TID-314: Passwords Can Be Guessed Using Brute-Force Attempts
Threat Description
A threat actor could gain unauthorized access by repeatedly guessing passwords. This is possible when the device allows passwords with insufficient entropy or short lengths, or has no mechanism to increase the time it takes to guess passwords, such as password lockouts or cooldowns between guesses.
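The cooldown between guesses named above, sketched in C as an added example; it is not part of the original entry or of any vendor's firmware. The policy constants and the names auth_throttle, throttle_delay, throttle_wait, throttle_record and throttle_exhaust_seconds are assumptions chosen for illustration.

```c
#include <stdint.h>

/* Constructed policy values for illustration; tune per device. */
#define FREE_ATTEMPTS 3u    /* failures allowed before any delay */
#define BASE_DELAY_S  2u    /* first cooldown; doubles per further failure */
#define MAX_DELAY_S   900u  /* cap, so the real user is never locked out for good */

/* Per-account state. Assumption: stored in non-volatile memory, otherwise a
 * power cycle resets the counter and defeats the cooldown. */
typedef struct {
    uint32_t failures;    /* consecutive failed attempts */
    uint64_t not_before;  /* monotonic seconds; earlier attempts are refused */
} auth_throttle;

/* Cooldown imposed after the n-th consecutive failure. */
uint32_t throttle_delay(uint32_t failures)
{
    if (failures <= FREE_ATTEMPTS) return 0;
    uint32_t shift = failures - FREE_ATTEMPTS - 1;
    if (shift >= 16) return MAX_DELAY_S;   /* keep the shift from overflowing */
    uint32_t d = BASE_DELAY_S << shift;
    return d > MAX_DELAY_S ? MAX_DELAY_S : d;
}

/* Seconds the caller must still wait; 0 means the attempt may be checked. */
uint32_t throttle_wait(const auth_throttle *t, uint64_t now)
{
    return now >= t->not_before ? 0 : (uint32_t)(t->not_before - now);
}

/* Record the outcome of an attempt that was actually checked. */
void throttle_record(auth_throttle *t, int success, uint64_t now)
{
    if (success) { t->failures = 0; t->not_before = 0; return; }
    if (t->failures < UINT32_MAX) t->failures++;
    t->not_before = now + throttle_delay(t->failures);
}

/* Minimum seconds needed to make `guesses` failed attempts under this policy:
 * the sum of the cooldowns that follow failures 1 .. guesses-1. */
uint64_t throttle_exhaust_seconds(uint64_t guesses)
{
    uint64_t total = 0, n = 1;
    for (; n < guesses && throttle_delay((uint32_t)n) < MAX_DELAY_S; n++)
        total += throttle_delay((uint32_t)n);
    return total + (guesses > n ? (guesses - n) * (uint64_t)MAX_DELAY_S : 0);
}
```

With these constants, exhausting a 10,000-value keyspace (a four-digit PIN) takes at least 8,989,322 seconds, roughly 104 days, which shows how the cooldown and the size of the password space together set the cost of guessing.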
Threat Maturity and Evidence
Observed Adversary Behavior
APT Cyber Tools Targeting ICS/SCADA Devices
“Brute-force Schneider Electric PLC passwords using CODESYS and other available device protocols via UDP port 1740 against defaults or a dictionary word list (Note: this capability may work against other CODESYS-based devices depending on individual design and function, and this report will be updated as more information becomes available);”
CWE
CWE-334: Small Space of Random Values
“The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.”
CWE-307: Improper Restriction of Excessive Authentication Attempts
“The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.”