Password spray attacks against VPN services

You might not know this, but at ANSecurity, we maintain a network of internet-facing honeypots, deployed across a range of cloud environments. Ours are usually disguised to appear as VPN endpoints — hardly surprising, given the volume of attacks targeted at VPN services today.

These honeypots provide valuable insights into attacker behaviour, trends, and common tactics in the wild. And just last week, we observed a significant uptick in password spray attacks.

A New Focus: Non-Human Accounts Under Fire

Unlike traditional brute force attempts that target human users, this recent wave has had a different objective — service accounts and generic usernames like backupadmin, svc-user, or monitor1.

These are often overlooked in security audits, and attackers know it.

The passwords in use? Predictably seasonal: Summer2024, August2025, and variations that just about meet the 8-character minimum enforced by outdated password policies.

From our experience, and from working alongside incident response providers, these “non-human” (or as we like to say, silicon-based) accounts are the weakest link in many organisations:

  • Created with simple, guessable usernames

  • Default or weak passwords, often set manually and never updated

  • Rarely protected by multi-factor authentication

  • Frequently over-permissioned — and yes, we’ve seen some with Domain Admin rights
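A detector for the pattern described above, run over VPN authentication failures, is added here as an example; it is not code from the original post or from any VPN appliance. The log format, the field names, the RFC 5737 IP addresses and the service-account name heuristic are all constructed, and the thresholds are assumptions to tune per environment. It separates a spray (one source, many usernames, few attempts each) from a classic brute force (one source, one username, many attempts) and lists which service-style accounts the spraying source touched.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed VPN auth-failure lines (syslog-like; not real appliance output).
SAMPLE_LOG = """\
2025-08-04T09:00:01Z vpn auth-fail user=backupadmin src=203.0.113.10
2025-08-04T09:00:03Z vpn auth-fail user=svc-user src=203.0.113.10
2025-08-04T09:00:05Z vpn auth-fail user=monitor1 src=203.0.113.10
2025-08-04T09:00:07Z vpn auth-fail user=svc-backup src=203.0.113.10
2025-08-04T09:01:00Z vpn auth-fail user=jsmith src=198.51.100.7
2025-08-04T09:01:02Z vpn auth-fail user=jsmith src=198.51.100.7
2025-08-04T09:01:04Z vpn auth-fail user=jsmith src=198.51.100.7
2025-08-04T09:02:00Z vpn auth-fail user=jdoe src=192.0.2.5
"""
LINE_RE = re.compile(r"^(\S+) vpn auth-fail user=(\S+) src=(\S+)$")
# Assumed heuristic for service/generic account names of the kind the spray targeted.
SERVICE_NAME_RE = re.compile(r"^(svc|backup|monitor|scan|admin|test|sql)", re.IGNORECASE)

def parse(log_text):  # -> list of (timestamp, username, source_ip)
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            events.append((ts, m.group(2), m.group(3)))
    return events

def classify_sources(events, window_s=600, spray_users=4, brute_attempts=3):
    """Per source IP: 'spray' if many distinct usernames fail within the window
    (anchored at the source's first failure), 'brute' if one name fails repeatedly."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    verdicts = {}
    for src, items in by_src.items():
        items.sort()
        first = items[0][0]
        in_window = [u for ts, u in items if (ts - first).total_seconds() <= window_s]
        if len(set(in_window)) >= spray_users:
            verdicts[src] = "spray"
        elif len(in_window) >= brute_attempts:
            verdicts[src] = "brute"
        else:
            verdicts[src] = "none"
    return verdicts

def sprayed_service_accounts(events, verdicts):
    """Service-style usernames that a spraying source tried; these are the accounts to audit first."""
    return sorted({u for _, u, src in events if verdicts.get(src) == "spray" and SERVICE_NAME_RE.match(u)})
```

The output of the last function is the audit list: every name on it should have its password, MFA status and group membership checked, whether or not the attempt succeeded.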

Where Are These Attacks Coming From?

In this particular case, attacks have been traced back to ten IP addresses, most of which Shodan.io lists as being hosted in Latvia. Nine appear to be running Windows Server 2022 with RDP exposed on port 3389 (clearly, attackers aren’t always great at securing their own infrastructure). The last is a Linux host with SSH access.

Plugging these into VirusTotal shows corroborating reports from others seeing similar brute force activity — especially against FortiGate VPN appliances.

While it’s tempting to speculate on attribution, without ISP or law enforcement involvement, we’re unlikely to get a definitive answer.

What Happens If They Get In?

Let’s walk through a worst-case scenario.

  1. The attacker successfully authenticates using a valid service account.

  2. They establish a VPN session and begin lateral movement, looking for vulnerable systems — such as an Active Directory Domain Controller.

  3. If the compromised account is in the Domain Admin group, they now effectively own your network.

  4. From here, they can:

    • Create new accounts for persistence (or hijack existing low-profile ones)

    • Disable logging and detection tools

    • Exfiltrate data quietly over time

    • Identify and disable backups before launching ransomware

And it’s not theoretical. With the rise of “EDR killers” (malware designed to disable endpoint protection tools), even the best defences are being bypassed.

Think It Couldn’t Happen to You?

It’s a scary story — but not an unrealistic one. So, let’s check a few things:

🔒 When was the last time you:

  1. Tested that your VPN blocks brute force attempts?

  2. Audited service accounts to ensure they’re using long, randomly generated passwords (and deleted any unused ones)?

  3. Reviewed who has VPN access? Do you see Domain Users listed? If so — that’s a red flag.

  4. Updated your MFA policy? Still relying on push-based MFA over RADIUS? That’s vulnerable to prompt bombing and accidental approvals.

If even one of these feels unfamiliar or outdated, it’s probably time to review your policies, processes — or invest in some new tech.

Time to Get Proactive

We know that reviewing service accounts or setting up automation for brute force protection doesn’t exactly spark joy. But the risks are real — and growing.

Modern security requires more than just firewalls and passwords. It’s about automating regular reviews, deploying adaptive MFA, and exploring passwordless authentication options like certificates.

If you’d like help reviewing your setup or getting started, speak to your ANSecurity account manager or contact us directly.
