Arctic Wolf has recently observed an uptick in detected password spraying for multiple Firewall and VPN appliances. This activity began on February 28, 2024. A variety of products are affected by this activity, including but not limited to devices from vendors such as Cisco, Palo Alto Networks, and WatchGuard. Further investigation revealed that authentication against web-based applications in general was being targeted as opposed to a selection of firewall vendors.
Public coverage of this campaign has been limited so far, but WatchGuard has published details about activity similar to what Arctic Wolf observed, along with several examples of relevant logs. The observed password spraying activity was characterized by numerous attempts to authenticate using random (and often non-existent) usernames such as “test”. Arctic Wolf has not yet observed successful intrusions associated with this activity.
Due to the dynamic nature of this campaign, blocking individual IP ranges is not likely to provide long-term protection. Arctic Wolf strongly recommends reviewing the recommendations provided here for more resilient approaches than blocking IP ranges piecemeal.
Recommendations
Use Multi-Factor Authentication (MFA)
Arctic Wolf strongly recommends using multi-factor authentication (MFA) a part of a defensive strategy to secure systems that allow for authentication over the public internet, such as VPNs and other web-based applications.
To configure MFA in your environment, Please review the vendor-provided documentation for your VPN appliance, firewall, or other web-based application.
Block Authentication Attempts from Hosting-Based Traffic
Threat actors often obtain access to virtual private server (VPS) hosting to perform malicious activities such as command and control (C2) hosting, mass vulnerability scanning, as well as the password spraying activities observed in the current campaign.
If your organization does not require authentication from hosting providers on your VPN appliances, firewalls, or other web-based applications, then consider using a service to classify and block login attempts from such locations altogether.
This type of coverage reduces the likelihood of intrusion in this or other future campaigns of a similar nature.
Set Automated Blocking on Authentication Attempts To Hinder Password Spraying Activities
To stop credential-based attacks as early as possible, Arctic Wolf strongly recommends setting connection blocking for mass authentication attempts against your firewalls, VPNs, or other public web-based applications. The terminology used to describe this functionality will vary depending on the vendor of the device or application being configured.
As an example, Cisco IOS provides “login block” functionality, which supports adding a delay between login attempts after a certain number of failed logins and ultimately blocking login attempts altogether in large-scale automated campaigns: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-sy/sec-usr-cfg-15-sy-book/sec-login-enhance.html
Configure Syslog to Forward Your Organization’s VPN and Firewall Logs to Arctic Wolf
If you are not already monitoring your Firewalls and VPN appliances with Arctic Wolf Managed Detection and Response, please review our documentation page with vendor-specific instructions.
Implement Geolocation-based Blocking
Geolocation allows for you to block VPN connections from specific, untrusted countries. This can significantly reduce the risk of scans and attacks from unauthorized locations.
Please note, however, that this approach is not exhaustive, since threat actors are still able to obtain access to hosting locations that operate out of countries that are not blocked.
References
See other important security bulletins from Arctic Wolf.
