<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Bruteforce — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/bruteforce/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 22 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/bruteforce/feed.xml" rel="self" type="application/rss+xml"/><item><title>Fortra GoAnywhere MFT SSH Key Brute-Force Vulnerability (CVE-2025-14362)</title><link>https://feed.craftedsignal.io/briefs/2026-04-goanywhere-bruteforce/</link><pubDate>Wed, 22 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-goanywhere-bruteforce/</guid><description>Fortra's GoAnywhere MFT prior to 7.10.0 is vulnerable to brute-force attacks on SSH keys because the login limit is not enforced on the SFTP service when Web Users are configured to log in with an SSH Key.</description><content:encoded><![CDATA[<p>CVE-2025-14362 is a vulnerability affecting Fortra&rsquo;s GoAnywhere MFT servers prior to version 7.10.0. The vulnerability arises because the login limit is not enforced on the SFTP service when a Web User is configured to authenticate using an SSH key. This lack of enforcement allows attackers to conduct brute-force attacks against the SSH key, attempting to guess the key through repeated authentication attempts. Successful exploitation grants unauthorized access to the GoAnywhere MFT server, potentially leading to data breaches, system compromise, and other malicious activities. Defenders should prioritize patching vulnerable GoAnywhere MFT instances to version 7.10.0 or later.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a GoAnywhere MFT server running a version prior to 7.10.0.</li>
<li>Attacker determines that the GoAnywhere MFT server allows Web Users to authenticate using SSH keys.</li>
<li>Attacker attempts to authenticate to the SFTP service using a series of generated SSH keys.</li>
<li>Due to the lack of login limit enforcement, the attacker can make unlimited authentication attempts without being locked out.</li>
<li>The attacker continues brute-forcing SSH keys until a valid key is guessed, or an exploitable weakness is found.</li>
<li>Upon successful authentication, the attacker gains unauthorized access to the GoAnywhere MFT server.</li>
<li>The attacker can then upload/download arbitrary files, execute commands, and potentially move laterally within the network.</li>
<li>The final objective is to exfiltrate sensitive data or establish a persistent foothold within the target environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-14362 can lead to unauthorized access to sensitive data managed by the GoAnywhere MFT server. This could include financial records, customer data, intellectual property, and other confidential information. The number of victims is dependent on the exposure of vulnerable GoAnywhere MFT servers. Sectors commonly using MFT solutions, such as finance, healthcare, and government, are at increased risk. The impact of a successful attack can range from data breaches and financial loss to reputational damage and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Fortra GoAnywhere MFT to version 7.10.0 or later to patch CVE-2025-14362 (reference: Overview).</li>
<li>Implement rate limiting on SSH authentication attempts at the network or host level to mitigate brute-force attacks, even after patching (reference: Attack Chain).</li>
<li>Monitor SFTP logs for excessive failed authentication attempts originating from the same source IP address using a Sigma rule similar to the one provided below (reference: Rules).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>goanywhere</category><category>mft</category><category>bruteforce</category><category>ssh</category></item><item><title>Windows Remote Desktop Network Bruteforce Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/</guid><description>This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP application activity, flagging source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.</description><content:encoded><![CDATA[<p>This analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity and flagging source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity. This activity can lead to account compromise and potential ransomware deployment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker scans the network to identify systems with open RDP ports (TCP 3389).</li>
<li>The attacker initiates multiple RDP connection attempts to a target host, using a list of common usernames and passwords or compromised credentials.</li>
<li>The firewall logs each connection attempt, recording the source and destination IPs, ports, and timestamps.</li>
<li>Sysmon logs the network connections with Event ID 3.</li>
<li>The attacker continues to attempt connections, typically exceeding 10 attempts within an hour.</li>
<li>Upon successful authentication, the attacker gains unauthorized access to the target system.</li>
<li>The attacker may then install malware, move laterally, or exfiltrate sensitive data.</li>
<li>The attacker might deploy ransomware like SamSam or Ryuk, as referenced in external reports.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful RDP brute force attacks can lead to unauthorized access to systems, data breaches, malware infections, and ransomware deployment. Compromised systems can be used as a staging point for further attacks within the network. The references indicate that ransomware attacks have been delivered using RDP brute-force techniques.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure network traffic data is populating the Network_Traffic data model to enable the provided search query.</li>
<li>Deploy the Sigma rule <code>RDP Bruteforce via Network Traffic</code> to detect brute force attempts based on network connection patterns.</li>
<li>Adjust the count and duration thresholds in the detection query to tune the sensitivity for your environment.</li>
<li>Investigate source IPs identified by the detection rule as potential attackers.</li>
<li>Monitor Sysmon Event ID 3 for network connections to detect RDP brute-force attempts.</li>
<li>Review the referenced Zscaler and ReliaQuest articles for additional context and mitigation strategies.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>rdp</category><category>bruteforce</category><category>credential-access</category><category>windows</category><category>network</category></item></channel></rss>