
Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials

16 April 2024 at 12:00
Cisco Talos would like to acknowledge Brandon White of Cisco Talos and Phillip Schafer, Mike Moran, and Becca Lynch of the Duo Security Research team for their research that led to the identification of these attacks.

Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.

These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies.

Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise. Known affected services are listed below. However, additional services may be impacted by these attacks.

  • Cisco Secure Firewall VPN
  • Checkpoint VPN
  • Fortinet VPN
  • SonicWall VPN
  • RD Web Services
  • Mikrotik
  • Draytek
  • Ubiquiti

The brute-forcing attempts use generic usernames and valid usernames for specific organizations. The targeting of these attacks appears to be indiscriminate and not directed at a particular region or industry. The source IP addresses for this traffic are commonly associated with proxy services, which include, but are not limited to:

  • TOR
  • VPN Gate
  • IPIDEA Proxy
  • BigMama Proxy
  • Space Proxies
  • Nexus Proxy
  • Proxy Rack

The list provided above is non-exhaustive, as additional services may be utilized by threat actors.

Due to the significant increase and high volume of traffic, we have added the known associated IP addresses to our blocklist. It is important to note that the source IP addresses for this traffic are likely to change.
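Because the source addresses rotate, defenders should not rely on IP blocklists alone. The following added example (not Cisco Talos code) shows a detection pass over constructed sshd log lines that flags a source both by behaviour (many distinct usernames failing from one IP, which fits the generic-plus-valid-username pattern described above) and by membership in an assumed proxy/TOR egress list; the log lines, the egress set and the threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log lines; not taken from the advisory.
SAMPLE_LOG = """\
Apr 16 10:01:02 vpn01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 16 10:01:04 vpn01 sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Apr 16 10:01:06 vpn01 sshd[2205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Apr 16 10:01:08 vpn01 sshd[2207]: Failed password for jsmith from 203.0.113.5 port 51250 ssh2
Apr 16 10:01:10 vpn01 sshd[2209]: Failed password for invalid user guest from 203.0.113.5 port 51252 ssh2
Apr 16 10:02:00 vpn01 sshd[2211]: Failed password for jsmith from 198.51.100.7 port 40001 ssh2
Apr 16 10:02:30 vpn01 sshd[2213]: Accepted password for jsmith from 198.51.100.7 port 40001 ssh2
Apr 16 10:03:00 vpn01 sshd[2215]: Failed password for invalid user admin from 192.0.2.9 port 33333 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed stand-in for a feed of TOR exit nodes / proxy egress addresses.
KNOWN_PROXY_EGRESS = {"203.0.113.5"}

def summarize_failures(log_text):
    """Map each source IP to the set of usernames that failed authentication from it."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].add(m.group("user"))
    return failures

def flag_spray_sources(log_text, min_distinct_users=3, proxy_egress=KNOWN_PROXY_EGRESS):
    """Return {ip: [reasons]} for sources that look like credential spraying:
    many distinct usernames from one IP, and/or an IP on the proxy/TOR egress list."""
    flagged = {}
    for ip, users in summarize_failures(log_text).items():
        reasons = []
        if len(users) >= min_distinct_users:
            reasons.append(f"{len(users)} distinct usernames tried")
        if ip in proxy_egress:
            reasons.append("source is a known proxy/TOR egress")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, reasons in flag_spray_sources(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

A single failed login followed by success from the same address (198.51.100.7 above) is left alone, so the username-spread heuristic keeps working even after the egress list goes stale.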

Guidance

As these attacks target a variety of VPN services, mitigations will vary depending on the affected service. For Cisco remote access VPN services, guidance and recommendations can be found in a recent Cisco support blog:

Best Practices Against Password Spray Attacks Impacting Remote Access VPN Services

IOCs

We are including the usernames and passwords used in these attacks in the IOCs for awareness. IP addresses and credentials associated with these attacks can be found in our GitHub repository here.
