Brute Force
Difficulty · medium
Critical asset
Automated alert from SIEM (rule: AUTH-BRUTE-05)
Between 03:27 and 03:42 UTC, the account "admin@acme-corp.com" on the corporate VPN gateway (vpn.acme-corp.com) received 247 failed authentication attempts from 185.220.101.34, followed by 1 SUCCESSFUL login at 03:42:11 UTC.
After the successful login, the session initiated connections to 10.20.0.0/16 (internal HR subnet). MFA was not enabled on this account — an exception was granted 9 months ago and never reviewed.
Please investigate and respond.
— SIEM
Evidence
VPN gateway auth log (abbreviated)
Apr 19 03:27:03 vpn-gw auth: FAIL user=admin src=185.220.101.34 reason="bad password"
Apr 19 03:27:05 vpn-gw auth: FAIL user=admin src=185.220.101.34 reason="bad password"
... (245 similar lines) ...
Apr 19 03:42:11 vpn-gw auth: SUCCESS user=admin src=185.220.101.34 session=7f2a91
Apr 19 03:42:40 vpn-gw flow: session=7f2a91 -> 10.20.0.15:445 (SMB)
Apr 19 03:43:12 vpn-gw flow: session=7f2a91 -> 10.20.0.22:3389 (RDP)
Apr 19 03:45:02 vpn-gw flow: session=7f2a91 -> 10.20.0.22:3389 (RDP, active)
Threat intel lookup
185.220.101.34 — known Tor exit node, last seen in credential-stuffing campaigns (TI feed: abuse.ch)
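The logic behind an AUTH-BRUTE-05 style rule, written out as an added example (not the SIEM's own rule): it parses the gateway's auth and flow lines, raises an alert when a SUCCESS follows a run of FAILs from the same (user, src) inside a time window, and attaches the session's subsequent internal connections so the analyst sees the post-login activity in the same alert. The log sample is constructed to mirror the format above with only three failures, so the threshold is lowered to 3 for the demo; the regexes and field names are assumptions based on the lines shown.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the gateway's format: a short failure run (the 245 elided lines are not reproduced), an unrelated clean login, the SUCCESS, and its flows.
SAMPLE_LOG = """\
Apr 19 03:27:03 vpn-gw auth: FAIL user=admin src=185.220.101.34 reason="bad password"
Apr 19 03:27:05 vpn-gw auth: FAIL user=admin src=185.220.101.34 reason="bad password"
Apr 19 03:30:00 vpn-gw auth: FAIL user=admin src=185.220.101.34 reason="bad password"
Apr 19 03:31:00 vpn-gw auth: SUCCESS user=jdoe src=10.50.1.7 session=a1b2c3
Apr 19 03:42:11 vpn-gw auth: SUCCESS user=admin src=185.220.101.34 session=7f2a91
Apr 19 03:42:40 vpn-gw flow: session=7f2a91 -> 10.20.0.15:445 (SMB)
Apr 19 03:43:12 vpn-gw flow: session=7f2a91 -> 10.20.0.22:3389 (RDP)
"""

AUTH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) vpn-gw auth: (FAIL|SUCCESS) "
                     r"user=(\S+) src=(\S+)(?: session=(\S+))?")
FLOW_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) vpn-gw flow: session=(\S+) -> (\S+) \((.*)\)")

def parse_ts(text):
    # Syslog timestamps carry no year; only deltas within one log are used here.
    return datetime.strptime(text, "%b %d %H:%M:%S")

def detect_brute_then_success(log, threshold=10, window_min=15):
    """Return one alert per SUCCESS that follows >= threshold FAILs from the same
    (user, src) within window_min minutes, plus that session's later internal flows."""
    fails = defaultdict(list)   # (user, src) -> failure timestamps seen so far
    by_session = {}             # session id -> alert dict, for attaching flows
    alerts = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, src, session = m.groups()
            t = parse_ts(ts)
            if outcome == "FAIL":
                fails[(user, src)].append(t)
                continue
            recent = [f for f in fails[(user, src)] if (t - f).total_seconds() <= window_min * 60]
            if len(recent) >= threshold:
                alert = {"user": user, "src": src, "session": session,
                         "failures": len(recent), "success_at": ts, "flows": []}
                alerts.append(alert)
                by_session[session] = alert
            continue
        m = FLOW_RE.match(line)
        if m and m.group(2) in by_session:
            # Post-login lateral connections are what turn a noisy brute-force hit into an incident.
            by_session[m.group(2)]["flows"].append((m.group(3), m.group(4)))
    return alerts
```

Tuning note: a clean login with no preceding failures (jdoe above) never fires, and narrowing the window so the failures fall outside it suppresses the alert, which is the usual trade-off between catching slow, low-rate guessing and drowning in noise.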
Affected asset
- Name: vpn.acme-corp.com / admin account
- Type: Privileged VPN gateway account
- Owner: IT Infrastructure
- Level: Critical