Morto A, Brute-Force and the Perpetual Problem of Insecure Privileged Accounts


by Roy Adar

Consider these keyboard combinations: *1234, 123, 369, abc123, abcd1234, admin, admin123, letmein, pass, password, test and user.

Not exactly what you’d call strong administrative passwords, but they are some of the combinations the Morto A worm carries in its brute-force library to attack target machines. According to an article in NetworkWorld, the Morto A worm continues to spread “despite its reliance on a list of lame passwords to take over victim machines.” Those machines, and all the information on them, are now vulnerable and at the mercy of the virus to delete, corrupt or quietly steal.

We believe that with a few tweaks, this simple brute-force approach can quickly resurface in more targeted attacks. Of course the most obvious response to better protecting organizations against this sort of attack is to limit reliance on “human selected passwords,” particularly related to passwords for privileged accounts. Ideally, fully random, long passwords can take years to brute-force or may never be cracked. And, when you consider an organization with thousands of sensitive servers, applications and systems, and hundreds of privileged accounts, automating the generation and management of strong passwords becomes all that more important to making the organization resistant to brute-force attacks.

This attack reminds me of the SQLsnake worm (aka SQLspida) that in 2001-2002 “brute-forced” its way into SQL Servers that had a blank “sa” password (the previous default password). It was extremely successful in spreading across tens of thousands of SQL Server databases where the default privileged password for “sa” was never changed from manufacturer defaults. While the SQLsnake only tried a single password, the Morto A tries 37 password values. How long before we see viruses that take this to the next level by using internal random generators to try larger scale brute-force attacks? It may not be long given that the virus does not need to contain a hard-to-disguise dictionary and can leverage the local Microsoft Word dictionary files, for example.

So, improving privileged password management isn’t just a good idea and a security best practice, it’s a business necessity. Consider the number of cyber attacks in the past year that used a common pathway for entering an organization, via privileged accounts. While the initial infiltration can use common and rather hard to prevent techniques such as phishing or social engineering, once inside, hackers can fairly easily take advantage of the lack of proper privilege controls. If hackers can easily brute-force your privileged passwords there is nothing to stop them from jumping from desktop, to applications, to your network core.

It’s been said before, but we subscribe to the notion that organizations need to assume that hackers have already breached the perimeter. Therefore a proactive approach to implementing internal controls and protecting privileged accounts is a critical building block in your defense strategy.

What are your organization’s best practices for privileged password management?

Leave a Reply

Your email address will not be published. Required fields are marked *

You must be logged in to post a comment.