{
	"id": "ebe7ab2c-bcef-4779-94ed-9d8a2ac6c6f8",
	"created_at": "2026-04-06T00:19:08.604965Z",
	"updated_at": "2026-04-10T13:11:25.101146Z",
	"deleted_at": null,
	"sha1_hash": "2f2b3e36cd5f7cc682ae2bf1ae47f1f0dbb634b5",
	"title": "Brute Force Attacks Conducted by Cyber Actors | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49662,
	"plain_text": "Brute Force Attacks Conducted by Cyber Actors | CISA\r\nPublished: 2020-05-06 · Archived: 2026-04-05 21:03:16 UTC\r\nSystems Affected\r\nNetworked systems\r\nOverview\r\nAccording to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad.\r\nIn February 2018, the Department of Justice in the Southern District of New York indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses related to activity described in this report. The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group.\r\nThe Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are releasing this Alert to provide further information on this activity.\r\nIn a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked out, as commonly used account-lockout policies allow three to five bad attempts during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.\r\nPassword spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise.\r\nEmail applications are also targeted. In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization's email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company’s email address list, and/or (4) surreptitiously implement inbox rules for the forwarding of sent and received messages.\r\nTechnical Details\r\nTraditional tactics, techniques, and procedures (TTPs) for conducting the password-spray attacks are as follows:\r\nUsing social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray\r\nhttps://www.us-cert.gov/ncas/alerts/TA18-086A\r\nPage 1 of 3\r\nUsing easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method\r\nLeveraging the initial group of compromised accounts, downloading the Global Address List (GAL) from a target’s email client, and performing a larger password spray against legitimate accounts\r\nUsing the compromised access, attempting to expand laterally (e.g., via Remote Desktop Protocol) within the network, and performing mass data exfiltration using File Transfer Protocol tools such as FileZilla\r\nIndicators of a password spray attack include:\r\nA massive spike in attempted logons against the enterprise SSO portal or web-based application; using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String). Attacks have been seen to run for over two hours.\r\nEmployee logons from IP addresses resolving to locations inconsistent with their normal locations.\r\nTypical Victim Environment\r\nThe vast majority of known password spray victims share some of the following characteristics [1][2]:\r\nUse SSO or web-based applications with a federated authentication method\r\nLack multifactor authentication (MFA)\r\nAllow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)\r\nUse inbox synchronization, allowing email to be pulled from cloud environments to remote devices\r\nAllow email forwarding to be set up at the user level\r\nHave limited logging set up, creating difficulty during post-event investigations\r\nImpact\r\nA successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:\r\nTemporary or permanent loss of sensitive or proprietary information;\r\nDisruption to regular operations;\r\nFinancial losses incurred to restore systems and files; and\r\nPotential harm to an organization’s reputation.\r\nSolution\r\nRecommended Mitigations\r\nTo help deter this style of attack, the following steps should be taken:\r\nEnable MFA and review MFA settings to ensure coverage over all active, internet-facing protocols.\r\nReview password policies to ensure they align with the latest NIST guidelines [3] and deter the use of easy-to-guess passwords.\r\nReview IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align to company policy, creating an exploitable security gap.\r\nMany companies offer additional assistance and tools that can help detect and prevent password spray attacks, such as the Microsoft blog released on March 5, 2018. [4]\r\nReporting Notice\r\nThe FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s National Press Office at npo@ic.fbi.gov or (202) 324-3691.\r\nReferences\r\n[4] Microsoft. Azure AD and ADFS best practices: Defending against password spray attacks\r\nRevisions\r\nMarch 27, 2018: Initial Version\r\nSource: https://www.us-cert.gov/ncas/alerts/TA18-086A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA18-086A"
	],
	"report_names": [
		"TA18-086A"
	],
	"threat_actors": [
		{
			"id": "42e41377-c64c-4be9-87a0-ee903e4b9055",
			"created_at": "2023-01-06T13:46:38.950322Z",
			"updated_at": "2026-04-10T02:00:03.158476Z",
			"deleted_at": null,
			"main_name": "Silent Librarian",
			"aliases": [
				"Mabna Institute",
				"TA407",
				"TA4900",
				"Yellow Nabu",
				"COBALT DICKENS"
			],
			"source_name": "MISPGALAXY:Silent Librarian",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ba9e3e3-1cef-4e20-be7e-95f05e8295d7",
			"created_at": "2022-10-25T16:07:23.821494Z",
			"updated_at": "2026-04-10T02:00:04.759302Z",
			"deleted_at": null,
			"main_name": "Mabna Institute",
			"aliases": [
				"Academic Serpens",
				"Cobalt Dickens",
				"G0122",
				"Mabna Institute",
				"Silent Librarian",
				"TA407",
				"TA4900",
				"Yellow Nabu"
			],
			"source_name": "ETDA:Mabna Institute",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434748,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f2b3e36cd5f7cc682ae2bf1ae47f1f0dbb634b5.pdf",
		"text": "https://archive.orkl.eu/2f2b3e36cd5f7cc682ae2bf1ae47f1f0dbb634b5.txt",
		"img": "https://archive.orkl.eu/2f2b3e36cd5f7cc682ae2bf1ae47f1f0dbb634b5.jpg"
	}
}