TID-314: Passwords Can Be Guessed Using Brute-Force Attempts

Threat Description

A threat actor could gain unauthorized access by continually guessing passwords. This could be because the device allows passwords with insufficient entropy, short password lengths, or does not have a mechanism to increase the time it takes to randomly guess passwords, such as password lockouts or cooldowns between guesses.

Threat Maturity and Evidence

Observed Adversarial Technique

• APT Cyber Tools Targeting ICS/SCADA Devices
  “Brute-force Schneider Electric PLC passwords using CODESYS and other available device protocols via UDP port 1740 against defaults or a dictionary word list (Note: this capability may work against other CODESYS-based devices depending on individual design and function, and this report will be updated as more information becomes available);”

CWE

• CWE-334: Small Space of Random Values
  “The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.”

• CWE-307: Improper Restriction of Excessive Authentication Attempts
  “The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.”

CVE

• None referenced