Summary: Cisco has warned about a surge in brute-force attacks targeting various devices, including VPN services, web application authentication interfaces, and SSH services, since March 18, 2024.
Threat Actor: Unknown | Brute-Force Attacks
Victim: Various organizations | Cisco
Key Point :
- The attacks have been observed targeting devices such as Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, SonicWall VPN, RD Web Services, Mikrotik, Draytek, and Ubiquiti.
- The attacks use both generic and valid usernames for specific organizations and are originating from TOR exit nodes and other anonymizing tunnels and proxies.
- Successful attacks could lead to unauthorized network access, account lockouts, or denial-of-service conditions.
- The source IP addresses for the attacks are commonly associated with proxy services like TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack.
- Cisco has provided a list of indicators associated with the attacks, including IP addresses and usernames/passwords.
- This surge in brute-force attacks follows warnings from Cisco about password spray attacks targeting remote access VPN services and reports of threat actors exploiting security flaws in routers to deliver DDoS botnet malware.
Cisco is warning about a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
“These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies,” Cisco Talos said.
Successful attacks could pave the way for unauthorized network access, account lockouts, or denial-of-service conditions, the cybersecurity company added.
The attacks, said to be broad and opportunistic, have been observed targeting the below devices –
- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- Mikrotik
- Draytek
- Ubiquiti
Cisco Talos described the brute-forcing attempts as using both generic and valid usernames for specific organizations, with the attacks indiscriminately targeting a wide range of sectors across geographies.
The source IP addresses for the traffic are commonly associated with proxy services. This includes TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack, among others.
The complete list of indicators associated with the activity, such as the IP addresses and the usernames/passwords, can be accessed here.
The development comes as the networking equipment major warned of password spray attacks targeting remote access VPN services as part of what it said are “reconnaissance efforts.”
It also follows a report from Fortinet FortiGuard Labs that threat actors are continuing to exploit a now-patched security flaw impacting TP-Link Archer AX21 routers (CVE-2023-1389, CVSS score: 8.8) to deliver DDoS botnet malware families like AGoent, Condi, Gafgyt, Mirai, Miori, and MooBot.
“As usual, botnets relentlessly target IoT vulnerabilities, continuously attempting to exploit them,” security researchers Cara Lin and Vincent Li said.
“Users should be vigilant against DDoS botnets and promptly apply patches to safeguard their network environments from infection, preventing them from becoming bots for malicious threat actors.”
Source: https://thehackernews.com/2024/04/cisco-warns-of-global-surge-in-brute.html
“An interesting youtube video that may be related to the article above”