INCREASED ATTACKS ON REMOTE VPN CONNECTIONS

We want to make you aware of an ongoing attack campaign against remote VPN connections on firewalls.

Details can be found on the Cisco Talos threat intelligence website at https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/.

Our SIEM log aggregation has recorded more than 2x the normal failed VPN login attempts in the past few days and can confirm this is an active attack campaign. The AME Group’s Security Team is actively monitoring our Managed Security Services clients for Indicators of Compromise to provide early warning and response to contain any potential compromise.

Managed Internet Security Service (MISS) and Managed Security Service (MSS) are two services provided by The AME Group that address all recommendations to protect against this type of cyber-attack. You may be at increased risk if you are not subscribed to these services. Please contact your AME representative for more information regarding actions that can be taken now to safeguard your environment.

Potential risks include unauthorized access to network resources, account compromise, privilege escalation of valid user accounts, data harvesting, service interruption, data exfiltration, malware, and of course ransomware.

These recommendations can protect against VPN attacks:

Enforce multi-factor authentication (MFA) on all remote VPN connections.

Ensure firewall events are logged and monitored to detect attacker activity.

Block remote VPN connections from countries other than the US or known locations of users.

Enforce user account lockout after two failed attempts within 1 minute.
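One way to put the logging-and-monitoring and lockout recommendations above into practice, as an added example that is not The AME Group's or any firewall vendor's code: it parses constructed VPN authentication log lines (the line format is assumed; real firewalls log differently, so adapt LINE_RE), flags accounts that reach two failures within one minute, flags source addresses failing across several accounts, and compares the failure count to a baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not from any real device or client).
SAMPLE_LOG = """\
2024-04-16T08:00:01 user=alice src=203.0.113.10 result=FAILED
2024-04-16T08:00:20 user=alice src=203.0.113.10 result=FAILED
2024-04-16T08:00:45 user=bob src=203.0.113.10 result=FAILED
2024-04-16T08:03:00 user=carol src=198.51.100.7 result=FAILED
2024-04-16T08:05:30 user=carol src=198.51.100.7 result=SUCCESS
2024-04-16T08:09:00 user=carol src=198.51.100.7 result=FAILED
"""

# Assumed log format; replace with a pattern matching your firewall's syslog output.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Return (timestamp, user, source, result) tuples for every line that matches LINE_RE."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [(datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]) for m in matches if m]

def lockout_candidates(events, max_failures=2, window=timedelta(minutes=1)):
    """Users whose failed logins reach max_failures inside one sliding window
    (the 'two failed attempts within 1 minute' lockout rule)."""
    failures = defaultdict(list)   # user -> failure timestamps still inside the window
    flagged = set()
    for ts, user, _src, result in sorted(events):
        if result != "FAILED":
            continue
        recent = [t for t in failures[user] if ts - t < window]
        recent.append(ts)
        failures[user] = recent
        if len(recent) >= max_failures:
            flagged.add(user)
    return flagged

def noisy_sources(events, min_failures=3):
    """Source addresses with repeated failures across accounts: a password-spraying pattern."""
    counts = defaultdict(int)
    for _ts, _user, src, result in events:
        if result == "FAILED":
            counts[src] += 1
    return {src for src, n in counts.items() if n >= min_failures}

def failure_ratio(events, baseline_failures):
    """Observed failed logins relative to a known-good baseline; the notice above alerted at 2x."""
    failed = sum(1 for e in events if e[3] == "FAILED")
    return failed / baseline_failures
```

Run the three functions over the parsed log and alert when `failure_ratio` exceeds 2 or either set is non-empty.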

VPN and Firewall services affected by these attacks include:

  1. Cisco Secure Firewall VPN
  2. Checkpoint VPN
  3. Fortinet VPN
  4. SonicWall VPN
  5. RD Web Services
  6. MikroTik
  7. DrayTek
  8. Ubiquiti