2025-03-05 - Version 2

Spray and Pray: Botnet Takes Aim at Microsoft 365

Researchers at SecurityScoreCard recently discovered a botnet of over 130,000 devices is conducting password spray attacks against Microsoft 365. Although it hasn’t been confirmed, signs point to the responsible group being from China – the command-and-control servers are hosted in China and set to a timezone for Asia/Shanghai, and some of the hosting infrastructure was traced back to two Chinese providers. Researches estimate this has been in progress since December of 2024.

Microsoft has been rolling out required MFA (multi-factor authentication) for some time now, but the attackers specifically targeted non-interactive accounts. These accounts do not require manual login but are used by automated processes, background tasks, and service integrations. Since there is no human interaction, there is no MFA.

The likely goal of this attack is to gain access to sensitive data, e-mails, and collaboration tools like SharePoint.

Security researchers have called this “the next evolutionary step forward” of password spray attacks; let’s look at the components to see why this attack is particularly dangerous.

Non-interactive sign-ins: Why do we even have these?

At first glance, the idea of having an account that doesn’t require MFA seems really terrible, and on the surface, it is. But these accounts are used for things that don’t require human interaction – for instance, a service account that automatically logs into SharePoint to retrieve data or a background process making an API call to sync users between Entra ID and another external system. With no human there to enter the OTP or look at the authenticator app, no MFA is possible, but these tasks are critical to business function.

What exactly is a botnet?

A botnet is a network of compromised devices—computers, servers, and IoT devices—that a hacker controls remotely to perform malicious activities.

IoT devices are particularly attractive targets for hackers looking to build a botnet – they often have weak security controls, they rarely get security updates when vulnerabilities are found, and many times admins are not even aware they exist – one study found that 80% of IT leaders discovered an unknown IoT device on their network. When they do get compromised and end up as part of a botnet, it’s hard to tell – the only symptom might be an increase in traffic, which could escape regular monitoring.

The goal of a botnet is large-scale operations; one computer trying to unlock a password with a password spray attack could take years, given a reasonably complex password, but 130,000 devices trying all at once might take just a few hours.

How does a password spray attack work?

A password spray attack is a type of brute-force attack used to gain unauthorized access to user accounts, systems, or networks. It’s different from a traditional brute-force attack, where an attacker attempts to guess a password by systematically trying all possible combinations. In a password spraying attack, the attacker tries a small number of common passwords or a list of commonly used passwords against a large number of usernames or accounts.

The goal of a password spraying attack is to exploit the fact that many users use weak or easily guessable passwords, such as “password,” “123456,” or “admin.” Instead of trying to guess a specific user’s password, the attacker focuses on gaining access to multiple accounts by trying these common passwords against a broad range of usernames.

What makes this attack particularly egregious is the targeting of the non-interactive accounts. Most password spray attacks are thwarted by basic security measures like locking out after a certain number of incorrect passwords, but non-interactive accounts don’t usually have this enabled. Admins would also monitor security logs and set up alerts to be notified if there were suddenly a storm of failed login attempts, but non-interactive logins have their own logs, which are usually ignored. So as long as the background processes are working (the sharepoint backup, the ID sync as mentioned above), there would be a really good chance no one would ever check to see all these failed logins.

NAC and Conditional Access to the rescue!

Many of the articles mention that targeting these non-interactive sign-on accounts bypasses conditional access policies, but the truth is that with a good set of policies, you can still protect yourself from attacks like these.

Role-based and location-based access control are key – If you have a machine account that is designed to back up SharePoint or write to a database, those should be the only things it can access, with the least amount of rights to accomplish the job. This protects you in the event of a breach – the amount of data that can be stolen is extremely limited. Location-based access will protect you against connections from places you know your employees are not located.

Next, you can implement endpoint risk assessment policies for all accounts – if the device they are trying to connect from does not have required software, or anti-virus, or is not enrolled in your MDM, it can be an automatic failure. Or it could go to a quarantine network that has internet access but no access to your internal tools – this allows you to have a BYOD policy for employees but still keep your critical assets safe.

