'Brute force' attacks against SMBs on the rise

Attackers try a small set of passwords against a large number of user names

The number of "brute force" attacks on small and mid-sized companies has risen dramatically in the past few months, according to Houston-based Alert Logic, an on-demand IT network security company that focuses on small and medium-sized businesses (SMBs).

Brute force attacks are those in which an attacker uses various ways to break into a company's private network, trying various methods until a break-in occurs, says Chris Smith, vice president of marketing for Alert Logic.

Alert Logic has seen more than a 1,000% increase over the past three months in brute force attacks, the company says. Considerably more dangerous than random email-borne viruses, the increase indicates that criminals are specifically taking advantage of lesser security measures used by most SMBs, the company says.

"Prior to this, what we noticed out there being directed at mid-sized companies was the more broad-based sweeps or scans, which means that there were certain well-known vulnerabilities that were being targeted, but they were being broadly targeted," Smith says. "That means that the bad guys were broadly sweeping a bunch of companies ... for these general vulnerabilities and when they found those vulnerabilities they would find a way in."

Now, however, hackers are targeting their attacks at specific services like File Transfer Protocol (FTP) and are employing the brute force password cracking technique, says Smith.

"So they'll keep pounding on a particular target, trying to get through," he says. "It's more targeted, more concerted, more persistent. Part of the reason we think we're seeing this is that companies have [become] better [at] adopting patch managing technology and other technologies that keep those these vulnerabilities that used to be targeted ... relatively covered."

Johannes Ullrich, an analyst at The SANS Institute in Washington, agrees that brute force attacks have been on the rise for a while, but he didn't see numbers as high as Alert Logic.

"Brute force attacks are amazingly successful and simple," he says. "They do not require any particular exploit, but just a script to automatically guess the right password. Over the last couple years, we see less of the classic brute force attacks where an attacker is guessing many passwords for a particular account. Instead, attackers try a small set of passwords — even if they use a 100 or so — against a large number of user names. This bypasses some of the lock-out policies companies put in place to prevent brute forcing.

"Targets of brute force attacks are SSH (Secure Shell), FTP and Windows networking among other services," he says.