There are ongoing attacks against various VPN systems in which attackers use dictionary-based brute force attempts to log in to the VPN.
There have been numerous reports of threat actors attempting to breach VPN solutions using dictionary-based brute force attacks. These attackers systematically try different combinations of usernames and passwords to gain unauthorized access to networks through the VPN. It is crucial to recognize that a successful unauthorized entry can result in further intrusions or attacks, such as data leaks and ransomware, so any unauthorized access should be treated as a significant threat.
When you use our SurePassID Authentication Server (SPAS) and SAML/RADIUS/LDAP products together with your VPN solution to provide a second-factor authentication (SFA) method, you can detect these brute force attacks by examining the audit trail in the SPAS portal. Because the VPN system validates the presented credentials by looking up the user, the audit trail will show multiple lookup attempts for users that likely don't exist. You may also notice valid accounts being locked out in your main directory (such as Active Directory) or in SPAS because of failed One Time Password (OTP) validations; these failures occur when the threat actor cannot supply the correct SFA OTP value for an account.
Because the request reaches SPAS through another component acting on the VPN system's behalf, the SPAS audit trail will show the VPN system as the origin of the request. The VPN system itself may be able to report on VPN access requests in more detail, including the IP addresses of the threat actors, and that IP information can then be used to block further unauthorized access attempts.
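As an added illustration (not SurePassID code, and not the real SPAS audit format, whose field names are assumed here), the following Python scans constructed audit lines for the two signals described above: a burst of lookups for nonexistent users from one source within a short window, and repeated OTP validation failures against one account.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical key=value format (SPAS field names assumed).
SAMPLE_AUDIT = """\
2024-05-01T10:00:01Z source=vpn-gateway event=user_lookup user=qwerty result=not_found
2024-05-01T10:00:05Z source=vpn-gateway event=user_lookup user=admin result=not_found
2024-05-01T10:00:09Z source=vpn-gateway event=user_lookup user=test result=not_found
2024-05-01T10:00:13Z source=vpn-gateway event=otp_validate user=alice result=failed
2024-05-01T10:00:20Z source=vpn-gateway event=user_lookup user=root result=not_found
2024-05-01T10:00:25Z source=vpn-gateway event=otp_validate user=alice result=failed
2024-05-01T10:00:31Z source=vpn-gateway event=user_lookup user=guest result=not_found
2024-05-01T10:00:40Z source=vpn-gateway event=otp_validate user=alice result=failed
2024-05-01T10:30:00Z source=helpdesk event=user_lookup user=typo result=not_found
"""

LOOKUP_THRESHOLD = 5      # unknown-user lookups from one source within WINDOW
OTP_FAIL_THRESHOLD = 3    # failed OTP validations for one account
WINDOW = timedelta(minutes=10)

def parse_record(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def detect_brute_force(lines, window=WINDOW):
    """Return alerts as (kind, subject, count) tuples, in detection order."""
    records = sorted((parse_record(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    alerts, flagged = [], set()
    not_found = defaultdict(list)   # source -> timestamps of unknown-user lookups
    otp_failed = Counter()          # user -> failed OTP validations so far
    for r in records:
        if r.get("event") == "user_lookup" and r.get("result") == "not_found":
            seen = not_found[r["source"]]
            seen.append(r["ts"])
            while r["ts"] - seen[0] > window:   # drop lookups outside the sliding window
                seen.pop(0)
            if len(seen) >= LOOKUP_THRESHOLD and ("src", r["source"]) not in flagged:
                flagged.add(("src", r["source"]))
                alerts.append(("unknown_user_burst", r["source"], len(seen)))
        elif r.get("event") == "otp_validate" and r.get("result") == "failed":
            otp_failed[r["user"]] += 1
            if otp_failed[r["user"]] >= OTP_FAIL_THRESHOLD and ("user", r["user"]) not in flagged:
                flagged.add(("user", r["user"]))
                alerts.append(("otp_failure_lockout_risk", r["user"], otp_failed[r["user"]]))
    return alerts
```

The single unknown-user lookup from the helpdesk source stays below the threshold, so only the VPN gateway burst and the repeated OTP failures for one account produce alerts.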
If you detect any of these attempts, decide how you want to prevent access to the VPN system. Options include GeoIP blocking, which denies entire IP blocks belonging to specific countries, or a basic blocklist to which you add suspicious IPs so they are denied access to the VPN terminus.
For customers who use a Security Information and Event Management (SIEM) system to collect and analyze logs from various systems, our SIEM component can also capture the SPAS audit trail information. This integration allows attacks to be identified quickly. We highly recommend this approach for most customers, as the SPAS audit trail contains valuable details.