And finally, the big one – passwordless authentication. Swapping traditional passwords – and all the headache for users and IT departments they cause – for digital certificates is the best move you can make to keep your company secure. Digital certificates cannot be sprayed, brute forced, guessed, phished, or socially engineered. They can’t be forgotten, mistyped, or shared. With 80% of all data breaches starting with a compromised password, it’s clear that eliminating passwords significantly reduces your organization’s risk. By adopting passwordless authentication with digital certificates, you remove the weakest link in security—human error—while streamlining user access.

As attacks get more sophisticated, it’s important to have the right tools in place to keep you protected.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Dangerous liaisons in cybersecurity: Attackers improve their phishing methods

The latest ESET APT Activity Report shows improved phishing techniques that threat actors currently utilize, highlighting the need for high-quality cybersecurity awareness training.

A general recommendation about phishing attacks is not to click on anything that looks suspicious. That’s easy to follow when employees receive an email full of grammatical errors and typos from an unknown source.

However, adversaries have been improving their tactics and experimenting with new ways to make their potential victims fall for phishing — tactics that may not be so easy to spot. And it’s not only about using AI to create grammatically correct or more convincing emails. Recently, ESET researchers noticed a new trend among North Korea-aligned groups trying to build relationships with their targets before sending them malicious content.

Statistically speaking, since human error is involved in most data breaches, it is logical that threat actors don’t hesitate to leverage this major attack vector. To address this, ESET created ESET Cybersecurity Awareness Training, a story-driven course available in English, French, Spanish, and Chinese languages informing employees about current cyber threats and helping businesses with compliance and insurance issues.

A costly mistake

Verizon’s 2024 Data Breach Investigations Report shows that 68% of breaches involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error.

Most of those attacks started with phishing (tricking a user into giving sensitive information or downloading malicious content) and pretexting (use of a fabricated story, or pretext, to gain a victim’s trust) via email, accounting for 73% of breaches.

In 2024, the number of detected breaches involving pretexting surpassed the number of breaches involving traditional phishing attacks, according to Verizon’s data. This could be one indicator that threat actors feel the need to use more sophisticated techniques against their targets, according to the report.

Breaches involving a human element are not only prevalent but also costly, according to IBM’s Cost of a Data Breach Report 2024 conducted by Ponemon Institute. Ponemon’s researchers looked at 604 organizations in 16 countries and regions, finding that an average business loss due to phishing has now reached USD4.88 million per breach. This makes phishing attacks the second costliest type of attack, right after impacts from malicious insiders, which account for an average of USD4.99 million.

I have a proposal for you

Recent ESET findings confirm this trend of threat actors utilizing improved social engineering techniques.

In Q2 2024–Q3 2024, ESET researchers saw the North Korea-aligned activity cluster Deceptive Development and North Korea-aligned group Kimsuky enhancing their phishing attacks with pretexting methods. For example, both tried to use fake job offers to approach the targeted individuals, and only after the victim responded and a relationship was established did threat actors send a malicious package to the victim.

Another group, Lazarus, distributed fake job offers for desirable positions at large companies like Airbus or BAE Systems and delivered trojanized PDF viewers along with decoy PDF documents. This group also impersonated recruiters on professional networks and work platforms, distributing trojanized codebases under the guise of job assignments and hiring challenges with the aim of cryptocurrency theft.

Kimsuky targeted North Korea experts working for NGOs and researchers in academic circles with fake requests to grant a media interview or give a presentation. They tried to establish a relationship with a good old apple-polishing ― sending amiable emails that praised the target’s expertise and asked for help. Once the attackers gained the trust of their victim, Kimsuky delivered a malicious package, usually disguised as a list of questions that should be answered before the event.

The BlackBasta ransomware gang also adopted this relationship-oriented method when targeting businesses, according to the recent discovery of the ReliaQuest threat research team.

First, they send mass email spam targeting employees, provoking them to create a legitimate help-desk ticket to resolve the issue. Then, attackers posing as IT support or help desk staff contact employees via Microsoft Teams chat and send them a malicious QR code, likely for downloading a remote monitoring and management (RMM) tool that BlackBasta can exploit.

How to avoid a toxic relationship

Seeing the above-mentioned cases, it is clear that employees are a critical component of any business’s security that needs to be taken care of. In general, cybersecurity awareness training not only helps businesses to deflect user-oriented cyberattacks and fulfill compliance/insurance requirements but also decreases losses in case of a successful breach by around 5.2%.

