grashayl living ambrosyn
Yvone Samiento
I have an issue with a single/multiple threat actors attempting to brute force or clientless vpn portal. They are switching IP's with each attempt and they occur 3-7 time per hour. They use the most ridiculous dictionaries for user names but regardless, they change periodically and I would like to put a stop to it but am finding it quite difficult.
Anyone have any advice for blocking these attempts? I've read so very much on this but cannot seem to find a solution for my particular situation. Any help or suggestions would be greatly appreciated.
How doe the Palo Alto see the traffic? Anything in the Threat logs? If you see something there, you can put policies in place to prevent this. A Zone Protection applied both internal and external (separate policies) might help. However if there is something in the traffic that can be recognized a custom AntiVirus or Vulnerability protection profile could help. Another way would be to send the logs to a SIEM and somehow block the IP's that are attempting to perform this.
Another thing might be to limit what IP's can access your portal, eg only traffic from the US, however if they are coming from the US this doesnt work. But also drop traffic that match the builtin EDL's and not from friendly nations:
I am going through the threat logs now to see if there may be anything of interest. Also, creating a custom AntiVirus and Vulnerability protection profile may be the way to go. Let me dig into this over the day and I'll be back with some info which may be helpful.
Sadly, the rate at which the IP's are changing may prove to be difficult to deal with and this is one of the reasons I decided to create this thread. Again, however, let me dig into this and see what I can discover.
This one might be a tough one to track down. However setting up the EDL blocks as well as Zone Protection profiles might help. Also might help to send telemetry back to Palo Alto, if they see something they can write something to help block it for everyone.
Also, nothing coming up in the threat logs regarding the attempts but I have adopted the tedious task of filtering out the IP's the threat actor is using more than once or twice and adding them to our Explicit IP Drop Policy. I have done this in the past but it seemed hopeless.
This time, however, the attempts at brute forcing our clientless vpn portal have ceased as of 9/16. I'm hoping I covered most of the actors IP pool but I'm continuing to monitor the situation. I just updated our firewalls and may need to make some changes to send out telemetry data but that's a great suggestion which I will follow through with.
@OtakarKlier we have an explicit drop policy and so far we can only block RU. If I had my way about it we would also block the region of China among others. Most of our malicious traffic seemingly originates in Russian for reasons without explanation. Of course, Russia, Iran, and China are our top threats from state sponsored APTs but no traffic from Iran as of yet.
@TomYoung Thanks for the input!!! That could actually be an option... Disabling the outward facing vpn portal... If the number of individuals who use clentless vpn access is minimal then that may be enough for me to work with to gain approval for blocking it. Ideally, having both would be optimal but it it could prevent initial access from a Threat Actor or APT then I am a supporter!!
So far, no futher brute force attempts on the clientless VPN portal but I am monitoring the situation. And will provide updates, there's always someone knocking on our firewall's door. Lol!
Agreed!!! Each of those points make perfect sense and I only wish we had that ability...
And fun fact: The threat actor(s) have started up again... Same ip hopping per login attempt and still only using 5-7 user names. Recon is one thing, but at this point, the threat actor likely knows what hardware we are using and seems to be making no further attempts to improve his odds at actually running a successful brute forcing campaign. It doesn't make one bit of sense at this point...
The biggest issue I've discovered when it comes to this/these types of threat actors which are using simplistic "brute forcing" methods. Almost on a "script kiddie" level taking me back to the days. of "NetBrute" if you will, but I digress
The thing is, PAN-OS allows for you to block authentication attempts via user name but ONLY when using LDAP. You cannot simply add a user name to an explicit ip drop (or other policy) that does not exist within your AD environment. Of course, you COULD create that user within your OU but noone wishes to create users accounts in AD such as sslvpn, admin, root, or testuser simply for the purposes of having the ability to block access attempts from individuals using these usernames.
Not to mention the additional security issues that are accompanied by doing such. But let us just say that if I could drop ip's explicitly and block them based on the user name that was used in the portal then problem solved!!! Why has Palo Alto refrained from incorporating such a feature??
I have the same problem as David but I already have the portal/gateway only allowing US and the portal/clientless vpn functionality is disabled. Each attempt has a different IP and different username and they come in at the rate of 1 attempt/minute. Sometimes it lasts for an hour or sometimes many hours and I get hundreds of "authentication failed" emails. We're using SSO with 2FA but the attempts continue to happen. What I discovered recently is that in the monitor logs of global protect is the "version" column and all of these attempts say "browser" which makes me believe that it's trying to use the clientless vpn even though the portal logon page is disabled and clientless vpn is not enabled-how can that be the case??? I have a whole slew of EDL block lists and they fly right by that and the only unique thing about all of them is the host name of "mypc". From what I can tell the HIP info isn't collected until after a successful login I cannot do anything with it....
