Auth Lab Community

“Cisco Warns of Large-Scale Brute-Force Attacks on VPN Services Worldwide”

Title: Global Networks Facing Large-Scale Credential Cyberattacks on VPN and SSH Services

In recent days, a surge of large-scale credential brute-force attacks has been targeting the VPN and SSH services exposed by devices from Cisco, Check Point, Fortinet, SonicWall, and Ubiquiti.

In a credential brute-force attack, the attacker repeatedly attempts to log in to an account or device with many username and password combinations until a valid pair is found. Once armed with working credentials, threat actors can take over the device or gain unauthorized access to the internal network behind it.

According to Cisco Talos, the new brute-force activity uses a mix of organization-specific usernames and generic employee usernames. Researchers first observed the attacks on March 18, 2024, with all of the traffic originating from Tor exit nodes and a range of other anonymizing tunnels and proxy services, which the threat actors use to evade attribution and IP-based blocking.

Cisco Talos’ report warns that, depending on the target environment, such attacks can lead to unauthorized network access, account lockouts, or denial-of-service conditions. The volume of traffic associated with the attacks has been growing over time and may continue to rise.

Anonymization services seen in the attacks include Tor, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxy, Nexus Proxy, and Proxy Rack. The Talos report lists eight targeted services: Cisco Secure Firewall VPN, Check Point VPN, Fortinet VPN, SonicWall VPN, RD Web Services, MikroTik, DrayTek, and Ubiquiti.

The campaign does not appear to focus on any particular industry or region, which points to indiscriminate, opportunistic targeting rather than a chosen set of victims.

On GitHub, the Talos team published a list of Indicators of Compromise (IoCs) for this activity, containing the attacker IP addresses (for inclusion in blocklists) and the lists of usernames and passwords used in the brute-force attempts.

In late March, Cisco issued a separate warning about a wave of password-spraying attacks against Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices. Password spraying differs from classic brute force: instead of running an extensive dictionary against one account, the attacker tries a small set of commonly used passwords across many usernames, which is effective against weak passwords and keeps each individual account below lockout thresholds.
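The distinction above (many passwords against one user versus a few passwords against many users) is also what a defender can key on when the attacker's source IP is hidden behind proxies: the per-source pattern of failed logins still differs. The following Python script is an added example written for this page, not code from Cisco Talos or any vendor. It parses a constructed auth log in an assumed "timestamp src_ip username result" format, labels each source IP as password spraying or brute force using a sliding window and threshold values that are assumptions, flags sources that then succeed, and checks each source against a constructed blocklist standing in for the published IoC list (all addresses are documentation ranges, not real indicators).

```python
"""Triage failed VPN/SSH logins per source IP: password spray vs brute force,
successful login after a burst of failures, and IoC blocklist membership."""

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Line format is an assumption:
# "<ISO-8601 timestamp> <source ip> <username> <FAIL|OK>".
SAMPLE_LOG = """\
2024-04-15T10:00:01Z 203.0.113.5 alice FAIL
2024-04-15T10:00:02Z 203.0.113.5 bob FAIL
2024-04-15T10:00:03Z 203.0.113.5 carol FAIL
2024-04-15T10:00:04Z 203.0.113.5 dave FAIL
2024-04-15T10:00:05Z 203.0.113.5 erin FAIL
2024-04-15T10:00:06Z 203.0.113.5 frank FAIL
2024-04-15T10:01:00Z 198.51.100.7 admin FAIL
2024-04-15T10:01:01Z 198.51.100.7 admin FAIL
2024-04-15T10:01:02Z 198.51.100.7 admin FAIL
2024-04-15T10:01:03Z 198.51.100.7 admin FAIL
2024-04-15T10:01:04Z 198.51.100.7 admin FAIL
2024-04-15T10:01:05Z 198.51.100.7 admin FAIL
2024-04-15T10:01:06Z 198.51.100.7 admin OK
2024-04-15T10:02:00Z 192.0.2.10 alice FAIL
2024-04-15T10:02:30Z 192.0.2.10 alice OK
"""

# Constructed stand-in for a published attacker-IP list; entries may be
# single addresses or CIDR ranges. Documentation ranges only.
IOC_BLOCKLIST = ["203.0.113.0/28", "198.51.100.7"]


def parse_line(line):
    ts, ip, user, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "ok": result == "OK"}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def in_blocklist(ip, blocklist):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocklist)


def classify_sources(events, window=timedelta(minutes=10), min_failures=5,
                     max_tries_per_user=2):
    """Label each source IP from its densest window of failed logins.
    Thresholds are assumed values for the example; tune them to the site."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        # Sliding window: find the largest burst of failures inside `window`
        # and the set of usernames tried in that burst.
        best_count, best_users, start = 0, set(), 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count = end - start + 1
                best_users = {f["user"] for f in fails[start:end + 1]}
        if best_count < min_failures:
            verdict = "benign"
        elif best_count / len(best_users) <= max_tries_per_user:
            verdict = "password_spray"   # few tries each, across many users
        else:
            verdict = "brute_force"      # many tries against few users
        # A success from a source that was already failing is the
        # "armed with the correct credentials" case and needs the first look.
        success_after = bool(fails) and any(
            e["ok"] and e["ts"] > fails[0]["ts"] for e in evs)
        report[ip] = {"verdict": verdict, "failures": len(fails),
                      "users": len(best_users), "success_after": success_after}
    return report


def triage(log_text, blocklist):
    report = classify_sources(parse_log(log_text))
    for ip, r in report.items():
        r["on_blocklist"] = in_blocklist(ip, blocklist)
    return report


if __name__ == "__main__":
    for ip, r in triage(SAMPLE_LOG, IOC_BLOCKLIST).items():
        print(ip, r)
```

On the sample data, 203.0.113.5 is labelled a password spray (six users, one try each) and is on the blocklist; 198.51.100.7 is labelled brute force against a single account and then logs in successfully, which is the event to escalate first; 192.0.2.10 (one typo, then success) stays benign. A real deployment would read the vendor's own log format and pull the blocklist from the published IoC file rather than an inline list.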

Security researcher Aaron Martin attributed those password-spraying attacks to a botnet he named “Brutus”, based on the observed attack patterns and targets.

Cisco’s recommendations for mitigating such attacks include tightening password policies, enforcing multi-factor authentication, and closely monitoring authentication and network activity for the patterns described above.

Whether the April brute-force campaign is connected to the earlier password-spraying activity has not been established, and Cisco has not responded to inquiries about a possible link between the two.

References:
1. Cisco Warns of Large-Scale Brute-Force Attacks Against VPN Services
2. Cisco Warns of Password-Spraying Attacks Targeting VPN Services