The cybersecurity landscape is shifting quickly. In Episode 361 of The443 Podcast, Marc Laliberte and Corey Nachreiner discuss three emerging issues shaping modern security: 

• A critical authentication bypass in a popular JSON Web Token (JWT) library 
• An autonomous AI bot exploiting GitHub repositories at scale 
• A controversial age-verification law that could reshape online privacy 

While these topics span different areas of cybersecurity, they share a common theme: the intersection of automation, AI, and security controls is introducing both powerful defensive tools and new attack surfaces. 

Let’s break down the key lessons. 

A JWT Vulnerability Shows How Small Implementation Errors Become Critical Flaws 

The episode opens with a discussion about a recently discovered vulnerability in a Java JSON Web Token authentication library. 

For context, JSON Web Tokens (JWTs) are widely used in modern web applications for authentication. When a user logs into an application, the system creates a token containing information such as the user ID or privileges. The token is cryptographically signed so attackers cannot modify it without detection. 

In theory, this system is secure. In practice, the vulnerability demonstrates how fragile implementations can be. 

Researchers discovered that the library incorrectly handled a null return value during token validation. Instead of rejecting the request when a signed token could not be extracted, the code simply skipped the validation step entirely. 

That meant an attacker could: 

1. Create an unsigned token 
2. Encrypt it with the server’s public key 
3. Send it to the application 
4. Receive full authenticated access 

Because the token validation step never ran, the server accepted the unverified token and created a valid session. 

The flaw received a CVSS 10.0 score, highlighting how devastating small implementation mistakes can be in authentication systems. 

The good news is that the maintainers patched the issue within two business days. But the bigger story lies in how the vulnerability was discovered. 

AI-Assisted Vulnerability Discovery Is Becoming the New Normal 

The researchers who uncovered the JWT flaw did not find it through traditional manual auditing. 

Instead, the vulnerability was flagged by an AI-powered code analysis tool designed to identify risky patterns in software. 

This highlights an accelerating shift in cybersecurity. 

AI is now being used to: 

• Analyze massive codebases for security flaws 
• Detect insecure patterns in authentication logic 
• Automate vulnerability discovery 

For defenders, this is a powerful new capability. 

For attackers, it is equally powerful. 

As Corey points out in the episode, the barrier to entry for finding vulnerabilities is rapidly disappearing. Tasks that once required highly specialized expertise can now be assisted or accelerated by AI systems. 

In other words: 

Zero-day discovery may soon occur at machine speed. 

Organizations that fail to adopt AI-assisted security testing risk falling behind attackers who are already experimenting with these techniques. 

Autonomous AI Bots Are Now Attempting Real Attacks 

If the JWT story shows the promise of AI in security research, the next story highlights its darker potential. 

Researchers recently documented a week-long automated attack conducted by an AI agent built using an open-source system called OpenClaw. 

The bot, called HackerBot, was tasked with one simple objective: 

Find and exploit vulnerabilities in GitHub repositories. 

The AI scanned public repositories and targeted GitHub Actions workflows, which are commonly used to automate software development tasks like code testing, merging pull requests, and deployment. 

Out of seven targeted projects, the bot successfully compromised four. 

The attack methods included: 

• Injecting malicious code into pull request scripts 
• Exploiting workflows that executed untrusted code 
• Using branch names to inject shell commands into automation pipelines 

In one particularly creative example, the attacker embedded a malicious command directly into the branch name. Because the workflow piped the branch name into a shell command, the injected payload executed automatically. 

The bot also compromised a repository owned by Microsoft using this technique. 

In another case, it stole credentials from a compromised repository and used them to vandalize project files and upload suspicious artifacts to developer tools. 

This experiment demonstrated something significant: 

An AI agent can now execute large portions of the attack chain autonomously. 

The human operator only needed to provide the objective. 

The AI handled: 

• reconnaissance 
• vulnerability discovery 
• exploitation attempts 
• credential theft 

In at least one instance, the attack was blocked by defensive AI that detected the prompt injection attempt and flagged it as malicious. 

If that sounds like science fiction, it is not. 

It is AI vs. AI security warfare beginning to emerge in real-world environments. 

A New California Law Raises Questions About Privacy and Age Verification 

The final topic shifts away from direct cyber threats and toward internet governance. 

