VPNs may become victim to password spraying attacks, Cisco alerts
Stop using weak passwords for your VPN
3 min. read
Published on
Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more
Cisco’s cybersecurity researchers warned about a surge in password spraying attacks targeting Virtual Private Network (RAVPN) services, including its in-house products and some third-party ones. Hackers use this technique to gain unauthorized access to many accounts or systems.
How does a password spraying attack work?
These types of attacks are considered low-risk and high-profit and, therefore, attract considerable attention. As password spraying can remove account lockout mechanisms, cyber criminals usually use it to access networks and steal personal information.
When attackers perform password spraying attacks, they make numerous login attempts with a small number of commonly used passwords across several accounts.
It helps the hackers avoid detection by evading multiple failed login attempts on a single account, which could trigger security alerts.
If the targeted device has security measures like account lockout policies that lock user accounts after several failed login attempts, these attacks can lock your accounts.
As the hackers make fewer attempts per account, it is more challenging for security systems to identify and block the attack.
When multiple accounts are locked out due to this technique, it can overwhelm system resources, disrupting legitimate users’ access to their devices.
This can result in denial-of-service (DoS)- like conditions, wherein the system becomes inaccessible because of request overload.
These attacks also serve as a reconnaissance effort for attackers, as they will identify which accounts have weak passwords or are more susceptible to this type of attack, gain insights into the security system, and exploit it in some other way.
These attacks are not directly a threat but can serve as a precursor to more sophisticated cyberattacks. It is usually used against services or systems that don’t have strong password policies or 2FA in place, making them vulnerable.
How do they affect VPN services?
VPNs provide remote access to internal networks, making them a lucrative target for attackers seeking unauthorized entry into corporate networks.
The attacks can be used for further exploitation upon successful compromise of VPN accounts. The reason for these aggravated attacks is the prevalence of reused or weak passwords in VPN services.
The cybersecurity analysts at Cisco have issued several recommendations to eliminate the risk of password spraying attacks targeting VPN services:
- Make sure comprehensive logging is enabled so that suspicious activities can be detected and investigated.
- Use robust security measures to secure default remote access VPN profiles from exploitation.
- Implement TCP shunning mechanisms to obstruct malicious IP addresses in password spraying attacks.
- Employ Access Control Lists (ACLs) to control traffic and block unauthorized access to VPN services.
- Implement certificate-based authentication to improve authentication security for Remote Access VPN services.
In addition to these, Cisoc also mentioned numerous Indicators of Compromise (IoCs):
- Unable to establish VPN connections with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled
Users attempting VPN connections with Cisco Secure Client encounter an error about Cisco Secure Desktop not being installed and this prevents the successful connections. This symptom seems a side effect of the DoS-like attacks but further investigation still continues.
- Unusual Amount of Authentication Requests
The Cisco ASA or FTD VPN headends exhibit the symptoms of password spraying, with millions of rejected authentication attempts visible in the “syslogs.”
Cybersecurity researchers are investigating these attacks, but all organizations must be active in strengthening their VPN infrastructures against evolving threats.
They must adopt security practices and stay vigilant for signs of compromise so that they can eliminate the risk posed by these attacks.
What are your thoughts on the matter? Share your opinions with our readers in the comments section below.
User forum
0 messages