SVR Password Spraying

SVR actors used password spraying to identify weak passwords on an administrative account in 2018. The spraying was "low and slow": they attempted small numbers of passwords at infrequent intervals. The requests came from a large number of IP addresses located in the same country as the victim. They then used this account to modify permissions on email accounts on the network, and compromised non-administrative accounts. They set user agent strings to appear to be older versions of mail clients. After gaining access to the first account, they used a leased VPS for the rest of their attacks.
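One way to detect the pattern described above, added here as an example and not part of the original note: per-IP lockout thresholds miss low and slow spraying, so this check counts distinct source IPs failing against a single account over a long window. The event format, thresholds, account names and user agent strings are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, account, user agent, success).
# IPs are documentation ranges; account and agent names are hypothetical.
EVENTS = [
    ("2018-03-01T02:14:00", "198.51.100.7", "admin-svc", "LegacyMail/12.0", False),
    ("2018-03-02T11:40:00", "203.0.113.21", "admin-svc", "LegacyMail/12.0", False),
    ("2018-03-03T19:05:00", "192.0.2.88", "admin-svc", "LegacyMail/12.0", False),
    ("2018-03-05T07:31:00", "198.51.100.140", "admin-svc", "LegacyMail/12.0", False),
    ("2018-03-06T23:52:00", "203.0.113.9", "admin-svc", "LegacyMail/12.0", True),
    # Ordinary user mistyping a password: several failures, but a single IP.
    ("2018-03-04T09:00:00", "192.0.2.10", "jdoe", "ModernMail/19.2", False),
    ("2018-03-04T09:00:20", "192.0.2.10", "jdoe", "ModernMail/19.2", False),
    ("2018-03-04T09:00:45", "192.0.2.10", "jdoe", "ModernMail/19.2", False),
    ("2018-03-04T09:01:10", "192.0.2.10", "jdoe", "ModernMail/19.2", True),
]

def find_low_and_slow(events, window=timedelta(days=7), min_ips=4, max_per_ip=2):
    """Flag accounts whose failures are spread thinly across many source IPs."""
    by_account = defaultdict(list)
    for ts, ip, account, agent, ok in events:
        by_account[account].append((datetime.fromisoformat(ts), ip, agent, ok))
    findings = []
    for account, rows in sorted(by_account.items()):
        rows.sort()
        fails = [r for r in rows if not r[3]]
        start = 0
        for end in range(len(fails)):
            # Advance the left edge until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_ip = Counter(ip for _, ip, _, _ in fails[start:end + 1])
            if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
                # A success after the spread-out failures is what to triage first.
                later_ok = [r for r in rows if r[3] and r[0] > fails[end][0]]
                findings.append({
                    "account": account,
                    "distinct_ips": len(per_ip),
                    "first_failure": fails[start][0],
                    "success_after": bool(later_ok),
                    "agents": sorted({a for _, _, a, _ in fails[start:end + 1]}),
                })
                break  # one finding per account is enough for triage
    return findings

if __name__ == "__main__":
    for finding in find_low_and_slow(EVENTS):
        print(finding)
```

The `agents` field lets an analyst compare the user agent strings seen during the failures against the mail clients actually deployed, since outdated client versions were part of the observed activity.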

[[APT29 (Cozy Bear)]] – also uses password spraying
[[MailSniper]] – can be used for password spraying
[[APT33]] – also used password spraying

Backlinks

IP Addresses
[[Password Cracking]]
[[Password Spraying]]
[[User Agent Strings]]
Virtual Private Server (VPS)