@stevemg7
Sorry to hear that you are having the same issue... I know just how frustrating it can be, even more interesting is that the clientless vpn portal has been disabled but the traffic continues. One thing I have done in order to minimize there attempts is to modify your authentication profile. If the actor(s) are making an attempt every second then you could setup your criteria to block a user name after "x" failed attempts for "yy" minutes. I believe we chose 7 login attempts before the user is blocked for YY minutes. May drop it to 6... If a user ends up blocked you can easily unblock them with a single click.
Now, since your clientless vpn portal has been deactivated I'm unsure how this would work. If the brute force attempts are still occurring and you're seeing failed authentication via your RADIUS server in your GP/System logs you may still be able to leverage this method to aid in this uphill battle.
Let me know if you are able to completely stop these attempts, I would LOVE to know how you did it. Lol!
Best,
DB
I am seeing the exactly the same thing. Though the attacks in my case are directed explicity at my gateways. I could look at region blocking with policies but the attacks are distributed globally. They are low and slow even with the KB mentioned here, in order to be effective would more likely impact users than deter this.
I'm looking for a way to define a custom signature that can detect brute force attempts on the GlobalProtect portal that aren't based on the portal login page. I already have ID 40017 - VPN: Palo Alto Networks SSL VPN Authentication Brute Force Attempt - in place and working fine, however I realized that I'm seeing attacks now where someone has managed to replicate the auth sequence from the GP app itself. I've attempted using the following, but am not having any luck with it detecting my failed attempts:
You can try selecting transaction not session or as another workaround you can try placing the globalprotect gateway on the loopback interface =kA10g000000ClKPCA0 / =kA10g000000ClJHCA0 as maybe then firewall will match the signature when passing through the reply from the dataplane interface.
The brute caricature portrays black men as innately savage, animalistic, destructive, and criminal -- deserving punishment, maybe death. This brute is a fiend, a sociopath, an anti-social menace. Black brutes are depicted as hideous, terrifying predators who target helpless victims, especially white women. Charles H. Smith (1893), writing in the 1890s, claimed, "A bad negro is the most horrible creature upon the earth, the most brutal and merciless"(p. 181). Clifton R. Breckinridge (1900), a contemporary of Smith's, said of the black race, "when it produces a brute, he is the worst and most insatiate brute that exists in human form" (p. 174).
When a knock is heard at the door [a White woman] shudders with nameless horror. The black brute is lurking in the dark, a monstrous beast, crazed with lust. His ferocity is almost demoniacal. A mad bull or tiger could scarcely be more brutal. A whole community is frenzied with horror, with the blind and furious rage for vengeance.(pp. 108-109)
During slavery the dominant caricatures of black people -- Mammy, Coon, Tom, and picaninny -- portrayed them as childlike, ignorant, docile, groveling, and generally harmless. These portrayals were pragmatic and instrumental. Proponents of slavery created and promoted images of black people that justified slavery and soothed white consciences. If slaves were childlike, for example, then a paternalistic institution where masters acted as quasi-parents to their slaves was humane, even morally right. More importantly, slaves were rarely depicted as brutes because that portrayal might have become a self-fulfilling prophecy.
During the Radical Reconstruction period (1867-1877), many white writers argued that without slavery -- which supposedly suppressed their animalistic tendencies -- black people were reverting to criminal savagery. The belief that the newly-emancipated black people were a "black peril" continued into the early 1900s. Writers like the novelist Thomas Nelson Page (1904) lamented that the slavery-era "good old darkies" had been replaced by the "new issue" (black people born after slavery) whom he described as "lazy, thriftless, intemperate, insolent, dishonest, and without the most rudimentary elements of morality" (pp. 80, 163). Page, who helped popularize the images of cheerful and devoted Mammies and Sambos in his early books, became one of the first writers to introduce a literary black brute. In 1898 he published Red Rock, a Reconstruction novel, with the heinous figure of Moses, a loathsome and sinister black politician. Moses tried to rape a white woman: "He gave a snarl of rage and sprang at her like a wild beast" (pp. 356-358). He was later lynched for "a terrible crime."
c01484d022