Product and Support News

Global SSL VPN Brute-Force Activity and AuthPoint Service Disruptions

WatchGuard has detected global SSL VPN brute-force activity causing an excessive volume of unknown-user authentication attempts against the AuthPoint authentication service. The service disruptions during October 2024 resulted in service degradation, and some customers and partners experienced failed, timed-out, or intermittent authentication sessions. The brute-force activity is not directly targeting AuthPoint and has not resulted in a breach of WatchGuard services.

The threat actor(s) appear to be using random or common usernames and passwords, which suggests that this is not a targeted campaign but rather the lowest form of credential harvesting. These techniques seek to exploit customers who use common or default usernames and passwords in order to gain entry.

All the unknown-user/unauthorized authentication attempts pass through on-premises systems such as RADIUS, SSL VPN and firewalls to the AuthPoint authentication services across all regions (Americas, EMEA and APAC). Additionally, we are observing an increase in unknown-user traffic from WatchGuard Fireboxes with direct integrations to AuthPoint services.

WatchGuard observed global SSL VPN credential and authentication brute-force activity earlier in the year as well; however, the volume on October 20-22, 2024 increased significantly in scale. We previously released a Knowledge Base Article with information and best practices for dealing with brute-force disruptions, and it has been updated based on the latest activity.

Are there actions that partners and customers should implement to reduce service disruptions? 
As mentioned above, the Knowledge Base Article provides best practices that Firebox administrators can implement to mitigate the unknown-user and unauthorized authentication attempts originating from Fireboxes, including enabling Botnet Detection with our latest update. If your third-party systems support throttling of authentication traffic or automatic blocking of IP addresses after multiple failed authentication attempts, we recommend that you enable it.

What are we doing to address the service disruption to AuthPoint? 
WatchGuard has scaled up additional instances and continues to monitor AuthPoint infrastructure services to mitigate service disruption. Specifically, on-call teams are continuously monitoring production services across all regions and improving our self-healing and recovery tooling, and we have enabled RADIUS-based authentication throttling across all regions.

WatchGuard has also released an updated threat intelligence package for the Firebox Botnet Detection service, which has begun to block known source IP addresses. If you manage a Firebox and have the SSL VPN portal exposed to the Internet, we strongly recommend that you enable Botnet Detection and obtain the updated package.

What are we doing in support to address the service disruptions? 
WatchGuard Support has also been diligently responding to customer cases as case volume has spiked over the past 48-72 hours. Support personnel are actively assisting customers and partners who are experiencing an excessive volume of unknown-user and authentication requests from one or more of their on-premises services.

Customers with Fireboxes and/or third-party systems should enable Botnet Detection, disable external access to the SSL VPN portal, enable geolocation restrictions, and set connection rate limits as outlined in this Knowledge Base Article, which will be updated as more guidance becomes available.
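The throttling and automatic-blocking behaviour recommended above (for Fireboxes and for third-party systems that support it) can be illustrated with a small replay of authentication events. The following is an added example, not WatchGuard's code and not a Firebox or AuthPoint feature: the log layout, the source addresses, and the thresholds (5 failures within 60 seconds, 15-minute block) are all constructed assumptions. It counts failed attempts per source address in a sliding window, drops further attempts from a source once it crosses the threshold so they never reach the authentication backend, and tracks how many distinct usernames each source has tried, which is the spray pattern described in this advisory.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a hypothetical syslog-like layout (assumption:
# this is not real Firebox, RADIUS or AuthPoint output). Each line is one
# authentication attempt seen at the on-premises gateway: timestamp, source IP,
# username and outcome. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-10-21T08:00:01Z src=203.0.113.10 user=admin result=unknown_user
2024-10-21T08:00:02Z src=192.0.2.5 user=alice result=success
2024-10-21T08:00:03Z src=203.0.113.10 user=test result=unknown_user
2024-10-21T08:00:05Z src=203.0.113.10 user=guest result=unknown_user
2024-10-21T08:00:06Z src=198.51.100.7 user=bob result=bad_password
2024-10-21T08:00:08Z src=203.0.113.10 user=user result=unknown_user
2024-10-21T08:00:09Z src=198.51.100.7 user=bob result=success
2024-10-21T08:00:11Z src=203.0.113.10 user=vpn result=unknown_user
2024-10-21T08:00:12Z src=203.0.113.10 user=root result=unknown_user
2024-10-21T08:00:13Z src=203.0.113.10 user=admin result=unknown_user
2024-10-21T08:16:00Z src=203.0.113.10 user=support result=unknown_user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Outcomes that count as a failed attempt (assumed names for the constructed format).
FAILURE_RESULTS = {"unknown_user", "bad_password"}


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, user, result)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"]


class FailedAuthLimiter:
    """Per-source sliding-window failure counter with a temporary block.

    Once a source accumulates `max_failures` failures inside `window`, further
    attempts from it are dropped for `block_for` instead of being forwarded to
    the authentication backend. A successful login clears the source's counter.
    Thresholds are assumed values for the example, not vendor defaults.
    """

    def __init__(self, max_failures=5, window=timedelta(seconds=60),
                 block_for=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.blocked_until = {}              # src -> datetime the block expires
        self.users_seen = defaultdict(set)   # src -> distinct usernames attempted
        self.block_events = {}               # src -> timestamp of its first block

    def observe(self, ts, src, user, result):
        """Return 'dropped' if src is currently blocked, else 'forwarded'."""
        self.users_seen[src].add(user)
        until = self.blocked_until.get(src)
        if until is not None and ts < until:
            return "dropped"
        if result not in FAILURE_RESULTS:
            self.failures[src].clear()       # a success resets the window
            return "forwarded"
        recent = self.failures[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # expire failures outside the window
        if len(recent) >= self.max_failures:
            self.blocked_until[src] = ts + self.block_for
            self.block_events.setdefault(src, ts)
            recent.clear()
        return "forwarded"


def run(log_text, limiter=None):
    """Replay constructed log lines through the limiter and summarize decisions."""
    limiter = limiter or FailedAuthLimiter()
    counts = {"forwarded": 0, "dropped": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        counts[limiter.observe(*parse_line(line))] += 1
    return {
        "forwarded": counts["forwarded"],
        "dropped": counts["dropped"],
        "blocked": {src: ts.strftime("%Y-%m-%dT%H:%M:%SZ")
                    for src, ts in limiter.block_events.items()},
        "distinct_users": {src: len(u) for src, u in limiter.users_seen.items()},
    }


if __name__ == "__main__":
    for key, value in run(SAMPLE_LOG).items():
        print(key, value)
```

In the replay, the source cycling through usernames is blocked at its fifth failure, its next two attempts are dropped before reaching the backend, and it is admitted again only after the block expires; the user who mistyped a password once and then succeeded is never blocked. The per-source count of distinct usernames is the signal worth alerting on separately from the lockout, since a single address trying many generic account names is exactly the low-effort harvesting this advisory describes.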

When was this brute-force activity first discovered? 
Throughout 2024, the industry has seen various SSL VPN brute-force security advisories issued, starting in February and again in April. However, this specific service disruption began temporarily on Sunday, October 20th, and then resumed on Monday, October 21st.

What’s Next? 
WatchGuard continues to monitor the brute-force activity and its impact on our services, and we will continue to update our Status page with new relevant information.

Filed under: Authentication