Full Report
Travelers found that ransomware groups are focusing on targeting weak credentials on VPN and gateway accounts for initial access, marking a shift from 2023
Analysis Summary
# Tool/Technique: Brute-Forcing Weak Credentials on VPNs and Gateways
## Overview
This describes a strategic shift by ransomware groups and Initial Access Brokers (IABs) away from highly visible zero-day exploitation towards "reliable and repeatable" initial access: guessing weak or default credentials on VPN and gateway accounts, particularly accounts not protected by MFA, through password guessing, password spraying or credential stuffing against the login portal.
## Technical Details
- Type: Technique/Procedure
- Platform: Internet-facing VPN concentrators and remote-access gateways (the Windows and Linux infrastructure behind them is what becomes reachable once a gateway account is compromised).
- Capabilities: Gaining initial access by automatically trying common usernames and password combinations against the gateway's login portal.
- First Seen: Activity noted taking hold in the second half of 2023 and spreading widely throughout 2024.
## MITRE ATT&CK Mapping
- [T1110 - Brute Force]
- [T1110.001 - Password Guessing]
- [T1110.003 - Password Spraying] (one common password tried across many accounts)
- [T1110.004 - Credential Stuffing] (leaked username/password pairs replayed against the portal)
- [T1133 - External Remote Services] (the VPN or gateway itself is the entry point)
- [T1078 - Valid Accounts]
- [T1078.002 - Domain Accounts] (If the gateway authenticates against the corporate directory)
- [T1078.003 - Local Accounts] (If targeting local accounts on the gateway)
- [T1078.004 - Cloud Accounts] (If targeting cloud-managed gateways/VPNs)
## Functionality
### Core Capabilities
- Proactively hunting for targets.
- Deploying tools that probe for default or common usernames (e.g., "admin", "test").
- Attempting known common passwords and leaked credential pairs against gateway/VPN login interfaces.
### Advanced Features
- Exploits the *absence* of a security control (specifically Multi-Factor Authentication, MFA) rather than a software flaw, so it works against fully patched gateways.
- Leverages leaked IAB training material emphasizing reliable access methods over zero-day discovery.
## Indicators of Compromise
- File Hashes: [N/A - the report describes scanning and brute-forcing tooling in general terms; no specific samples are provided]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: [Increased volume of failed login attempts against external-facing services such as SSL VPN portals and RDP gateways]
- Behavioral Indicators: High rate of failed logins from a single IP or a small cluster of IPs against administrative or remote-access portals. Password spraying inverts this pattern (one or two attempts per account, many accounts, often spread across many source IPs), so per-source thresholds alone will miss it; a first successful login following a run of failures from the same source is the higher-fidelity signal.
## Associated Threat Actors
- Ransomware Groups (General trend)
- Initial Access Brokers (IABs)
## Detection Methods
- Signature-based detection: [N/A - Primarily behavioral detection required]
- Behavioral detection: Monitoring failed authentication attempts across perimeter services (VPN concentrators, remote access platforms), aggregated both per source IP over short windows (brute force) and per distinct target account over long windows (spraying), and alerting on a success that follows a burst of failures from the same source.
- YARA rules if available: [N/A]
## Mitigation Strategies
- Prevention measures: **Mandatory implementation of Multi-Factor Authentication (MFA)** on all VPN and gateway accounts, especially those that are publicly accessible; this removes the condition the technique depends on.
- Hardening recommendations: Disable or rename default accounts (e.g., *admin, test*) and remove unused ones. Enforce strong password policies, including checks against known-breached passwords. Rate-limit or lock out repeated failures, keeping in mind that aggressive lockout can be turned into a denial of service against legitimate users. Restrict administrative interfaces to allow-listed source IPs where possible.
## Related Tools/Techniques
- Credential stuffing and password spraying tools (the playbook implies custom or automated tooling without naming specific tools).
- Historical exploits cited as superseded by this approach: mass exploitation of the MOVEit Transfer and GoAnywhere MFT vulnerabilities.
- Associated ransomware families noted experiencing an increase in activity: RansomHub, Akira, Play.