I assume this was possible because of the vulnerability which was disclosed in August. I patched the system quickly, but still somebody was faster. MFA and password changes are put in place, but I just wanted to share the info. Don’t forget to do MFA!
Your users creds could have also been exposed through a breach. It might have nothing to do with the patched VPN issues.
I mean, how many users?
The assumption is:
someone either stole your VPN user list and knows the usernames to brute force
Someone hacked the systems of said employees and gathered their login usernames individually
Someone guessed the usernames based on standard syntax, John Doe = jdoe and cross referenced a user employee list with freely publicly available information
Im not saying it’s isn’t related to the vulnerability, because I don’t know which vulnerability your referring to but when you hear hoof steps, it’s probably a horse, and not a zebra.
I would find it much more probable that, as always, end users are dumb and can’t do their password right the first time.
Now, if you saw originated IP source addresses from a weird country, that’s a different detail to take into consideration.
If I don’t have the VPN enabled, I don’t have to worry about this, right?
Do you use radius with DUO for SSLVPN? If it’s just bare bones SSLVPN+ RDP with regular user accounts. Be aware.
This happened to us a few months ago, if you’re using the default port for the VPN, I’d recommend changing it to something different. Attackers are brute forcing combo lists with known IP’s and the default port of 4433. Thankfully we have DUO enabled but it was annoying because a ton of users were getting locked out. It stopped after changing the port.
There are some very specific usernames in the firewall which do not exists together in other systems.
I am talking about this one: https://www.sonicwall.com/support/knowledge-base/product-notice-improper-access-control-vulnerability-in-sonicos/240822062732757
SonicWall strongly advises that customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts immediately update their passwords to enhance security and prevent unauthorized access.
This recommendation makes me believe that it was possible to extract the user details and passwords.
I would find it much more probable that, as always, end users are dumb and can’t do their password right the first time.
Using a password manager here.
Now, if you saw originated IP source addresses from a weird country, that’s a different detail to take into consideration.
Some virtual machine from the Netherlands, but the all logins were tried from the same IP.
Sounds exactly like the vulnerability that was patched to me. Attackers could use the vuln to get user creds (usernames and passwords) from any unpatched systems.
As you say, change all passwords and configure MFA and you should be fine!
You were compromised a different way.
Yup, that IP address, VM, single IP is a red flag 100%.
You could always verify the IP here for known malicious activity:
You could even report the IP to appropriate persons if you want to take it that far.
I’ve def contacted data centers to report malicious activity coming from them as a source.
You mean different vuln on the firewall, or different system?
If you legit had impossible to guess names tried like [email protected] that list was gathered somewhere either public or a breach. LinkedIn for public example.