How We Stopped a Potential Breach Before It Happened

Recently, we discovered a security weakness at one of our clients that could have escalated into a serious incident. The client had a VPN user portal exposed to the internet even though it was not actively being used. This oversight created an attack vector, and malicious actors were already exploiting it.
The issue came to light when certain user accounts were being locked out far more frequently than usual. Investigating further in the Domain Controller's Event Viewer, we found numerous failed logon attempts tied to those accounts. The source IPs traced back to the firewall. Digging into the firewall logs, we confirmed a flood of login attempts targeting the unused VPN portal.
We immediately disabled the portal, cutting off the attack surface before any damage was done. This action was taken before the client's Managed Detection and Response (MDR) service had even flagged the activity.

Why This Matters

This incident highlights two critical points. First, unused services, such as the VPN portal in this case, should always be disabled to minimize the attack surface. Second, proactive monitoring and investigation can often catch threats before automated tools respond. While MDR solutions are valuable, human expertise and vigilance remain essential in securing IT environments.

This incident also highlights the value of having a SIEM solution. While we were able to manually identify and stop the malicious login attempts, a SIEM would have detected the pattern of failed logins across the firewall and domain controller in real time, significantly speeding up the response and establishing that the account lockouts were caused by malicious brute-force attempts.
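As an added illustration of the correlation described above (not code from the original post or the client's environment), the following Python sketch does what the manual investigation and a SIEM rule both boil down to: it matches failed-logon events that the domain controller attributes to the firewall's address against VPN-portal authentication failures in the firewall log, and reports the accounts and external source IPs involved. The log formats, the firewall address 10.0.0.1 and all sample records are constructed; Event ID 4625 is the standard Windows "account failed to log on" event.

```python
from collections import Counter, defaultdict

# Constructed sample data, not from the original post. DC records mimic fields of
# Windows Event ID 4625 ("An account failed to log on"); firewall lines mimic a VPN
# portal authentication log in key=value form. 10.0.0.1 is the firewall's inside address.
FIREWALL_IP = "10.0.0.1"
DC_EVENTS = [
    {"ts": "2024-03-01T02:00:01", "event_id": 4625, "user": "jsmith", "src": "10.0.0.1"},
    {"ts": "2024-03-01T02:00:02", "event_id": 4625, "user": "jsmith", "src": "10.0.0.1"},
    {"ts": "2024-03-01T02:00:03", "event_id": 4625, "user": "jsmith", "src": "10.0.0.1"},
    {"ts": "2024-03-01T02:00:04", "event_id": 4625, "user": "admin", "src": "10.0.0.1"},
    {"ts": "2024-03-01T02:00:05", "event_id": 4625, "user": "admin", "src": "10.0.0.1"},
    {"ts": "2024-03-01T02:00:06", "event_id": 4625, "user": "admin", "src": "10.0.0.1"},
    {"ts": "2024-03-01T09:15:00", "event_id": 4625, "user": "bjones", "src": "10.0.5.23"},  # one typo at a workstation
]
FW_LINES = [
    "2024-03-01T02:00:01 vpn-portal auth-fail user=jsmith src=203.0.113.7",
    "2024-03-01T02:00:02 vpn-portal auth-fail user=jsmith src=203.0.113.7",
    "2024-03-01T02:00:03 vpn-portal auth-fail user=jsmith src=198.51.100.9",
    "2024-03-01T02:00:04 vpn-portal auth-fail user=admin src=203.0.113.7",
    "2024-03-01T02:00:05 vpn-portal auth-fail user=admin src=203.0.113.7",
    "2024-03-01T02:00:06 vpn-portal auth-fail user=admin src=203.0.113.7",
    "2024-03-01T08:00:00 vpn-portal auth-ok user=bjones src=10.0.5.40",  # a successful login, ignored
]

def parse_fw_line(line):
    """Parse one firewall log line; returns None unless it records an auth failure."""
    ts, service, action, *kv = line.split()
    if action != "auth-fail":
        return None
    fields = dict(item.split("=", 1) for item in kv if "=" in item)
    return {"ts": ts, "service": service, "user": fields.get("user"), "src": fields.get("src")}

def correlate(dc_events, fw_lines, firewall_ip, threshold=3):
    """Accounts whose failed DC logons (4625) arrive via the firewall and also appear as
    VPN-portal auth failures -> {user: {"dc_failures", "vpn_failures", "sources"}}."""
    # Step 1: failed logons the DC attributes to the firewall's address, per account
    via_fw = Counter(e["user"] for e in dc_events
                     if e["event_id"] == 4625 and e["src"] == firewall_ip)
    # Step 2: VPN-portal failures per account, keeping the external source IPs
    vpn_fail, sources = Counter(), defaultdict(set)
    for rec in filter(None, map(parse_fw_line, fw_lines)):
        if rec["service"] == "vpn-portal":
            vpn_fail[rec["user"]] += 1
            sources[rec["user"]].add(rec["src"])
    # Step 3: report accounts that cross the DC threshold and also failed at the VPN portal
    return {u: {"dc_failures": n, "vpn_failures": vpn_fail[u], "sources": sorted(sources[u])}
            for u, n in via_fw.items() if n >= threshold and vpn_fail[u] > 0}
```

Run over real exports, the same logic turns "accounts keep locking out" into a list of targeted accounts and the external addresses behind them, which is the conclusion the post describes reaching by hand.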

If your organization isn't regularly auditing its exposed services or monitoring for unusual activity, you could be leaving weaknesses open to exploitation.
