Cisco has issued a warning regarding a notable increase in brute-force attacks targeting a variety of devices since March 18, 2024. These attacks specifically affect Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services. Cisco Talos reports that the origins of these attacks can largely be traced back to TOR exit nodes, along with various anonymizing tunnels and proxies.
The potential consequences of these attacks are significant. Organizations may experience unauthorized access to their networks, account lockouts, or even denial-of-service incidents, placing critical services at risk. Notably, the attacks have demonstrated a broad, opportunistic nature, affecting diverse sectors across multiple regions.
The targeted devices include Cisco Secure Firewall VPN, Check Point VPN, Fortinet VPN, and SonicWall VPN, along with RD Web Services and products from MikroTik, Draytek, and Ubiquiti. Cisco Talos noted that the brute-force attempts use both generic usernames and usernames that are valid for specific organizations, so a source should not be dismissed as untargeted noise simply because its first guesses look generic.
The source IP addresses associated with these attacks are frequently linked to anonymizing services including TOR, VPN Gate, and IPIDEA Proxy, indicating a deliberate effort to obscure the attackers' true origin. In MITRE ATT&CK terms the activity is Brute Force (T1110, a Credential Access technique, with Password Spraying as sub-technique T1110.003), not credential dumping (T1003), which extracts stored credentials from a host that is already compromised; a successful guess is then used for Initial Access through Valid Accounts (T1078), giving the attacker a foothold in the environment.
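The two observable patterns described above, guesses spread across many usernames from one source (spraying) versus many guesses against one account (classic brute force), can be separated directly in authentication logs. The following detector is an added example and is not code from Cisco Talos or the original article. The sshd log lines, IP addresses, usernames and the `ANONYMIZER_IPS` set are constructed for illustration; in practice that set would be populated from the Talos indicator list or the Tor Project's published exit-node list.

```python
"""Classify SSH authentication failures as password spray or brute force.

Added example, not code from Cisco Talos or the original article. All
sample data below is constructed: hosts, IPs (RFC 5737 documentation
ranges), usernames and the anonymizer list are hypothetical.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, Tuple

# Constructed sshd lines in syslog format (hypothetical host "vpn-gw").
SAMPLE_LOG = """\
Mar 18 03:14:01 vpn-gw sshd[2211]: Failed password for invalid user admin from 203.0.113.10 port 51822 ssh2
Mar 18 03:14:03 vpn-gw sshd[2212]: Failed password for invalid user test from 203.0.113.10 port 51830 ssh2
Mar 18 03:14:05 vpn-gw sshd[2213]: Failed password for invalid user guest from 203.0.113.10 port 51834 ssh2
Mar 18 03:14:07 vpn-gw sshd[2214]: Failed password for jsmith from 203.0.113.10 port 51840 ssh2
Mar 18 03:14:09 vpn-gw sshd[2215]: Failed password for invalid user oracle from 203.0.113.10 port 51844 ssh2
Mar 18 03:20:00 vpn-gw sshd[2301]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 18 03:20:01 vpn-gw sshd[2302]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 18 03:20:02 vpn-gw sshd[2303]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 18 03:20:03 vpn-gw sshd[2304]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar 18 03:20:04 vpn-gw sshd[2305]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar 18 03:20:05 vpn-gw sshd[2306]: Failed password for root from 198.51.100.7 port 40006 ssh2
Mar 18 03:25:00 vpn-gw sshd[2400]: Failed password for jsmith from 192.0.2.44 port 33000 ssh2
Mar 18 03:25:30 vpn-gw sshd[2401]: Accepted password for jsmith from 192.0.2.44 port 33001 ssh2
"""

# Constructed stand-in for a Tor exit / proxy indicator list (hypothetical).
ANONYMIZER_IPS = {"203.0.113.10", "198.51.100.7"}

# Matches both "Failed password for bob from ..." and
# "Failed password for invalid user bob from ..." as written by OpenSSH.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (source_ip, username) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def classify_sources(lines: Iterable[str], min_attempts: int = 5,
                     spray_ratio: float = 0.6,
                     anonymizers=ANONYMIZER_IPS) -> Dict[str, dict]:
    """Return a report per source IP with at least min_attempts failures.

    kind is "spray" when most attempts hit distinct usernames (few guesses
    per account, staying under lockout thresholds) and "brute_force" when
    attempts concentrate on a few accounts (the lockout / DoS risk).
    """
    attempts = defaultdict(list)
    for ip, user in parse_failures(lines):
        attempts[ip].append(user)
    report = {}
    for ip, users in attempts.items():
        n = len(users)
        if n < min_attempts:
            continue
        distinct = len(set(users))
        kind = "spray" if distinct / n >= spray_ratio else "brute_force"
        report[ip] = {
            "attempts": n,
            "distinct_users": distinct,
            "kind": kind,
            "anonymizer": ip in anonymizers,
            "users": sorted(set(users)),
        }
    return report


def lockout_candidates(lines: Iterable[str], threshold: int = 5) -> Dict[str, int]:
    """Accounts whose total failures across all sources reach the lockout threshold."""
    per_user = defaultdict(int)
    for _ip, user in parse_failures(lines):
        per_user[user] += 1
    return {u: c for u, c in per_user.items() if c >= threshold}


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for ip, info in classify_sources(log).items():
        print(f"{ip}: {info['kind']} ({info['attempts']} attempts, "
              f"{info['distinct_users']} users, anonymizer={info['anonymizer']})")
    print("lockout candidates:", lockout_candidates(log))
```

Against the sample, 203.0.113.10 is reported as a spray (five attempts across five usernames, one of them the organization-specific `jsmith`) and 198.51.100.7 as brute force (six attempts against `root`), while 192.0.2.44 stays below the threshold; `root` is the only account that reaches the lockout count. The per-account view matters because a lockout policy that stops brute force does nothing against a spray that stays under the threshold, and an attacker who deliberately trips lockouts turns the policy itself into the denial of service mentioned above.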
For security professionals, understanding the implications of this surge is critical. Cisco has also highlighted ongoing password spray attacks against remote access VPN services, which it said may indicate reconnaissance by threat actors ahead of further activity. Separately, a report from Fortinet FortiGuard Labs notes that attackers are exploiting a previously patched vulnerability in TP-Link routers to deploy DDoS botnet malware such as Mirai and related families, underscoring how persistently botnet operators exploit Internet of Things (IoT) devices that remain unpatched.
Security researchers urge organizations to apply patches promptly and to put protective measures in place against these evolving threats. The MITRE ATT&CK framework also lists the tactics that typically follow a successful login, such as privilege escalation and persistence, a reminder that attackers who obtain valid credentials generally seek long-term access to the compromised systems rather than a single session.
For those interested, a detailed list of indicators linked to these brute-force activities, including the source IP addresses and the usernames and passwords attempted, is available for review. Timely action, including blocking or closely monitoring those sources and checking authentication logs for the listed usernames, is essential in safeguarding network environments against these attacks.