Ukrainian Network FDN3 Conducts Widespread Brute-Force Attacks on SSL VPN and RDP Devices

Date: Sep 02, 2025
Category: Cyber Attack / Botnet

Cybersecurity experts have identified a Ukrainian IP network engaging in extensive brute-force and password spraying campaigns against SSL VPN and RDP devices between June and July 2025. The operations are traced back to the Ukraine-based autonomous system FDN3 (AS211736), according to French cybersecurity firm Intrinsec. “We have high confidence that FDN3 is part of a larger malicious infrastructure that includes two other Ukrainian networks, VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), as well as a Seychelles-based system, TK-NET (AS210848),” the report stated. “All of these were allocated in August 2021 and frequently exchange IPv4 prefixes to bypass blocklisting and sustain their abusive operations.” AS61432 currently announces a single prefix, 185.156.72[.]0/24, while AS210950 has two prefixes: 45.143.201[.]0/24 and 185.193.89[.]0/24. These autonomous systems were allocated in May…

Ukrainian Network FDN3 Targets SSL VPN and RDP Devices with Coordinated Brute-Force Attacks

On September 2, 2025, cybersecurity experts reported significant brute-force and password spraying campaigns linked to a Ukrainian IP network known as FDN3 (AS211736). These attacks were specifically aimed at SSL VPN and Remote Desktop Protocol (RDP) devices during a concentrated period from June to July 2025. The network’s origins trace back to an autonomous system in Ukraine, highlighting a concerning trend in the tactics employed by cyber adversaries in the region.

According to findings released by the French cybersecurity firm Intrinsec, there is a strong indication that FDN3 is part of a larger infrastructure that includes two additional Ukrainian networks, VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), as well as a Seychelles-based system known as TK-NET (AS210848). All components of this malicious infrastructure were allocated in August 2021, and they have been found to frequently exchange IPv4 prefixes among themselves. This collaboration allows them to circumvent blocklisting measures and maintain their illicit activities.

Specifically, AS61432 currently broadcasts a single prefix, 185.156.72[.]0/24, while AS210950 operates two prefixes, 45.143.201[.]0/24 and 185.193.89[.]0/24. The presence of these networks raises alarm over the potential scale of coordinated cyber operations that could impact numerous organizations relying on secure communication channels.

The primary targets of these attacks are SSL VPNs and RDP devices, which are critical for remote access, particularly in an increasingly digital work environment. Given the rise in remote work, attackers often focus on these services due to their importance in business continuity. If successful, such brute-force attacks can lead to unauthorized access to sensitive data and critical business systems.

From a tactical perspective, the activities associated with FDN3 align with several adversary techniques outlined in the MITRE ATT&CK framework. Initial access could be achieved through password spraying, utilizing compromised credentials to infiltrate systems. Furthermore, persistence is a key concern, as attackers may establish backdoors that allow continued access even after initial detection. Privilege escalation techniques could also come into play, enabling attackers to exploit small entry points to gain broader access within an organization’s infrastructure.

As businesses navigate the complexities of cybersecurity threats, the case of FDN3 emphasizes the need for robust security protocols and diligent monitoring of remote access technologies. Organizations must remain vigilant, implementing strong authentication mechanisms and staying informed about potential risks associated with VPN and RDP services. With the increasing sophistication of cyber-attacks, understanding the tactics employed by adversaries can empower business owners to adopt proactive measures against potential breaches.

The implications of this coordinated attack are extensive, highlighting the vulnerabilities inherent in remote access solutions. As the cyber landscape continues to evolve, collaboration between cybersecurity professionals and informed decision-making by business leaders will be crucial in thwarting such threats.

Source link

Related Posts

Researchers Raise Alarm Over MystRodX Backdoor Utilizing DNS and ICMP Triggers for Covert Control

Sep 02, 2025 – Cyber Espionage / Network Security

Cybersecurity experts have revealed a new stealthy backdoor named MystRodX, designed to capture sensitive information from compromised systems. According to a report from QiAnXin XLab, “MystRodX is a typical backdoor developed in C++, featuring capabilities such as file management, port forwarding, reverse shell, and socket management.” The report highlights that MystRodX distinguishes itself from standard backdoors through its exceptional stealth and versatility. Also referred to as ChronosRAT, this malware was initially documented by Palo Alto Networks Unit 42 last month, linked to a threat activity cluster named CL-STA-0969, which shows connections to a China-based cyber espionage group called Liminal Panda. Its stealthy nature is enhanced by multiple layers of encryption that obscure both the source code and payloads, while its flexibility allows it to dynamically activate different functionalities based on configuration settings, including the choice between TCP or HTTP for network communication.

Lazarus Group Enhances Malware Toolkit with PondRAT, ThemeForestRAT, and RemotePE

Sep 02, 2025
Malware / Threat Intelligence

The North Korea-linked threat actor, Lazarus Group, has been linked to a social engineering campaign that distributes three new cross-platform malware variants: PondRAT, ThemeForestRAT, and RemotePE. This attack, observed by NCC Group’s Fox-IT in 2024, specifically targeted an organization within the decentralized finance (DeFi) sector, resulting in the breach of an employee’s system.

“As the actor accessed the internal network, they utilized various RATs along with other tools to collect credentials and establish proxy connections,” noted Yun Zheng Hu and Mick Koomen. “Subsequently, the attacker transitioned to a more stealthy RAT, indicating a potential progression in their attack strategy.”

The attack began with the threat actor impersonating a current employee of a trading firm via Telegram and using counterfeit websites resembling Calendly and Picktime to arrange a meeting with the target. Although the initial steps were…

Salesloft Shuts Down Drift Temporarily Following OAuth Token Theft Affecting Numerous Organizations

 
Sep 03, 2025
Data Breach / Threat Intelligence

Salesloft announced on Tuesday the temporary suspension of Drift, slated to occur “in the very near future,” due to an extensive supply chain attack impacting multiple companies. This breach has led to the widespread theft of authentication tokens linked to the marketing software-as-a-service platform. The company stated, “This action will allow us to thoroughly review the application and enhance its resilience and security before restoring full functionality.” Consequently, the Drift chatbot on customer websites will be offline, and Drift itself will not be accessible. Salesloft emphasized its commitment to preserving the integrity and security of its systems and customers’ data, collaborating with cybersecurity partners Mandiant and Coalition as part of their incident response strategy. This announcement follows a disclosure from Google Threat Intelligence Group (GTIG) and Mandiant regarding the ongoing threats.

CISA Includes TP-Link and WhatsApp Vulnerabilities in KEV Catalog Due to Ongoing Exploitation

September 3, 2025
Vulnerability / Mobile Security

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability affecting TP-Link TL-WA855RE Wi-Fi Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing signs of active exploitation. The vulnerability, identified as CVE-2020-24363 (CVSS score: 8.8), involves a missing authentication flaw that can be exploited to gain elevated access to the device. CISA noted that “this vulnerability could enable an unauthenticated attacker on the same network to send a TDDP_RESET POST request for a factory reset and reboot,” allowing them to establish incorrect access control by setting a new administrative password. According to malwrforensics, the issue has been addressed in firmware version TL-WA855RE(EU)_V5_200731. However, it’s important to mention that this product has reached end-of-life (EoL) status, making future patches or updates unlikely. Users of the Wi-Fi range extender are therefore advised to take caution.