Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Brute-Force Attacks. Show all posts

Fortinet VPN Logging Flaw Exposes Vulnerability to Undetected Credential Verification

 

A flaw in the logging mechanism of Fortinet VPN servers could allow attackers to hide successful credential verifications during brute-force attacks, potentially leaving defenders unaware of compromised logins.

While brute-force activity remains visible, a new technique limits logs to failed attempts, creating a false sense of security for system administrators.

FortiClient VPN logs login attempts through two steps: authentication and authorization. Researchers from Pentera, a cybersecurity company specializing in automated security validation, found that successful logins are recorded only if both steps are completed. Otherwise, the VPN logs the event as a failed authentication.

“[…] the failed ones are logged in the authentication phase but the successful ones are logged in the authorization phase, so yes, a full login with either a script or a VPN client would create a log,” explained Pentera researcher Peter Viernik to BleepingComputer.

The researchers devised a method to halt the process after the authentication phase, validating credentials without generating a log of the successful attempt. Using the Burp application security tool, they observed that the server response indicates valid credentials through specific values (“ret=1” for valid and “ret=0” for failed), while subsequent steps establish VPN sessions.

Stopping the process before authorization prevents successful logins from being recorded. Pentera notes this gap creates a security risk:

"The inability to log successful authentication attempts at the authentication phase presents a significant security risk. Attackers could potentially exploit this vulnerability to conduct brute-force attacks without detection of their successful attempts."

While admins might detect ongoing brute-force attempts, they would not know if any credentials were successfully verified. This could lead to attackers selling valid credentials or using them for future breaches when vigilance has waned.

Despite this issue, attackers must still bypass authorization, which includes API calls verifying device security compliance and user access levels. Though this complicates exploitation, Pentera warns that well-resourced adversaries could still succeed.

Pentera disclosed their findings to Fortinet, which reportedly did not consider the issue a vulnerability. It remains unclear if Fortinet plans to address the problem, though Pentera suggests the fix would not be complex.

As part of their disclosure, Pentera released a script demonstrating the flaw’s exploitation. BleepingComputer reached out to Fortinet for comment but did not receive a response by the time of publication.

Windows 11: Account Lockout Policy Set Against Brute Force Attacks

Brute force exploits are injected into ransomware and other sorts of unauthorized access since they typically rely on automated methods to test a massive amount of passwords for one or more user accounts. 

Beginning with Insider Preview version 22528.1000, Windows 11 automatically mitigates such exploits by capping the number of unsuccessful sign-in attempts at 10, for a period of 10 minutes.

"In order to reduce RDP and other brute force password vectors, DEFAULT account lockout policy is now enabled in Win11 builds. The command will make brute forcing more tricky, which is decent. This technique is frequently used in Human Operated Ransomware and other attacks," stated David Weston, vice president of OS and enterprise security at Microsoft.

Setting Lockout Policy

By establishing a threshold of between 1 and 999 failed sign-in attempts that would cause a user account to be locked, IT security professionals already had the option of preventing brute force attacks using the account lockout policy.

The Account lockout threshold policy enables configuring the maximum number of unsuccessful sign-in attempts before a user account is locked. Once locked, an account cannot be used again until the administrator unlocks it or until the time period provided by the Account lockout duration policy setting has passed. 

It suggested restricting the account lockout time to no more than 15 minutes and setting the account lockout threshold to a high enough number to cater to users mistakenly mistyping their passwords.

However, the reset account lockout countdown will eventually run out, giving the user three more opportunities if they wait and try to log in again the following day, effectively making it appear as though there have been no failed logins.

The effectiveness of brute force attacks is considerably reduced by restricting the amount of password entry tries, but Microsoft warns that threat actors could abuse this security feature to perform denial-of-service (DoS) attacks by locking multiple user accounts in an enterprise.


Microsoft Adds Default Account Lockout Policy in Windows 11 to Block RDP Brute-Force Attacks

 

In the latest Windows 11 builds, Microsoft introduced default Account Lockout Policy which will automatically lock user accounts after 10 consecutive failed login attempts for 10 minutes. 

The account brute forcing process involves inputting a massive number of passwords consecutively using automated tools. The new policy blocks such attacks and can be found in Windows 11 Insider Preview Build 22528.1000 and newer. 

"Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors," David Weston, Microsoft's VP for Enterprise and OS Security, stated. "This technique is commonly used in Human Operated Ransomware and other attacks - this control will make brute forcing much harder which is awesome!" 

Brute forcing credentials is a common methodology employed by hackers to infiltrate Windows systems via Remote Desktop Protocol (RDP) when they don't know the account passwords. The use of Remote Desktop Services is so popular among hackers that the FBI said RDP is responsible for nearly 70-80% of all network breaches leading to ransomware assaults. 

The tech giant is gradually blocking all entry vectors employed by ransomware attackers to infiltrate Windows networks and systems. Earlier this year, Microsoft made some security-focused changes including auto-blocking Office macros in downloaded documents and enabling multi-factor authentication (MFA) in Azure AD. The change was temporarily rolled back earlier this month, but it’s back now. 

“We’re resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share,” Kellie Eickmeyer, Principal Program Manager at Microsoft, announced on Wednesday. 

Windows 10 systems also come with an Account Lockout Policy but are not enabled by default, allowing hackers to brute force their way into Windows systems with exploited Remote Desktop Protocol (RDP) services. Admins can enable this policy on Windows 10 in the Group Policy Management Console from Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy. 

This is a major step taken to enhance security since many RDP servers, particularly those used to assist teleworkers access corporate assets, are directly exposed to the Internet, exposing the businesses' network to attacks when poorly configured.

Beware of Ongoing Brute-Force Attacks Against NAS Devices, QNAP Warns

 

Taiwanese firm, QNAP has warned its clients of ongoing attacks targeting QNAP NAS (network-attached storage) devices and urged to strengthen their devices’ security by changing their passwords and default access port number, and disabling the admin account.

The company warned its customers by stating, “recently QNAP has received multiple user reports of hackers attempting to log into QNAP devices using brute-force attacks – where hackers would try every possible password combination of a QNAP device user account. If a simple, weak, or predictable password is used (such as ‘password’ or ‘12345’) hackers can easily gain access to the device, breaching security, privacy, and confidentiality. ”

If threat actor manages to guess the right password then they are able to secure full access of the targeted device, allowing them to exfiltrate confidential documents or install malware. If the hackers are unable to brute-force their way in, the NAS devices’ system logs will mark the attempts and log them with ‘Failed to login’ warning texts.

To protect their devices from ongoing attacks, customers have to enhance NAS security by changing the default access port number, implementing password rotation policies, and disabling the default admin account. Additionally, since the attack is only viable on Internet-facing NAS devices, QNAP recommends customers don’t display their devices on public networks.

Firstly, customers have to create a new system administrator account before disabling the admin account. If the administrator account on QNAP NAS devices is running on QTS 4.1.2 then the following steps will disable the default admin account:

• Go to Control Panel > Users and edit the ‘admin’ account profile.
 
• Tick the ‘Disable this account’ option and select ‘OK’.

Additionally, customers can also configure the NAS device to automatically block IP addresses behind several numbers of troubled login attempts. QNAP has also published a checklist to secure their customers’ device and protect their data:

• Remove unknown or suspicious accounts from the device 

• Download QNAP MalwareRemover application through the App Center functionality 

• Change all passwords for all accounts on the device
 
• Set an access control list for the device (Control Panel > Security > Security level)