The incident is classified as HIGH severity because of the volume of bad password attempts and account lockouts, including lockouts of admin accounts, and because the attack went unnoticed for 48 hours: a spray that runs undetected for two days leaves the attacker free to keep guessing and to keep locking out privileged accounts.
A password spray attack went undetected by Arctic Wolf's MDR service. It targeted an SSL VPN authentication portal that relayed authentication to a domain controller (DC) via LDAP. Over 3600 bad password attempts and over 300 lockouts were observed against 16 user accounts, including admin accounts.
Affected Systems
- SSL VPN authentication portal
- Domain controller (LDAP authentication relayed from the VPN portal)
Remediation
- Enable and enforce multi-factor authentication (MFA) on the SSL VPN portal so that a guessed password alone does not grant access; this is the control that actually defeats password spraying.
- Review and lower the failed-login alerting thresholds in the MDR service. A spray is designed to stay below per-account thresholds, so the alert logic should also count distinct accounts failing from a single source within a short window, and account lockouts aggregated across the whole user base, so that an alert fires within minutes rather than days.
- Review the account lockout policy (threshold, observation window, lockout duration). Lockouts alone did not stop this attack: over 300 lockouts were generated and still no alert fired, and locking out admin accounts is itself a denial of service, so lockout events should feed detection rather than be relied on as the control.
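The following is an added example of the detection logic the threshold review above should produce; it is not Arctic Wolf's rule and not code from the affected environment. It contrasts the per-account view (what a lockout threshold sees) with a per-source view that counts distinct accounts failing from one IP within a sliding window, which is the password-spray signature. The syslog-style line format, field names, IP addresses, usernames and timestamps are all constructed for the example.

```python
"""Password-spray detection over VPN/LDAP authentication failures.

Added example (not a vendor's rule): counts DISTINCT users failing from
one source inside a time window instead of failures per account, which
a spray deliberately keeps low. Log format and sample lines are
constructed for this example and do not come from a real product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format: an SSL VPN portal
# logging the result of authentication relayed to a DC over LDAP.
SAMPLE_LOG = """\
2024-03-01T02:00:05Z vpn-portal auth user=alice src=203.0.113.7 result=FAIL reason=ldap_invalid_credentials
2024-03-01T02:00:09Z vpn-portal auth user=bob src=203.0.113.7 result=FAIL reason=ldap_invalid_credentials
2024-03-01T02:00:14Z vpn-portal auth user=carol src=203.0.113.7 result=FAIL reason=ldap_invalid_credentials
2024-03-01T02:00:20Z vpn-portal auth user=dave src=203.0.113.7 result=FAIL reason=ldap_invalid_credentials
2024-03-01T02:00:25Z vpn-portal auth user=erin src=203.0.113.7 result=FAIL reason=ldap_invalid_credentials
2024-03-01T02:00:31Z vpn-portal auth user=admin.jsmith src=203.0.113.7 result=FAIL reason=ldap_invalid_credentials
2024-03-01T02:00:40Z vpn-portal auth user=admin.jsmith src=203.0.113.7 result=FAIL reason=ldap_account_locked
2024-03-01T02:01:02Z vpn-portal auth user=frank src=203.0.113.7 result=FAIL reason=ldap_invalid_credentials
2024-03-01T02:03:10Z vpn-portal auth user=alice src=198.51.100.20 result=FAIL reason=ldap_invalid_credentials
2024-03-01T02:03:41Z vpn-portal auth user=alice src=198.51.100.20 result=OK
2024-03-01T08:15:00Z vpn-portal auth user=bob src=192.0.2.55 result=FAIL reason=ldap_invalid_credentials
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL)(?: reason=(?P<reason>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return one alert per source IP whose failures cover at least
    min_users distinct accounts within a sliding time window.

    Each alert records the distinct users, the failure count and the
    number of lockout responses seen from that source in the window.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user, reason)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"], ev["reason"]))
        # Drop events that fell out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        if len(users) >= min_users:
            alerts[ev["src"]] = {
                "users": sorted(users),
                "failures": len(q),
                "lockouts": sum(1 for _, _, r in q if r == "ldap_account_locked"),
                "first": q[0][0],
                "last": ev["ts"],
            }
    return alerts


def max_failures_per_account(lines):
    """The metric a per-account lockout threshold sees: the highest
    failure count for any single account. A spray keeps this low."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            counts[ev["user"]] += 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("max failures for any single account:", max_failures_per_account(lines))
    for src, a in detect_spray(lines).items():
        print(f"ALERT spray from {src}: {len(a['users'])} users, "
              f"{a['failures']} failures, {a['lockouts']} lockouts "
              f"between {a['first']} and {a['last']}")
```

On the constructed sample no account fails more than twice, so a per-account threshold never trips, while the per-source view flags 203.0.113.7 for seven distinct accounts in under a minute, including one admin lockout. In production the window, threshold and source key (client IP, or a coarser key such as ASN when the attacker rotates addresses) need tuning against the portal's normal failure rate.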
Stack Impact
No specific software versions or components are identified. The impact is on the SSL VPN authentication portal and on the domain controller that receives the relayed LDAP authentication requests.