Multiple VPN, SSH services targeted in mass brute-force attacks
Cisco has observed a significant surge in brute-force attacks targeting VPN services, web application authentication, and SSH services. These attacks, reported by Cisco's Talos unit, have been escalating since at least March 18, 2024.
What's happening?
Threat actors are launching mass brute-force attacks, using both generic and valid usernames. These attacks are not limited to any specific region or industry; they are global and indiscriminate. The attacks originate from anonymising sources such as Tor exit nodes and various proxy services including VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack. Other similar services are likely being exploited as well.
Impact of the attacks
The consequences of these attacks can be severe. Successful brute-force attempts can lead to unauthorised access to networks, account lockouts, and denial-of-service (DoS) conditions. Among the affected services are:
- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- Mikrotik
- Draytek
- Ubiquiti
Cisco has noted a significant increase in traffic related to these attacks, indicating that the activity is likely to continue and even escalate.
What is Cisco doing?
To combat these attacks, Cisco has added the identified source IP addresses to its block list. However, they caution that these IP addresses are likely to change frequently. Cisco has also published indicators of compromise (IoCs) that include the IP addresses, usernames, and passwords associated with these attacks. These IoCs are available on GitHub for those who need to update their security measures.
Mitigation and prevention
Given the variety of VPN services being targeted, the necessary mitigations will vary. Organisations are advised to:
- Regularly update and patch their systems.
- Implement multi-factor authentication (MFA) wherever possible.
- Monitor for unusual login attempts and failed access attempts.
- Use robust password policies and educate users about the importance of secure passwords.
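The monitoring item above is the one most teams can act on immediately, so here is an added example of what "monitor for failed access attempts" looks like in practice. This is illustrative code written for this article, not Cisco or Talos tooling, and it does not use the published IoC list. It runs over a constructed set of syslog-style authentication lines (the addresses are RFC 5737 documentation ranges) and flags a source when, within a sliding window, it accumulates too many failures, tries too many distinct usernames (the generic-plus-valid username pattern described above), or succeeds after a run of failures. The log format, window size and thresholds are assumptions and should be tuned to the VPN or SSH gateway actually in use.

```python
"""Brute-force detection over constructed VPN/SSH authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a syslog-like format (not real traffic).
SAMPLE_LOG = """\
2024-03-18T10:00:01Z vpn-gw sshd: Failed password for admin from 203.0.113.7
2024-03-18T10:00:03Z vpn-gw sshd: Failed password for root from 203.0.113.7
2024-03-18T10:00:05Z vpn-gw sshd: Failed password for test from 203.0.113.7
2024-03-18T10:00:07Z vpn-gw sshd: Failed password for guest from 203.0.113.7
2024-03-18T10:00:09Z vpn-gw sshd: Failed password for jsmith from 203.0.113.7
2024-03-18T10:00:11Z vpn-gw sshd: Failed password for jsmith from 203.0.113.7
2024-03-18T10:00:20Z vpn-gw sshd: Accepted password for jsmith from 203.0.113.7
2024-03-18T10:01:00Z vpn-gw sshd: Accepted password for jsmith from 198.51.100.20
2024-03-18T10:02:00Z vpn-gw sshd: Failed password for jsmith from 198.51.100.20
2024-03-18T10:30:00Z vpn-gw sshd: Failed password for alice from 192.0.2.99
"""

# Assumed line format: "<ISO timestamp> <host> <proc>: Failed|Accepted password for <user> from <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into an event dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "failed": m["result"] == "Failed", "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, window=timedelta(minutes=5), max_failures=5, max_usernames=3):
    """Return {source_ip: set(reasons)} for sources that cross any threshold.

    Reasons:
      failure_rate           - at least max_failures failures inside one window
      username_spray         - at least max_usernames distinct usernames inside one window
      success_after_failures - an Accepted login from a flagged source after its first failure
    Thresholds and window are assumed values, not published guidance.
    """
    failures = defaultdict(list)   # ip -> [(ts, user), ...]
    successes = defaultdict(list)  # ip -> [ts, ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["failed"]:
            failures[ev["ip"]].append((ev["ts"], ev["user"]))
        else:
            successes[ev["ip"]].append(ev["ts"])

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        reasons = set()
        start = 0
        # Sliding window over the sorted failure events for this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) >= max_failures:
                reasons.add("failure_rate")
            if len({user for _, user in span}) >= max_usernames:
                reasons.add("username_spray")
        # A success from an already-flagged source is the highest-priority finding.
        if reasons and any(ts > events[0][0] for ts in successes.get(ip, [])):
            reasons.add("success_after_failures")
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {', '.join(sorted(reasons))}")
```

On the sample, only 203.0.113.7 is flagged, with all three reasons; the single failures from the other two sources stay below threshold. Because the article notes the attacks come through Tor exit nodes and proxy services whose addresses change frequently, per-source counting is a starting point rather than a complete answer: pairing it with a per-username view (many sources failing against one account) and with the Talos IoC list catches the distributed variant that a single-IP threshold misses.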
In summary, maintaining vigilance and being proactive in establishing security measures is essential as the threat landscape changes. To reduce the risk that these brute-force attacks pose, organisations need to make sure their defences are current.