California recently passed Assembly Bill 1043, which will require operating systems to provide age verification signals for applications starting in 2027. 

The goal is simple: protect children from harmful online content. 

Instead of every website implementing its own age verification system, operating systems would verify a user’s age and share a simple age band with applications, such as: 

• under 13 
• 13 to 16 
• 16 to 18 
• over 18 

On paper, the idea sounds reasonable. 

In practice, it raises serious concerns. 

For example: 

• Current operating systems often rely on self-reported birth dates 
• Open-source operating systems may not be able to implement the requirement 
• Privacy risks increase if identity verification becomes mandatory 

Critics argue the law could create unintended consequences, including: 

• forcing platforms to collect more personal data 
• encouraging people to bypass verification with VPNs 
• complicating compliance for open-source ecosystems 

The broader issue is that age verification on the internet remains an unsolved problem. 

Centralized verification systems introduce privacy risks, while decentralized implementations often fail to prevent bypasses. 

As the hosts note, the likely outcome is that the first few attempts will be messy before the industry eventually settles on a workable standard. 

AI Is Reshaping Cybersecurity 

Across all three stories, one theme stands out. 

AI is fundamentally changing how cybersecurity works. 

It is accelerating: 

• vulnerability discovery 
• attack automation 
• defensive detection systems 

Security teams that adopt AI tools will gain powerful advantages. 

Those that do not may find themselves defending against threats that evolve faster than human analysts can respond. 

The cybersecurity industry is entering a new phase where automation, AI agents, and machine-assisted security research are becoming the norm rather than the exception. 

The key challenge now is ensuring these tools strengthen defenses faster than attackers can weaponize them. 

Three stories, one theme: control planes, supply chains, and human workflows remain high-leverage targets. 

This Secplicity blog follows the sequence and details covered by Marc Laliberte and Corey Nachreiner in The443 Podcast Episode 360. 

1) Cisco Catalyst SD-WAN 0-Day (CVSS 10): What happened 

Cisco disclosed and patched a 0-day vulnerability in the Catalyst SD-WAN controller and SD-WAN manager. The issue is scored 10 out of 10 on CVSS. 

• Cisco published an advisory. 
• Cisco Talos published a write-up. 

The vulnerability is described as an authorization bypass that can allow a remote attacker to log in as a high-privileged, non-root user, which can enable manipulation of network configuration on SD-WAN controllers. The write-up also notes an escalation path to root by downgrading, exploiting a 2022 vulnerability, and upgrading again. 

Why this matters operationally 

An internet-exposed SD-WAN controller is an edge-adjacent control-plane system. If it is compromised, an attacker can effectively peer into the network and gain access behind it. These controllers often sit at the gateway, sometimes in front of routing or security devices, which makes them a strategic position for an adversary. 

Cisco and Talos associate exploitation with a China-based threat actor, with activity dating back to at least 2023. In some cases, attackers achieved root persistence via the downgrade-exploit-upgrade mechanism. In most other cases described, attackers established unauthorized SD-WAN peering connections that can look normal unless teams are paying close attention, but still provide access. 

2) What MSPs should do: Patch, verify, and hunt 

Patch immediately, then validate remediation 

Upgrade affected Catalyst SD-WAN controller and manager systems. For MSP operations, remediation is not complete until it is verified at scale. 

Minimum verification standard: 

• Confirm versions post-upgrade across all managed instances. 
• Record verification timestamps. 
• Tie changes back to tickets or change records. 

Manually review all SD-WAN peering connections 

Cisco guidance includes manually reviewing SD-WAN peering connections for unexpected activity. 

Important nuance from the discussion: the “IOC” involved is not a unique malicious log event. It is a legitimate peering log you would normally see. The real check is whether the peering clients and IP addresses are the ones you expect. 

What to look for: 

• Peerings that do not map to known sites, tenants, or providers 
• Peerings created or changed outside approved change control 
• Unexpected IP addresses associated with peering activity 

Hunt for the “minor IOC” related to vmanage-admin 

Cisco also points to a smaller indicator: 

• Look for SSH authentication log entries related to “accept public key” for vmanage-admin. 

Practical triage: 

• Pull SSH authentication logs for the exposure window. 
• Investigate any vmanage-admin public key acceptance that does not match known admin workflows. 
• Treat unexplained findings as potential compromise until ruled out. 