ESET acknowledges this threat vector with the global launch of ESET Cybersecurity Awareness Training, which complements ESET PROTECT, a multilayered AI-powered solution for businesses.

Both employee training and multilayered security are integral parts of what ESET calls a prevention-first approach designed to completely evade cyber threats or mitigate them with no or only minimal disruptions in the business flow. It is a complex strategy of shrinking the attack surface while effectively reducing the complexity of cyber defense.

ESET Cybersecurity Awareness Training aims for both of these goals. First, it helps employees to recognize standard and novel cybersecurity threats abusing human factors. Second, it is easy to deploy and operate thanks to deep integration possibilities with various systems, a customizable training portal, and an easy-to-use dashboard. Thus, businesses don’t need to spend more precious IT staff time on it than necessary.

Let’s make it interesting!

ESET Cybersecurity Awareness Training offers an engaging and story-driven experience that helps employees understand which common bad user habits of can endanger the whole company. It also explains how threat actors think — for example, how they search potential victims’ social network profiles to guess their passwords or impersonate them.

The training is based on three decades of ESET expertise in this area and is designed to change employee behavior, rather than merely to check a box for compliance or cyber insurance.

To keep employees vigilant in the long term, ESET Cybersecurity Awareness Training comes with phishing test simulations that businesses can run an unlimited number of times.

Benefits of Premium Cybersecurity Awareness Training

Comprehensive online cybersecurity awareness training courses
Multiple course options ranging from full 90-minute-long training to short courses taking from 5 to 15 minutes
Best practices for remote employees
Gamification that engages and changes behavior
Helps meet HIPAA, PCI, SOX, GDPR, CCPA compliance requirements
Helps meet cyber insurance requirements
Certification & LinkedIn badge
Unlimited phishing test simulations to test employees
Admin console allowing users to manage customizable groups of employees, track learners’ status, and run phishing simulation campaigns
School platform where employees can take their enrolled training
Automatic email reminders to learners
Deep integration with various popular third-party cloud-based services

Fruitful relationship with ESET

Even the best and most expensive cybersecurity solution in the world can be powerless against one fooled employee who shares their password or downloads a malicious file.

Help your employees to navigate through a maze of the evolving world of cyber threats and improve your defenses with ESET Cybersecurity Awareness Training.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

About Version 2 Digital

2025 ESET

Inside the Dark Web: How the Guardz Research Unit Unveils Emerging Cyber Threats Targeting Small Businesses

Exploring the Digital Underground to Safeguard SMBs

Cybercriminals are constantly evolving their tactics, leveraging hidden corners of the internet to sell access to small and medium-sized businesses (SMBs). To stay ahead of these threats, the Guardz Research Unit (GRU) continuously monitors dark web marketplaces, underground forums, and other cybercrime hubs to uncover the latest trends that put SMBs at risk.

Our latest investigation has revealed a concerning rise in cybercriminal services tailored specifically to targeting SMBs, including law and accounting firms. One alarming example: a dark web listing offering admin-level access to a U.S. law firm for just $600, exploiting an eight-year-old unpatched vulnerability.

This finding is just one of many that highlight the growing attack-as-a-service economy, where cybercriminals trade stolen credentials, exploit remote access systems, and sell persistent backdoor access, leaving businesses vulnerable to ransomware, fraud, and devastating reputational damage.

Key Trends Uncovered by the Guardz Research Unit:

Stolen Business Access for Sale – Dark web marketplaces feature listings for Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) credentials, granting full control over small business networks.
Cybercrime is Alarmingly Affordable – Attackers can purchase unauthorized access to SMBs, including law firms and accounting firms, at shockingly low prices, making these businesses prime targets for fraud and extortion.
Unpatched Vulnerabilities Fuel Attacks – Businesses failing to patch old security flaws remain wide open to breaches, with cybercriminals exploiting security gaps that have been disclosed for years.
Persistent Access and Long-Term Exploitation – Many attacks don’t end after initial access; criminals implant malware, keyloggers, and hidden backdoors, allowing them to return undetected for future data theft and extortion.

