Attackers are upping their game against the brands of Firewall/VPN all-in-one devices prominently used by smaller businesses. They aren't necessary exploiting flaws in the devices with these attacks, but weak passwords and lack of MFA. Of course, they are exploiting those other flaws wherever they can, as well.
In IT and cybersecurity, we love automation. It allows us to do so much more with what little we have. Attackers are no different. They want to get the most return on the least investment. Did you catch that business concept in there? Attackers are looking for ROI, just like you. Attackers operate like businesses in many cases.
There are a couple of fixes here that should greatly reduce your risk: stronger passwords and multi-factor authentication.
Unfortunately, MFA is not always easy on these devices. I recommend using the device's native platform first, if possible. As an example, Watchguard uses a service called AuthPoint to provide MFA. If something similar is not available from your vendor, look into a third-party service such as Duo. The downside is that third-party services often require you to run a separate server to act as a broker. This just adds another possible point of failure in your system.
Stronger passwords are simultaneously easier and more difficult. This mostly relies on the user to be a willing participant. It's easy for users to create and remember long passphrases of 20+ characters and those are the hardest for attackers to crack. What's not easy is forcing the users to do that if they aren't willing. Technical password requirements that can be enforced in these systems is usually woefully inadequate. Attackers also have password dictionaries full of passwords that meet these requirements but have been cracked anyway.
This leads us to another protective measure: limiting your attack surface by only allowing VPN access to users who actually need it. Don't grant access across the board, "just in case." If a user truly needs it, grant it. Otherwise, don't. And if you don't need a VPN at all, disable it. You may find that you needed it in the past, but are cloud-based now and no longer need it. Don't leave it there as a crutch.
If you are an active user of your VPN, you may also consider migrating to a more modern solution such as SASE (Secure Access Service Edge) or ZTNA (Zero Trust Network Access). These are two VPN-like services that have much stronger authentication and are always on, reducing the VPN hassle for your users while increasing security. A win-win.
If these solutions don't work for you, let us know. We'd be happy to help you shore up your remote access security or redesign it altogether.