Treat edge devices like software: update cadence matters 

Network firmware and appliance updates should be checked on a regular cadence. Even if updates land less frequently than application patches, the check-and-update motion needs to be consistent. 

3) Shai-Hulud style NPM worm: Poisoning AI toolchains 

Researchers at Socket, a supply chain security company, published research describing a Shai-Hulud style NPM worm poisoning AI toolchains. 

Quick refresher: 

• NPM is the Node Package Manager index, a widely used open-source ecosystem for JavaScript libraries (front-end and back-end). 
• Shai-Hulud references the sandworm in Dune and has been used to label self-propagating worm campaigns in the NPM ecosystem. 
• Prior campaigns included self-replicating worms that stole secrets and infected other packages, with significant impact. 

How malicious packages get into ecosystems (as covered) 

Common paths include: 

• Typosquatting (near-identical package names) 
• Taking over packages when a maintainer abandons one (design weaknesses and ownership transitions) 
• Social engineering maintainers for credentials and using a legitimate package as “patient zero” (the prior example discussed was a popular package compromise used to seed propagation) 

What this specific campaign did 

• Deployed across 19 malicious NPM packages initially. 
• Primarily used typosquatting. 
• Named “sandworm mode” based on environment variables embedded in the malware used as a toggle flag (likely controlling propagation behavior). 

Concrete example: 

• support-color impersonating legitimate supports-color. 
• A subtle naming difference can be enough to trick developers, and ordering or tab-complete behavior can increase the likelihood of selecting the malicious one. 

Propagation and tooling abuse 

Propagation used a combination of: 

• Weaponized GitHub Actions (automation workflows in repositories) 
• Secret harvesting, which can enable automated spread to other packages and repos 

AI-specific targeting: MCP server prompt injection 

Modules directly targeted AI coding assistants: 

• A malicious MCP server is written locally on a developer workstation. 
• Tools are registered that appear benign, including names like: 
• index_project 
• lint_check 
• scan_dependencies 

Each tool contained embedded prompt injections instructing an AI coding assistant to steal SSH keys and sensitive environment variables, save them adjacent, and avoid notifying the user. 

“Living off the land” AI polymorphism 

The malware also included a dormant polymorphic engine that looks for local installations of Ollama and uses local LLM tooling to rewrite code dynamically. This is a “living off the land” approach, but applied to local AI tooling. 

Multi-stage behavior and destructive failsafe 

Stages described: 

1. JavaScript loader 
2. Lightweight credential harvester (developer secrets in working directory) 
3. Deep harvester (additional secrets, databases, crypto wallet keys) 
4. Propagation and persistence 

A notable detail: a “dead switch” behavior where loss of GitHub connectivity can trigger self-destruction, including deleting contents of the user’s home directory. 

MSP takeaway 

Supply chain threats are not theoretical. If your operations include scripts, integrations, internal tooling, or any code-based automation, treat dependency risk as production risk. 

Operational controls that map directly to this threat: 

• Pin dependencies and enforce lockfiles 
• Require review for dependency changes 
• Scan for secrets in repos and CI logs 
• Apply software composition analysis and SBOM practices 
• Limit AI tool access to secrets by default, including SSH keys and environment variable stores 

4) Fake job interviews targeting developers: Bitbucket repos and VS Code execution paths 

Microsoft Defender researchers published an analysis of a coordinated campaign designed to compromise software developers using fake job interviews as the lure. 

How it was detected: 

• Defender telemetry showed outbound connections to known attacker command-and-control infrastructure. 
• Connections originated from Node.js processes on compromised systems. 

Initial delivery: 

• Traced back to malicious software repositories hosted on Bitbucket. 
• Additional related repos were identified through naming patterns and code structure similarities. 

Three execution paths described 

All three paths ultimately ran attacker-controlled JavaScript on developer machines: 

1. VS Code workspace automation triggered via the “folder open” hook 
2. The developer manually runs the application, which decodes a base64-encoded URL and retrieves a JavaScript loader hosted on a trusted external platform 
3. Use of environment files and application logic to open a backdoor to attacker servers 

Post-exploitation flow 

• A first-stage beacon registers the victim system with attacker infrastructure. 
• A second-stage JavaScript loader enables in-memory execution (fileless behavior). 
• Exfiltration mechanisms are included. 