Why This Matters for SMBs

Small businesses, especially those handling sensitive financial and legal data, remain a primary focus of cybercriminal activity. The Guardz Research Unit is working to expose these threats in real-time so that SMBs can take proactive steps to secure their networks before they become the next target.

Cybercriminals innovate their tactics daily, so cybersecurity defenses must evolve just as fast. By staying informed on emerging threats, SMBs can adopt a proactive security approach to protect themselves, their clients, and their reputations.

At Guardz, we are committed to helping SMBs close security gaps and prevent breaches before they happen. Stay tuned for our full report, where we’ll dive deeper into the latest dark web discoveries and provide actionable security strategies to keep your business safe.

Protecting Those at Risk

As part of this investigation, Guardz identified a law firm that was specifically named within dark web forums. We took immediate steps to notify the firm, ensuring they are aware of the threat and can take appropriate measures to protect their systems. Guardz remains available to assist in securing their business and mitigating potential risks.

Additionally, in our published report, we have not disclosed any company names, identifiers, or details that could expose businesses to further threats. Our mission is to raise awareness and equip SMBs with the insights and tools they need to defend against cyber risks.

Findings from the Dark Web

GRU’s recent dive into dark web forums revealed an alarming trend: threat actors are actively targeting Small businesses, particularly law and accounting firms. The reasons are clear—these organizations handle sensitive and lucrative data, such as financial records, legal documentation, and personally identifiable information (PII), making them attractive to cybercriminals.

Key GRU findings include:

Exploitation of Unpatched Vulnerabilities: Over 15% of the analyzed dark web listings offered access to organizations through known vulnerabilities that had been disclosed years ago.
Sale of Stolen Credentials: Credentials for Small businesses networks—both admin-level and standard user accounts—are being sold at an average price of $600. Some listings even include bundled “access packs” with multiple entry points to the same organization.
Ransomware as a Service (RaaS): Cybercriminal groups are offering turnkey ransomware solutions on the dark web, making it easier than ever for even non-technical actors to launch devastating attacks.

These findings highlight the growing sophistication and accessibility of cybercrime, making Small businesses an increasingly vulnerable target.

Threat Analysis: How Small Businesses Are Being Exploited

1. Unpatched Vulnerabilities: A Ticking Time Bomb

In the Guardz Research Unit recent uncovered findings, an American law firm was still vulnerable to the EternalBlue exploit—a flaw in Windows’ Server Message Block (Small businesses) protocol disclosed back in 2017. This vulnerability was infamously exploited in the global WannaCry ransomware attack, which caused billions in damages. Despite being patched years ago, GRU found that threat actors were still leveraging it to gain access to unprotected networks.

The potential damage behind this vulnerability is equally alarming:

According to various estimations, over 100,000 devices worldwide are estimated to remain unpatched against EternalBlue.
A single ransomware attack exploiting this vulnerability can cost Small businesses an average of $120,000 in recovery expenses, not to mention reputational damage.

One dark web listing advertised admin-level access to a law firm’s network, complete with instructions on how to exploit the EternalBlue flaw, for just $600—a devastatingly low price for such significant access.

VPN Access to a law firm in Puerto Rico sold on the Darkweb

2. RDP and VPN Exploits: A Gateway for Attackers

Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) tools are critical for enabling remote work, but they have also become prime targets for cybercriminals. GRU identified multiple listings on dark web forums advertising access to small business networks through compromised RDP and VPN credentials.

High-Value Credentials: In one case, admin-level RDP credentials for an accounting firm were auctioned off for $1,800, giving the buyer unrestricted access to sensitive financial systems.
Low-Cost Entry Points: Lower-level credentials were available for as little as $300, yet they still offered significant opportunities for skilled attackers to escalate their access.

The potential threat here paints a grim picture:

A 2024 study by the Cyber Readiness Institute found that nearly two-thirds (65%) of global SMBs do not use MFA and have no plans to implement it in the near future.

RDP Access to accounting firm Sold on DarkWeb

3. Ransomware: The Hall of Shame

Ransomware gangs have evolved their tactics beyond simple file encryption. Today, these groups often engage in double extortion, threatening to leak sensitive data if ransom demands are not met. GRU documented a particularly devastating example involving a U.S. family law firm. After refusing to pay a ransom, the firm’s sensitive client data was leaked on a dark web “hall of shame” site, resulting in irreparable reputational damage.

