Abstract — This article aims to assist defenders in identifying, verifying, and mitigating brute-forcing activities conducted by cybercriminals.
The primary targets of these attacks include commercial VPN providers such as Citrix, Fortinet, Pulse Secure, Palo Alto, and Cisco, as well as services like Microsoft Outlook Web App and RDWeb. Upon successfully bypassing authentication, cybercriminals gain initial access to accounts that lack second-step authentication, thereby posing a security risk.
This article is primarily divided into three categories, with a focus on:
- What is being offered?
- How to conduct assessments as a Red Team researcher?
- How to mitigate risks as a SOC Defender or Risk Management team, including a corrective action plan?
Recently, while browsing a Russian-language cybercrime forum, this particular advertisement caught my eye: it offered a "Multi Network Checker" that would enable threat actors to conduct "account checking" and "bruteforcing" against commercial VPN endpoints.
The advertisement on the cybercrime forum offered:
Original post
— -
Multi Network Checker — Corporate VPN Services Checker and Bruter
Work on networks, leave validation strings to the checker!
The software checks for validity:
RDWeb {/rdweb/}
Citrix VPN {/LogonPoint/ and others}
FortiNet VPN {remote/login}
Pulse Secure {/dana-na/}
Paloalto VPN {/global-protect/}
Cisco VPN { /+cscoe+/ }
OWA { /owa/ }
The software supports proxy and multithreading [up to 1000 threads].
Accepts strings like [url;login;pass].
Rates
1 Month (30 days) — $300
3 Months (90 days) — $600
Lifetime — $1500
To purchase contact PM forum, TOX, Jabber
— -
What is being offered?
Based on analysis of the post, the main offering is brute-forcing software sold on a subscription basis, priced at $300 USD for 1 month, $600 USD for 3 months, and $1500 USD for a lifetime licence. The feature list includes proxy support and multi-threading of up to 1000 threads.
The malicious brute-forcing software targets the following services and checks the validity of supplied credentials against them:
- Microsoft RDWeb {/rdweb/}
- Citrix VPN {/LogonPoint/ and others}
- FortiNet VPN {remote/login}
- Pulse Secure {/dana-na/}
- Paloalto VPN {/global-protect/}
- Cisco VPN { /+cscoe+/ }
- Microsoft Outlook Web App { /owa/ }
The software accepts input in the following fields:
- URL to the targeted endpoint
- Username
- Password
Additionally, it offers automated collection and parsing of data from Shodan using API keys.
How to conduct an assessment as a Red Team researcher?
As a red team analyst/researcher, emulating adversaries' methodologies and TTPs in your own environment helps in identifying loopholes and in staying on top of the many attacks directed at your organization.
To start the assessment activity we need to equip ourselves with all the necessary resources and tools.
To conduct this activity we shall use an open-source Python-based tool named Vortex, which helps in reconnaissance, testing and exploitation of VPN endpoints. We shall use its feature for searching various websites to identify employees, and its password-spraying or brute-forcing feature to gauge exploitability.
Additionally, open-source tools that enable conducting such attacks include:
- Microsoft RDWEB endpoint using Metasploit HTTP Scanner for RD Web login
- Microsoft OWA endpoint using Metasploit HTTP Scanner for OWA Login
To gather commonly used passwords there are multiple resources on GitHub.
How to mitigate as a SOC Defender / Risk Management team, with a corrective action plan?
Searching the documentation on the service providers' official websites, the following links were gathered:
- Microsoft RD Web brute-force prevention
- Citrix Netscaler brute-force prevention
- Fortinet Bruteforce prevention
- Pulse Secure Virtual Web app firewall
- Palo Alto Global Protect Prevention
- Cisco VPN Bruteforce protection
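Beyond the vendor-side controls linked above, a SOC can detect the activity this tool produces from its own portal logs. The following detection script is an added example, not part of the original article or any vendor's documentation: it runs over constructed access-log lines for the login paths named in the advertisement and flags two patterns from one source IP inside a sliding window, many failures against a single account (brute force) or failures spread across many accounts (password spray). The log format, thresholds, sample IPs and paths are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Login paths named in the advertisement, mapped to the product each belongs to.
PORTAL_PATHS = {"/rdweb/": "RDWeb", "/logonpoint/": "Citrix", "/remote/login": "Fortinet",
                "/dana-na/": "Pulse Secure", "/global-protect/": "Palo Alto",
                "/+cscoe+/": "Cisco", "/owa/": "OWA"}

# Assumed (constructed) access-log format: "<ISO timestamp> <src_ip> <user> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return a failed-login event for a line hitting a known portal path, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, path, status = m.groups()
    portal = next((n for p, n in PORTAL_PATHS.items() if p in path.lower()), None)
    if portal is None or status not in ("401", "403"):
        return None
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user.lower(), "portal": portal}

def detect(lines, window=timedelta(minutes=10), fail_threshold=6, spray_users=4):
    """Sliding window per source IP: failures spread over many accounts = password spray,
    many failures on few accounts = brute force. Returns one alert per (ip, kind)."""
    by_ip = defaultdict(list)
    for e in sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:  # slide past events older than window
                start += 1
            win = evs[start:end + 1]
            users = {w["user"] for w in win}
            kind = ("password_spray" if len(users) >= spray_users
                    else "brute_force" if len(win) >= fail_threshold else None)
            if kind:  # overwrite with the latest qualifying window for this ip/kind
                alerts[(ip, kind)] = {"ip": ip, "kind": kind, "portal": e["portal"],
                                      "failures": len(win), "users": len(users)}
    return list(alerts.values())

# Constructed sample: a spray against a Pulse Secure portal, a single-account brute force
# against GlobalProtect, and one isolated OWA failure that must not raise an alert.
SAMPLE_LOG = (
    [f"2024-05-01T09:0{i}:00 203.0.113.5 user{i} /dana-na/auth/login 401" for i in range(4)]
    + [f"2024-05-01T10:00:{i:02d} 198.51.100.7 bob /global-protect/login.esp 403" for i in range(6)]
    + ["2024-05-01T11:00:00 192.0.2.9 carol /owa/auth.owa 401"])
```

Tune `window`, `fail_threshold` and `spray_users` to your own baseline; a spray through a proxy pool (which the advertised tool supports) will spread across source IPs, so the same check keyed on the target account or on an ASN is a useful complement.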
I hope this article helps red teams and defenders equally in validating and keeping their organizations safe in a proactive manner. The cybercrime landscape is ever evolving, and Cyber Threat Intelligence helps in gaining the vital insights needed to remain ahead of the curve and avoid being breached.
Until next time.