Practical defense that fits real workflows 

VS Code includes a control that matters here: 

• When opening a new folder, VS Code prompts whether the folder is trusted. 
• Selecting “no” disables a set of automations and hooks that can execute without user awareness. 

Human safety checks from the discussion also apply: 

• Be wary of code tests arriving before meaningful interaction with a legitimate employer. 
• Do not treat unsolicited projects as safe by default. 
• Pause before trusting and running unknown code. 

What ties these together 

• Control-plane and edge systems remain prime targets. 
• Supply chain compromise continues to scale impact, now intersecting with AI-assisted development workflows. 
• Social engineering targets the moment a human opens or runs code, and modern dev tooling can execute on “open” events.

The past 18 months have been shaped by a surge in brute-force attacks and critical vulnerabilities (CVEs) targeting VPNs, authentication services, privilege elevation, and denial of service across the network security landscape. This timeline outlines key advisories and CVEs beginning with Cisco Talos’ landmark SSL VPN brute-force advisory in March 2024 and culminating in the most recent threat signals as attacks evolve to breaching network security vendors directly.     

Cisco Talos Sounds the Alarm 

March 2024: Cisco Talos began monitoring a large-scale surge in brute-force attacks targeting VPNs, SSH services, and web authentication interfaces. These attacks were largely indiscriminate, originating from TOR exit nodes and anonymizing proxies, and aimed at services including Cisco Secure Firewall VPN, Check Point VPN, Fortinet VPN, SonicWall VPN, RD Web Services, and others.  

The brute-force attempts used both generic and organization-specific usernames, leading to account lockouts, unauthorized access, and denial-of-service (DoS) conditions. 

However, there were earlier signs in February 2024 to indicate that at least three CVEs on Fortinet VPN Vulnerabilities were already actively being exploited. 

• CVE-2024-21762: A critical out-of-bounds write vulnerability in the FortiOS SSL-VPN component that could enable unauthenticated attackers to execute arbitrary code or commands. This vulnerability was actively exploited by threat actors. 
• CVE-2024-23113:  A format string vulnerability in the FortiOS SSL-VPN that could allow unauthenticated attackers to execute arbitrary code or commands. 
• CVE-2024-50562: An improper access control vulnerability in the SSL-VPN cookie, which could allow for insufficient session expiration.  

The Original “Blast-RADIUS” Vulnerability  

July 2024: The disclosure of CVE-2024-3596 known as Blast-RADIUS, marked a pivotal moment in the evolution of authentication-related vulnerabilities. Unlike traditional brute-force or credential stuffing attacks, Blast-RADIUS exploited a cryptographic weakness in the RADIUS protocol itself, allowing attackers to forge authentication responses without needing credentials or shared secrets. 

The flaw affected any RADIUS implementation based on RFC 2865, making it protocol-level and vendor-agnostic. This means that hundreds of products across dozens of vendors are vulnerable, including: Cisco ASA, FTD, FMC, Meraki MX, Duo Proxy, ISE, Catalyst SD-WAN, Nexus, UCS, Juniper Networks: SRX and MX series, Microsoft: NPS (Network Policy Server), Red Hat: FreeRADIUS and PAM modules, SonicWall, Fortinet, Aruba, Palo Alto Networks, and numerous other vendors.  

The vulnerability sparked widespread concern due to its stealthy nature and broad applicability. Security researchers emphasized that Blast-RADIUS was not just a bug, but a fundamental flaw in the protocol design, akin to Heartbleed or Log4Shell in terms of systemic risk.  

The Blast-RADIUS disclosure accelerated several industry-wide shifts: 

1. Migration to Encrypted RADIUS: Organizations began transitioning to RADIUS over TLS/DTLS, especially in cloud and hybrid environments.
2. Protocol Audits: Vendors initiated cryptographic reviews of legacy protocols, including TACACS+, LDAP, and Kerberos.
3. Authentication Hardening: Businesses adopted multi-factor authentication (MFA) and certificate-based access to reduce reliance on vulnerable protocols.
4. Zero Trust Adoption: The event reinforced the need to deny access by default, identity aware policy-based access control, and secure access service edge (SASE) with zero trust network micro-segmentation. 

SonicWall SSL VPN Exploitation  

August 2024: SonicWall confirmed that recent attacks on Gen 7 firewalls with SSL VPN enabled were linked to CVE-2024-40766, a critical improper access control vulnerability disclosed related to unauthorized access and firewall crash (denial of service). 

