Cisco security specialists are warning of brute-force attacks against VPN and SSH services on Cisco's own devices as well as on those from Check Point, Fortinet, SonicWall and Ubiquiti. The attacks aim to steal login credentials and may be linked to earlier attacks seen recently.
Cisco Talos warns users of various VPN and SSH applications of possible large-scale brute-force attacks. In these attacks, which consist of trying usernames and passwords in bulk, the attackers primarily aim to obtain valid login credentials and so gain access to the devices and the systems behind them.
In the campaign now identified, the attackers use a combination of valid and generic usernames and target specific organizations. Which organizations these are, and who is behind the attacks, is not known.
Attack on multi-vendor services
In its warning, Cisco Talos notes that since March 18 of this year the attackers have been routing their activity through a number of anonymizing and proxy services, including TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy and Proxy Rack.
The attackers are also targeting specific vendors' services. Besides Cisco's own Secure Firewall VPN, these include Check Point VPN, Fortinet VPN, SonicWall VPN, RD Web Services, and devices from Mikrotik, Draytek and Ubiquiti. The researchers stress that services from other vendors, not yet identified, may be targeted as well.
Cisco Talos has published a list of indicators of compromise on GitHub, including the source IP addresses used in the attacks, so that defenders can match them against their own logs.
Link to previous attacks
The new brute-force attacks may be linked to attacks discovered in March this year, when security experts warned of a wave of so-called password-spraying attacks specifically against Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.
Those attacks tried many usernames with a small set of commonly used passwords, rather than hammering individual accounts with large numbers of passwords as a classic brute-force attack does. Based on the attack patterns and targets, researchers have linked that campaign to the Brutus malware botnet.
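As an added example (not code from Cisco Talos or from this article), the script below shows how a defender would act on the two points above: checking failed-login sources against a published indicator list, and telling a password spray (many usernames, few attempts each) apart from a brute-force attack (many attempts against a few usernames) using only the username and source IP that authentication logs actually record. The log format, the thresholds and the indicator list are constructed for illustration; the real Talos list must be fetched from GitHub and the parser adapted to the vendor's own syslog format.

```python
"""Triage failed VPN/SSH logins: separate password spraying from classic
brute force per source IP, and cross-check sources against an indicator list.

Added example, not Cisco Talos code. Log format, thresholds and the
indicator list are constructed; adapt the regex to the real syslog format.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (syslog-like). RFC 5737 documentation addresses only.
SAMPLE_LOG = """\
2024-04-16T10:00:01Z vpn-gw auth-fail user=alice src=203.0.113.10
2024-04-16T10:00:02Z vpn-gw auth-fail user=bob src=203.0.113.10
2024-04-16T10:00:03Z vpn-gw auth-fail user=carol src=203.0.113.10
2024-04-16T10:00:04Z vpn-gw auth-fail user=dave src=203.0.113.10
2024-04-16T10:00:05Z vpn-gw auth-fail user=erin src=203.0.113.10
2024-04-16T10:01:00Z vpn-gw auth-fail user=admin src=198.51.100.7
2024-04-16T10:01:01Z vpn-gw auth-fail user=admin src=198.51.100.7
2024-04-16T10:01:02Z vpn-gw auth-fail user=admin src=198.51.100.7
2024-04-16T10:01:03Z vpn-gw auth-fail user=admin src=198.51.100.7
2024-04-16T10:01:04Z vpn-gw auth-fail user=root src=198.51.100.7
2024-04-16T10:01:05Z vpn-gw auth-fail user=root src=198.51.100.7
2024-04-16T10:02:00Z vpn-gw auth-fail user=admin src=203.0.113.77
2024-04-16T10:02:01Z vpn-gw auth-fail user=admin src=203.0.113.78
2024-04-16T10:05:00Z vpn-gw auth-fail user=alice src=192.0.2.44
2024-04-16T10:05:30Z vpn-gw auth-fail user=alice src=192.0.2.44
2024-04-16T10:06:00Z vpn-gw auth-ok user=alice src=192.0.2.44
"""

# Constructed indicator list (NOT the Talos list), one IP per line, '#' comments.
SAMPLE_INDICATORS = """\
# constructed indicators for the example
198.51.100.7
203.0.113.99
not-an-ip
"""

FAIL_RE = re.compile(r"auth-fail\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)")


def parse_failures(text):
    """Return (user, src) for every failed-login line; successes are ignored."""
    matches = (FAIL_RE.search(line) for line in text.splitlines())
    return [(m.group("user"), m.group("src")) for m in matches if m]


def load_indicators(text):
    """Parse an IP-per-line list, skipping blanks, comments and malformed entries."""
    ips = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue  # one bad line must not drop the whole feed
    return ips


def classify_sources(events, min_attempts=5, spray_ratio=0.8):
    """Label each source IP by the shape of its failures.

    spray:       many distinct usernames, about one attempt each
                 (distinct users / attempts >= spray_ratio)
    brute-force: repeated attempts against a few usernames
    benign:      fewer than min_attempts failures (ordinary typos)
    """
    users_by_src = defaultdict(list)
    for user, src in events:
        users_by_src[src].append(user)
    verdicts = {}
    for src, users in users_by_src.items():
        attempts, distinct = len(users), len(set(users))
        if attempts < min_attempts:
            verdicts[src] = "benign"
        elif distinct / attempts >= spray_ratio:
            verdicts[src] = "spray"
        else:
            verdicts[src] = "brute-force"
    return verdicts


def targeted_users(events, min_sources=3):
    """Usernames hit from at least min_sources distinct IPs: catches a spray
    spread across rotating proxies that per-source thresholds would miss."""
    srcs_by_user = defaultdict(set)
    for user, src in events:
        srcs_by_user[user].add(src)
    return {u for u, s in srcs_by_user.items() if len(s) >= min_sources}


def match_indicators(events, indicator_ips):
    """Source IPs from the log that also appear on the indicator list."""
    return {src for _, src in events} & set(indicator_ips)


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    for src, verdict in sorted(classify_sources(evts).items()):
        print(f"{src:15} {verdict}")
    print("targeted users:", targeted_users(evts))
    print("on indicator list:", match_indicators(evts, load_indicators(SAMPLE_INDICATORS)))
```

Two design points matter here. Logs record the username and the source, never the password tried, so the spray-versus-brute-force distinction has to be inferred from username diversity per source. And because the attackers route through the proxy and anonymizing services named above, a single spray is spread across many source IPs, each of which may stay under any per-source threshold; the `targeted_users` view, which aggregates by username across sources, is what surfaces that case, and the IoC match is a cheap first pass rather than a substitute for either.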