Cisco Talos researchers warn of large-scale credential brute-force attacks targeting multiple targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.
Below is a list of known affected services:
- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- Miktrotik
- Draytek
- Ubiquiti
Successful brute-force attacks can result in unauthorized network access, account lockouts, or denial-of-service (DoS) conditions.
These attacks originate from TOR exit nodes and anonymizing tunnels and proxies, such as:
- VPN Gate
- IPIDEA Proxy
- BigMama Proxy
- Space Proxies
- Nexus Proxy
- Proxy Rack
“The brute-forcing attempts use generic usernames and valid usernames for specific organizations. The targeting of these attacks appears to be indiscriminate and not directed at a particular region or industry.” reads the advisory published by Cisco Talos.
The malicious activity lacks a specific focus on particular industries or regions, suggesting a broader strategy of random, opportunistic attacks.
The advisory published by Talos includes a list of
indicators of compromise (IoCs) for this campaign.
securityaffairs.com