Attack Vectors: 

• Password re-use during migration from Gen 6 to Gen 7 firewalls
• Brute-force and MFA bypass attempts
• Deployment of Akira ransomware following initial access 

SonicWall advisory emphasized that the threat was not a zero-day, but rather a result of unpatched systems and poor credential hygiene.  

Cisco VPN Brute Force Denial of Service Vulnerability 

October 2024: Cisco disclosed CVE-2024-20481, a vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This flaw allowed unauthenticated attackers to trigger DoS by flooding VPN authentication requests, exhausting system resources. 

The vulnerability was actively exploited and added to CISA’s Known Exploited Vulnerabilities catalog. Cisco confirmed the link between this CVE and the brute-force activity observed earlier in the year. 

WatchGuard Global SSL Brute-Force Activity Bulletin 

October 2024: WatchGuard similarly observed global SSL VPN credential and authentication brute-force activities significantly increased in scale. A Knowledge Base Article with information and best practices for dealing with brute-force disruptions is continually being updated based on the systemic risk posed by these vulnerabilities. 

Microsoft observes intrusion activity successfully stealing credentials in password spray attacks 

October 2024: Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the source of these password spray attacks to a network of compromised devices tracked as CovertNetwork-1658, also known as xlogin and Quad7 (7777). 

Password spaying attacks on Citrix NetScaler/Gateway 

December 2024: Some of these attacks have targeted NetScaler appliances. Cloud Software Group has collaborated with affected customers to analyze the issues and recommend remediations. These attacks are consistent with password spraying attacks and are distinct from brute force attacks – instead of trying many passwords against a single account, attackers try a small set of common passwords against many accounts to avoid detection and account lockouts. 

SonicWall – SSL VPN Authentication Bypass Vulnerabilities 

January 2025: Another series of vulnerabilities and CVEs issued by SonicWall included: 

• CVE-2024-40762 - SonicOS SSLVPN Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass.
• CVE-2024-53704 - SonicOS SSLVPN Authentication Bypass Vulnerability. An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
• CVE-2024-53705 – SonicOS SSH Management Server-Side Request Forgery Vulnerability. A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall.
• CVE-2024-53706 - Gen7 SonicOS Cloud NSv SSH Config Function Local Privilege Escalation Vulnerability. A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only) allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution. 

Ivanti Connect Secure VPN and ZTA Gateway Zero-Day Exploit 

January 2025: Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure (“ICS”) VPN appliances. CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways that allows a remote unauthenticated attacker to achieve remote code execution, while CVE-2025-0283 allows a local authenticated attacker to elevate their privileges. 

Ivanti has released patches for the vulnerabilities exploited in this campaign, and Ivanti customers are urged to follow the actions in the Security Advisory to secure their systems. 

Fortinet warns of Authentication Bypass Zero-Day to hijack firewalls 

January 2025: Attackers are exploiting a new authentication bypass zero-day vulnerability in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks. This security flaw, CVE-2024-55591 impacts numerous Forti products and successful exploitation allows remote attackers to gain super-admin privileges by making malicious requests to the Node.js websocket module. 

Fortinet says attackers exploiting the zero-day in the wild are creating randomly generated admin or local users on compromised devices and are adding them to existing SSL VPN user groups or to new ones they also add. 

Critical CVEs Surface for Cisco VPN and Cisco Meraki Gateways  

June 2025: A new CVE-2025-20271 vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. This vulnerability is due to variable initialization errors when an SSL VPN session is established.  

An attacker could exploit this vulnerability by sending a sequence of crafted HTTPS requests to an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of all established SSL VPN sessions and forcing remote users to initiate a new VPN connection and re-authenticate. A sustained attack could prevent new SSL VPN connections from being established, effectively making the Cisco AnyConnect VPN service unavailable for all legitimate users. 