The impact of ransomware on Small businesses is staggering:

Financial Losses: The average cost of a ransomware attack on small businesses is approximately $26,000.
Operational Disruptions: Following a ransomware attack, 50% of small and medium-sized businesses report that it took 24 hours or longer to recover, leading to significant downtime and loss of productivity.

The Risk and Potential Damages to Small Businesses

The infiltration of a small business network via Remote Desktop Protocol (RDP), VPN exploits, or unpatched vulnerabilities can lead to severe and often irreversible consequences. Once cybercriminals gain access, they can:

Deploy Ransomware: Attackers can encrypt all business-critical files, rendering systems inoperable until a ransom is paid—often in cryptocurrency. Many businesses that refuse to pay suffer prolonged downtime, loss of sensitive client data, and legal repercussions if personally identifiable information (PII) is exposed.
Steal and Sell Confidential Data: Law firms, accounting firms, and other professional service providers store sensitive financial records, legal case files, tax information, and personally identifiable data. Cybercriminals frequently sell or leak this data, leading to regulatory fines, lawsuits, and a loss of client trust.
Launch Fraudulent Transactions: With admin-level access, attackers can manipulate financial records, initiate fraudulent wire transfers, or reroute funds, causing direct financial losses that can be difficult to recover.
Set Up Persistent Access for Future Exploits: Many cybercriminals install backdoors, keyloggers, and other malware that allow them to return at will, siphon off data over time, or launch additional attacks without detection.
Use the Business as a Springboard for Attacking Others: A compromised firm can be leveraged to infiltrate clients, suppliers, or business partners, especially if they have interconnected networks or shared credentials. This can trigger legal liability and reputational damage that extends far beyond the initial breach.
Disrupt Operations for Extended Periods: For many small businesses, even a few days of downtime can be financially devastating. Attackers often sabotage systems, delete backups, or corrupt data to make recovery nearly impossible without external intervention.

Risks Amplified: Why Small Businesses Are Prime Targets

Small businesses often lack the resources and expertise of larger organizations, making them appealing targets for cybercriminals. Key risk factors include:

Inadequate Security Budgets: Many Small businesses operate on tight budgets, often prioritizing operational costs over cybersecurity.
Overlooked Patching: GRU’s findings show that many Small businesses fail to patch vulnerabilities in a timely manner, leaving them exposed to known threats.
Weak Credential Policies: The reuse of passwords across multiple accounts remains a widespread issue, providing easy entry points for attackers.
Supply Chain Vulnerabilities: Small businesses often rely on third-party vendors, creating additional attack vectors for cybercriminals.

Guardz: A Trusted Ally in Cybersecurity

As the cybersecurity landscape grows increasingly complex, Guardz is transforming the charge to protect small businesses. Through its innovative AI-powered platform, Guardz empowers MSPs to deliver cutting-edge cybersecurity solutions tailored to the needs of small businesses.

How Guardz Makes a Difference:

Proactive Threat Detection: Guardz’s platform identifies vulnerabilities and mitigates risks before they can be exploited.
Automated Responses: The platform provides real-time, automated responses to emerging threats, minimizing damage and downtime.
Cyber Awareness Training: Guardz equips small businesses with the knowledge and tools to recognize and respond to social engineering attempts, such as phishing attacks.
Phishing Simulations: To bolster defenses against one of the most common attack vectors, Guardz offers AI-powered phishing simulations, helping small businesses and their employees stay vigilant.

A Path Forward: Recommendations for Small Businesses

GRU’s findings serve as a wake-up call for small businesses across all sectors. To stay ahead of cybercriminals, small businesses must adopt a proactive approach to cybersecurity. Key recommendations include:

Regular Patch Management: Ensure all software and systems are up to date to eliminate known vulnerabilities.
Strong Credential Policies: Implement MFA and enforce unique, complex passwords across all accounts.
Data Backups: Maintain separate, secure backups of all critical data to ensure business continuity in the event of an attack.
Employee Training: Invest in ongoing cybersecurity awareness training to reduce the risk of human error.
Partner with an MSP: Work with a trusted MSP equipped with Guardz’s platform to ensure 24/7 protection.

