Cisco warns about a large-scale credential brute-forcing campaign targeting VPN and SSH services on Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti devices worldwide.
A brute force attack is the process of attempting to log into an account or device using many usernames and passwords until the correct combination is found. Once the threat actors have the correct credentials, they can use them to hijack the device or gain access to the internal network.
According to Cisco Talos, this new brute force campaign uses a mix of valid and generic employee usernames related to specific organizations.
The researchers say the attacks started on March 18, 2024, and that all of them originate from TOR exit nodes and various other anonymization tools and proxies, which the threat actors use to evade blocks.
"Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions," warns the Cisco Talos report.
"The traffic related to these attacks has increased with time and is likely to continue to rise."
Some services used to conduct the attacks include TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack.
Cisco's researchers report that the following services are being actively targeted by this campaign:
- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- MikroTik
- Draytek
- Ubiquiti
The malicious activity lacks a specific focus on particular industries or regions, suggesting a broader strategy of random, opportunistic attacks.
The Talos team has shared a complete list of indicators of compromise (IoCs) for this activity on GitHub, including the attackers' IP addresses for inclusion in blocklists and the list of usernames and passwords used in the brute force attacks.
Possible links to earlier attacks
In late March 2024, Cisco warned about a wave of password-spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.
Password spraying attacks target many usernames with a small set of commonly used passwords, instead of brute-forcing individual accounts with a large dictionary, which makes them more effective against weak password policies.
Security researcher Aaron Martin attributed these attacks to a malware botnet called 'Brutus,' based on the observed attack patterns and targeting scope.
It remains unverified whether the attacks Cisco is warning about today are the continuation of those seen previously.
BleepingComputer contacted Cisco to clarify if the two activities are connected, but a comment wasn't immediately available.
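As an added illustration of the distinction drawn above between password spraying and dictionary brute-forcing (example code, not from Cisco Talos or the article), the following Python groups failed logins by source address and labels each source by how many distinct usernames it tried versus how hard it hit each one. The log lines, host names, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed OpenSSH-style auth log excerpt (sample data, not from the article).
SAMPLE_LOG = """\
Apr 18 10:00:01 vpn1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2
Apr 18 10:00:02 vpn1 sshd[1202]: Failed password for invalid user jsmith from 198.51.100.7 port 40112 ssh2
Apr 18 10:00:03 vpn1 sshd[1203]: Failed password for invalid user mwilson from 198.51.100.7 port 40113 ssh2
Apr 18 10:00:04 vpn1 sshd[1204]: Failed password for invalid user support from 198.51.100.7 port 40114 ssh2
Apr 18 10:00:05 vpn1 sshd[1205]: Failed password for invalid user vpnuser from 198.51.100.7 port 40115 ssh2
Apr 18 10:01:10 vpn1 sshd[1210]: Failed password for admin from 203.0.113.9 port 51000 ssh2
Apr 18 10:01:11 vpn1 sshd[1211]: Failed password for admin from 203.0.113.9 port 51001 ssh2
Apr 18 10:01:12 vpn1 sshd[1212]: Failed password for admin from 203.0.113.9 port 51002 ssh2
Apr 18 10:01:13 vpn1 sshd[1213]: Failed password for admin from 203.0.113.9 port 51003 ssh2
Apr 18 10:01:14 vpn1 sshd[1214]: Failed password for admin from 203.0.113.9 port 51004 ssh2
Apr 18 10:02:00 vpn1 sshd[1220]: Failed password for alice from 192.0.2.5 port 60000 ssh2
Apr 18 10:02:05 vpn1 sshd[1221]: Failed password for alice from 192.0.2.5 port 60001 ssh2
"""

# Matches both existing accounts and "invalid user" entries.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_failures(log_text):
    """Return {source_ip: {username: failed_attempt_count}}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    return per_ip

def classify_source(attempts_by_user, spray_min_users=5, brute_min_per_user=5):
    """Label one source's failures (thresholds are assumed, tune per environment).
    'spray'  : many distinct usernames, few tries each (password spraying)
    'brute'  : one or few usernames hammered repeatedly (dictionary brute force)
    'normal' : below both thresholds, e.g. a user mistyping a password
    """
    users = len(attempts_by_user)
    total = sum(attempts_by_user.values())
    if users >= spray_min_users and total / users < brute_min_per_user:
        return "spray"
    if max(attempts_by_user.values()) >= brute_min_per_user:
        return "brute"
    return "normal"

def detect(log_text):
    """Map each source IP in the log to its classification."""
    return {ip: classify_source(u) for ip, u in parse_failures(log_text).items()}
```

Sources labelled "spray" rarely trip per-account lockout counters, so alerting on distinct-username counts per source is what surfaces them.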
Comments
Wh1t3Ryn0 - 1 week ago
Probably nothing to do with the AT&T breach of over 51 million accounts...right?
crunchytaco - 6 days ago
This has been going on for over a year. I first spotted 2/2023 I believe. I've seen a mix of default account names, common first names, data breaches of large companies in the oil and gas sector, and data breaches of past employees within my org.