Multiple Vulnerabilities in Cisco Secure Firewall ASA and Secure Firewall Defense –Remote Access SSL VPN and Denial of Service  

August 2025: Cisco releases a cumulative security advisory affecting RADIUS remote code, IKEv2 denial of service, IPSec Denial of Service, DNS Inspection Denial of Service, Remote Access SSL VPN DoS, certificate DoS, VPN Web DoS, Authorization Bypass, and DHCP DoS among many others Cisco Event Response: August 2025 Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software Security Advisory Bundled Publication 

Surge in coordinated scans target Microsoft RDP and RD Web 

August 2025: GreyNoise Threat Signals releases early warning on a sudden surge in RDP Probing. GreyNoise observed a sharp surge in scanning against Microsoft Remote Desktop (RDP) services. Nearly 2,000 IPs ‒ the vast majority previously observed and tagged as malicious ‒‒ simultaneously probed both Microsoft RD Web Access and Microsoft RDP Web Client authentication portals. The aim was clear--test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions. 

A shift from targeting Fortinet VPN to FortiManager 

August 2025 –GreyNoise Threat Signal releases early warning on the shift from brute-force attacks against targeting Fortinet SSL VPNs to traffic moving from FortiOS targeting to FortiManager.  GreyNoise research has shown that spikes in attacker activity often precede new vulnerabilities affecting the same vendor ‒ with 80 percent of observed cases followed by a CVE disclosure within six weeks. 

SonicWall Warns Customers to Reset Credentials after Security Breach 

September 2025: SonicWall warned customers today to reset credentials after their firewall configuration backup files were exposed in a security breach that impacted MySonicWall accounts. After detecting the incident, SonicWall has cut off the attackers' access to its systems and has been collaborating with cybersecurity and law enforcement agencies to investigate the attack's impact. 

This disclosure follows a resurgence by the Akira ransomware gang that continues to gain access to targeted networks via unpatched SonicWall CVE-2024-40766 improper access control vulnerability and may have access to backup firewall configurations from the MySonicWall security breach.  

Tactics, Techniques and Takeaways 

1. Brute-Force Attacks Are Evolving 
Brute-force methods remain prevalent, attackers are increasingly moving away from protocol exploits to leveraging custom TCP signatures, shifting to new TCP and client signatures, to configuration-level exploitation and privilege elevation (and even theft of firewall configuration back-ups). 

2. VPNs and Remote Access Remain Prime Targets 
Cisco, Fortinet, and SonicWall VPNs have been repeatedly targeted with attackers exploiting both brute-force techniques and CVEs to bypass access controls, forging authentication responses without needing credentials or shared secrets and causing Firewall and VPN denial of service (DoS) by flooding these services with unauthorized requests. 

3. Password-Spray Attacks are stealthier and highly evasive 
These attacks focus on the use of a rotating set of thousands of IP addresses at any given time and low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity. 

Turning Awareness Into Actions 

Brute-force, password spray and protocol-level exploits thrive on weak, default and static access controls, outdated configurations and unpatched infrastructure.  

Here’s how to disrupt the playbook: 

Strengthen Identity Security 

• Enforce Multi-Factor Authentication (MFA): Stop unknown, unverified users and credentials from gaining access, period.
• Enable Zero Trust Authentication Policies: Set zero trust access conditions for network location, geofence, and time schedule.
• Limit Concurrent Login Sessions:  Reject subsequent login attempts and limit concurrent user session by remote access and VPN clients.  

Update Firewall Software and Configurations  

• Set Geolocation Policy: Blocking incoming connections with a Geolocation policy is an effective way to prevent brute force attacks and mitigate current attacks from users outside your country. All incoming connections are handled by the policy, which can deny incoming connections before the request reaches on-premises servers, cloud gateways and cloud-based authentication services.
• Enable Botnet Detection: When enabled, the Botnet Detection service prevents any known botnet IP address from establishing a successful connection to the WatchGuard SSLVPN policy before it reaches the SSLVPN backend services and authentication services.
• Block Failed Logins: Use the Block Failed Logins feature to detect and prevent brute force attacks from within countries where you do business. This feature dynamically blocks all authentication attempts from a source IP address when there are repeated authenticate attempts with unknown users or invalid passwords.  

Consider One Powerful MDR Service 

Consider whether Managed Detection and Response is your forward path. MDR delivers precise, powerful protection without adding to your workload. Get full-stack coverage across WatchGuard endpoint, firewall, identity plus critical third-party cloud services ‒ all managed through one unified platform. 24/7 SOC combines AI-driven automation with real human expertise, cutting through the noise to stop threats faster. No endless alerts, no wasted time – just real security outcomes.