The findings from the Guardz Research Unit highlight a sobering reality: the dark web is teeming with threats aimed squarely at small businesses. From unpatched vulnerabilities to stolen credentials and ransomware attacks, small businesses face a range of risks that can devastate their operations and reputations.

But it doesn’t have to be this way. By taking proactive measures and partnering with cybersecurity leaders like Guardz, small businesses can turn the tide, protecting their data, their clients, and their futures.

In an age where cybercrime shows no signs of slowing down, Guardz stands as a beacon of hope, empowering MSPs to safeguard the lifeblood of the economy and our small businesses. The message is clear: Stay vigilant, stay prepared, and let Guardz protect what matters most.

About Guardz
Guardz is on a mission to create a safer digital world by empowering Managed Service Providers (MSPs). Their goal is to proactively secure and insure Small and Medium Enterprises (SMEs) against ever-evolving threats while simultaneously creating new revenue streams, all on one unified platform.

About Version 2 Digital

2025 Guardz

Top Network Configuration Errors and How to Fix Them

Security incidents often arise from seemingly minor mistakes—misconfigurations that could otherwise be easily avoided.

Unencrypted communication, plain-text authentication, weak network segmentation, outdated operating systems and applications, and unsecured services are common yet often overlooked vulnerabilities. These misconfigurations create entry points or exploitation opportunities for potential attackers, putting your entire organization at risk.

In this article, we’ll uncover the most common configuration errors and outline practical steps to fix them, helping you build a more resilient and secure network.

Unsecured Services in the Perimeter

Configuration error: Services like web servers, Remote Desktop Protocol (RDP), or Secure Shell (SSH) exposed to the Internet without proper protection are easy targets for attackers.

Internet-exposed services are often overlooked, making them vulnerable. Attackers exploit these weaknesses through brute force attacks, unpatched software exploits, or simple misconfigurations, using unsecured services as entry points into your internal infrastructure.

The risk is further heightened by insufficient access restrictions, such as unrestricted global IP access. Without effective logging and monitoring, such breaches can go undetected for extended periods.

Recommended actions:

Deploy a Next-Generation Firewall (NGFW) and Web Application Firewall (WAF) to detect and block malicious activities.
Restrict access using IP whitelisting and geolocation rules (e.g., allow only IPs from trusted regions).
Avoid exposing services to the Internet unless absolutely necessary. Instead, manage access using Zero Trust Network Access (ZTNA) or a client VPN.

Pro tip: Regularly audit your exposed services to identify weaknesses and bolster overall protection.

Remote access via VPN

Configuration error: Improper VPN configuration often allows access to entire network segments rather than specific services, significantly increasing the risk of lateral movement or full network compromise.

Unrestricted access and lack of user activity visibility can turn your VPN into a weak security link. Transitioning to modern solutions like Zero Trust Network Access (ZTNA) or client VPN offers a much higher level of security by providing granular access control and minimizing exposure.

Recommended actions:

Restrict VPN access to only necessary services and resources.
Implement monitoring tools to track VPN activity and identify suspicious behavior.
Switch to ZTNA or client VPN for granular access control and enhanced security.

Bypassing Security Policies in Remote Access

Configuration error: Unauthorized devices or software used by vendors to bypass access policies creates direct access to your internal infrastructure, seriously compromising network security.

A common scenario involves “rogue” routers with cellular connectivity (4G/5G) that terminate VPN tunnels directly into your organization’s infrastructure. This undermines your existing security policies and grants direct access to the internal network.

Equally problematic is the use of software tools like SoftEther, which allow VPN connections over HTTPS from any device where the software is installed. This traffic mimics regular network communication, often bypassing detection by traditional firewalls. The result is hidden access, which can be exploited by attackers or even disgruntled employees for unauthorized activities or cyberattacks.

Recommended actions:

Conduct regular audits based on network traffic analysis to identify unauthorized devices, detect suspicious behavior, and uncover anomalous communication patterns.
Enforce the use of approved remote access solutions like ZTNA or client VPN.
Proactively disable unauthorized remote access devices and software.

Pro Tip: Use tools like GREYCORTEX Mendel to detect unauthorized remote access and enforce security policies.

