563
Password: admin

Malicious actors can take advantage of certain commonalities in password and username creation to facilitate infiltration. For additional information regarding password faux pas, refer to Bianca Soare’s article Password mistakes you and your employees are (probably) making and Miriam Cihodariu’s password rundown article Top 550+ funny passwords ever encountered.

2. BFAs with ‘attack’ dictionaries

Attack dictionaries are comprehensive databases containing username-password pairs used in previous brute-force attacks. BFAs, especially those targeting HVTs (high-value targets), employ shared attack dictionaries (i.e. dictionaries used to conduct multiple attacks, sometimes against the same machines). The major advantage of this attack method resides in the dictionary’s innate ability to compensate for orthographic and phonetic variations. For instance, root, one of the most common Windows login usernames, can have any number of representations. Besides, it can also include numerical and other types of characters (i.e. root1, root_1, 1_root_1, r00t, etc.).

Attack dictionaries cannot be downloaded or imported, although there is the possibility of attack dictionary transposition from one attack to another. Popular brute-force attack software such as Cain & Abel, Crack, John the Ripper, or the Metasploit Project comes with built-in attack dictionaries that dramatically decrease the time it takes to compute a username-password pair.

Brute-force attack methods

Depending on the attack methodology employed, brute-force attacks can be divided into two major categories:

1. Prolonged

The targeted machine will be assailed over a long period. It can vary from several days to a couple of weeks, depending on the user-pass pair strength, pair length, computational speed, code-cracking method, and countermeasures. BFA research has revealed that a single machine can sustain between 50 and 100 brute-force attacks per day. Also, the access requests can be launched from more than one IP address. Prolonged brute-force attacks have an increased chance of being detected.

2. Distributed

‘Surgical’ brute-force strikes – spreading the attempts across time, source IPs, and targets increases the obfuscation factor. In the case of distributed brute-force attacks, login attempts take the form of short and highly ‘concentrated’ bursts (e.g. 40 login attempts initiated from a single IP, distributed over 3 to 4 minutes).

Conclusions: decreased detection rate and increased chances of success.

Case study – Limitations of a Brute-Force Attack

Brute-force attacks do have their shortcomings. The available literature on the subject reveals that despite their devastating effectiveness against SSH encryption protocols, they have little to no effect on 128-bit keys, such as those used by modern data-encryption algorithms like AES.

The argument is as follows:

Any 128-bit key is considered to be computationally secure against brute-force attacks, since the amount of computational energy required to check every generated key and cycle through the whole key space would be tremendous. Furthermore, a brute-force attack would invariably generate entropy, considering that it employs conventional code-breaking operations.

The reasoning is supported by the so-called Landauer limit. According to this physical principle, there is a lower bound on the energy required by any type of computation. It is expressed as

kT * ln2

per bit erased during the said computation.

The principle dictates that no machine can use less energy than this to perform computations. Thus, taking into account that the processor operates at circa 300 kelvin during the computation and that ln2 is about 0.7, a standard 128-bit key would require the processor to perform 2^128 − 1 bit flips (i.e. algorithmic manipulations of bits and of data shorter than one word).

The power required for these computations amounts to 30 gigawatts (value computed by applying the von Neumann-Landauer limit).

For the entire process to unfold, the machine would require circa 263 terawatt-hours to cycle through the so-called key space. The ‘by-product’ of this extensive computational ‘effort’ will undoubtedly be entropy.
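Carrying the Landauer argument above through with the article’s own figures, as an added worked calculation that is not part of the original text (k ≈ 1.38 × 10^-23 J/K, T = 300 K and ln2 ≈ 0.7 are the values the text uses):

E_bit = kT * ln2 ≈ (1.38 × 10^-23 J/K) × (300 K) × 0.7 ≈ 2.9 × 10^-21 J per bit erased

N = 2^128 − 1 ≈ 3.4 × 10^38 bit flips for the full 128-bit key space

E_total = N × E_bit ≈ 3.4 × 10^38 × 2.9 × 10^-21 J ≈ 9.9 × 10^17 J ≈ 10^18 J

1 TWh = 3.6 × 10^15 J, so E_total ≈ 270 TWh; spread over one year (8,760 h) that is a sustained draw of about 30 GW

The 263 TWh figure above is exactly 30 GW held for one year (30 GW × 8,760 h); the rounding of k and ln2 moves the total by a few percent either way, which is why the two estimates differ slightly.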

BFA – RDP Matchmaking in the Context of the Post-Lockdown Phase

Vulnerabilities in RDP’s encryption have made it possible for malicious actors to enter the machine unhampered and perform various actions. Heimdal™ Security telemetry reveals a staggering increase in brute-force attacks.

For instance, there is a 25,000% increase in the January-February timeframe compared to the previous interval (December-January). Baffling as that uncannily high percentage is, the peak of the phenomenon was registered in late March (over 9,000 brute-force attacks in one day). The phenomenon appears to diminish in early April, and a relative flatline was detected at the end of May.

We consider March as the absolute boiling point of brute-force attacks – with over 150,000 attacks (an average of 5,400 brute-force attacks per day) registered, most occurred at least twice per day, but from different IP addresses.

In April, Heimdal™ Security’s telemetry revealed a visible drop, both in terms of intensity and number.

In May, those numbers declined further. However, this sudden change of pace should not be mistaken for a return to normalcy, since the May numbers are significantly higher compared to our proposed baseline (January).

This sudden drop (~88%) can be explained by the decision-makers in our database ordering additional Heimdal™ Security countermeasures for the remote workforce and the subsequent reinforcement of the detection and mitigation grid. As far as distribution is concerned, in January the phenomenon follows a discontinuous trend.

Our data indicate a 7-day attack gap at the beginning of the month. By mid-January the gap decreases – attacks are 2 to 3 days apart. In February, the gap reaches its lowest threshold (brute-force attacks registered each day). As far as March and April are concerned, there are no visible gaps in BFAs. The same statement has been validated for May.

Statistical analysis has revealed that 98.5% of attacks have been concentrated around the RDP port (3389). The rest targeted the logon screen. No critical breaches or data exfiltrations have been detected. Refer to the graph below to see the evolution of the BFA phenomenon.

Dealing with brute-force attacks

Below, you will find a list of quick actions you can take to protect your machine against brute-force attacks.

1. Download Microsoft’s legacy patch

In May 2019, Microsoft released the CVE-2019-0708 patch to prevent remote code execution via RDP. You can download the patch from Microsoft’s support page.

2. Enable Network Level Authentication

NLA adds an extra layer of protection, since it requires the user to authenticate before the session is initiated. To enable it, open Control Panel, head to System and Security and click on System.

Go to Remote Settings, click on Remote, and then on Remote Desktop. Highlight the option “Allow connections only from computers running a remote desktop with Network Level Authentication.”

3. Manually block TCP port 3389

Head to Control Panel, select System and Security, and click on Windows Firewall. Head to Advanced Settings >> Inbound Rules, click on New Rule, and then choose Port. When you’re done, click Next. Highlight TCP and then select Specific Local Ports. Type in 3389. Click Next, type in a name for your newly created rule, and then click Finish.

4. Enforce 2FA for RDP requests

Tokens can be used to enforce two-factor authentication for RDP connections. Refer to Microsoft’s documentation on 2FA rule enforcement for setup and configuration.

5. Deploy an endpoint security solution with port-blocking features

E-PDR solutions like Heimdal™ Next-Gen Antivirus & MDM​ have built-in countermeasures that protect your endpoints against RDP-directed cyber-aggressions, brute-force attacks, or similar.

6. Determine if your endpoint has been subjected to a brute-force attack

According to Microsoft, machines assaulted and/or compromised as a result of a brute-force attack show tell-tale signs. Here are the signals you should look out for:

  1. Hour of day and day of the week of failed sign-in and RDP connections;
  2. Timing of successful sign-in following failed attempts;
  3. Event ID 4625 login type (filtered to network and remote interactive);
  4. Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313);
  5. Cumulative count of distinct usernames that failed to sign in without success;
  6. The count (and cumulative count) of failed sign-ins;
  7. Count (and cumulative count) of RDP inbound external IP;
  8. Count of other machines having RDP inbound connections from one or more of the same IP.
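The signals above (4625 logon-type and failure-reason filters, failure counts and distinct usernames per source IP, a success following failures) and the burst pattern described under “Distributed” earlier, turned into detection logic run over constructed sample events. This is an added example, not code from the article or from Microsoft; the event records are simplified tuples rather than the real Security log schema, and the addresses, accounts and timestamps are invented.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security events 4625 (failed logon)
# and 4624 (successful logon), simplified to the tuple
# (timestamp, event_id, logon_type, status, account, source_ip). All values are invented.
T0 = datetime(2020, 3, 15, 2, 0, 0)
SAMPLE_EVENTS = []
# a "distributed" burst: 40 failed RDP logons from one address, 5 s apart (3 min 20 s)
for i in range(40):
    SAMPLE_EVENTS.append((T0 + timedelta(seconds=5 * i), 4625, 10, "%%2313", "admin", "198.51.100.7"))
# the same address then succeeds against 'admin' two minutes after the burst ends
SAMPLE_EVENTS.append((T0 + timedelta(minutes=5, seconds=15), 4624, 10, "-", "admin", "198.51.100.7"))
# a "prolonged" pattern: one failed network logon per hour from a second address
for h in range(6):
    SAMPLE_EVENTS.append((T0 + timedelta(hours=h), 4625, 3, "%%2308", f"user{h}", "203.0.113.9"))
# noise the filters should drop: a local console failure and a status code outside the list
SAMPLE_EVENTS.append((T0 + timedelta(minutes=1), 4625, 2, "%%2313", "joshua", "127.0.0.1"))
SAMPLE_EVENTS.append((T0 + timedelta(minutes=2), 4625, 10, "%%2307", "guest", "203.0.113.9"))

NETWORK_LOGON_TYPES = {3, 10}                   # network and remote interactive (RDP)
FAILURE_CODES = {"%%2308", "%%2312", "%%2313"}  # the sub-status codes the article lists

def relevant_failures(events):
    """4625 events passing the logon-type and failure-reason filters, oldest first."""
    return sorted((e for e in events
                   if e[1] == 4625 and e[2] in NETWORK_LOGON_TYPES and e[3] in FAILURE_CODES),
                  key=lambda e: e[0])

def failures_by_ip(events):
    """Per source IP: (number of filtered failures, number of distinct usernames tried)."""
    counts, users = Counter(), defaultdict(set)
    for _, _, _, _, account, ip in relevant_failures(events):
        counts[ip] += 1
        users[ip].add(account)
    return {ip: (counts[ip], len(users[ip])) for ip in counts}

def burst_sources(events, threshold=40, window=timedelta(minutes=4)):
    """Source IPs with at least `threshold` filtered failures inside any sliding window."""
    times_by_ip = defaultdict(list)
    for e in relevant_failures(events):
        times_by_ip[e[5]].append(e[0])          # already sorted oldest first
    return {ip for ip, t in times_by_ip.items()
            if any(t[i + threshold - 1] - t[i] <= window
                   for i in range(len(t) - threshold + 1))}

def success_after_failures(events, lookback=timedelta(minutes=30)):
    """(ip, account) pairs where a network 4624 follows filtered failures from the same IP."""
    fails = relevant_failures(events)
    return {(ip, account) for ts, eid, ltype, _, account, ip in events
            if eid == 4624 and ltype in NETWORK_LOGON_TYPES
            and any(f[5] == ip and ts - lookback <= f[0] <= ts for f in fails)}
```

On a real host the same functions can be fed from the Security log (events 4624/4625 with their LogonType, Status/SubStatus and IpAddress fields) once those fields are mapped onto the tuple layout used here.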

via Microsoft Security Blog


The recent revival in brute-force attacks proves that endpoints have yet to achieve complete security. Given the right circumstances, even something as basic and crude as a brute-force attack can be devastating.