Unauthorized Access Between Network Segments

Configuration error: Poor segmentation and inadequate communication control between networks allow devices from less secure environments to access your internal resources, significantly increasing security risks.

One of the fundamental principles of secure network design is proper segmentation and controlled communication between network segments. However, it is common to find devices from separate networks, such as guest Wi-Fi, gaining access to internal DNS or DHCP servers. These Wi-Fi devices, which often do not meet organizational security standards, pose a significant risk if communication is not properly restricted.

Recommended actions:

Implement strict network segmentation and block unauthorized communication between segments.
Monitor traffic between segments to detect unauthorized communication.
Regularly audit your network infrastructure configurations to identify vulnerabilities.

Pro Tip: Visualize inter-segment communications with tools like GREYCORTEX Mendel to identify potential weak points.

Unencrypted Communication and Plain-Text Authentication

Configuration error: Unencrypted protocols such as HTTP, Telnet, or TFTP, along with plain-text authentication, leave organizations vulnerable to eavesdropping and credential theft.

This issue often stems from legacy systems or misconfigurations that fail to support modern encrypted protocols. Attackers can intercept unencrypted communications to access sensitive data. For legacy systems that cannot be quickly replaced, it is essential to assess the risk, implement necessary safeguards, and develop a medium-term plan for mitigation.

Recommended actions:

Switch to encrypted protocols, such as HTTPS, SSH, or SFTP.
Identify systems lacking encryption support and create an upgrade plan.

Pro Tip: Regularly scan your network for unencrypted communication and plain-text authentication.

Outdated or Weak Encryption Standards

Configuration error: Outdated encryption protocols, such as TLS 1.0/1.1, leave organizations vulnerable to modern threats like eavesdropping and cyberattacks.

Outdated encryption protocols are often found in legacy systems or arise from misconfigurations. In the case of misconfigurations, switch to secure protocols immediately. For legacy systems where replacement may be challenging, document the risks and develop a medium-term plan to transition to modern encryption standards, ensuring your critical data remains protected.

Recommended actions:

Upgrade encryption standards to secure versions, such as TLS 1.2/1.3.
Identify systems using outdated protocols and schedule updates.
Restrict access to systems still reliant on outdated encryption.

Pro Tip: Use tools like GREYCORTEX Mendel to identify systems using weak encryption protocols.

External DNS Requests

Configuration error: Devices communicating directly with external DNS servers increase the risk of exposing sensitive infrastructure data and them being exploited through DNS tunneling techniques.

Devices within internal, server, or technology networks should only use organization-managed DNS servers. External DNS queries pose particular risks in environments with IoT devices or less secure endpoints, allowing attackers to exploit vulnerabilities like DNS spoofing or covert tunneling.

Recommended actions:

Ensure internal devices communicate only with an authorized internal DNS server, which alone resolves external queries.
Monitor DNS traffic for anomalies, such as unauthorized queries to public DNS servers.
Block external DNS queries at the firewall level to secure your internal infrastructure.

Pro Tip: Leverage tools like GREYCORTEX Mendel to detect unauthorized DNS communication and improve network protection.

Unused IPv6 Communication

Configuration error: Active IPv6 communication on devices without deliberate use adds unnecessary network overheads and complicates management.
In many organizations, devices are configured with both IPv4 and IPv6 addresses, even when IPv6 is not actively used. This results in redundant multicast and anycast queries, increasing your network traffic without providing value.

Recommended actions:

Disable IPv6 on devices where it is not required to reduce traffic.
Regularly monitor IPv6 traffic to identify inefficient flows.

Pro Tip: Ensure the compatibility of applications and devices relying on IPv6 before disabling it completely.

Effective Network Threat Prevention Begins with Proper Configuration

The misconfigurations highlighted above are not uncommon—they frequently surface during network audits across organizations of all sizes. Some issues can be resolved with simple configuration changes, while others demand a more strategic approach or infrastructure upgrades. Regardless of their complexity, early identification of these vulnerabilities is critical to preventing security incidents.

GREYCORTEX Mendel offers you a complete view of your network, detecting risks such as unencrypted communication, unauthorized access points, and problematic remote access methods. With Mendel, you can proactively identify vulnerabilities, minimize risks, and fortify your network before threats escalate.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.