Cisco: Large-Scale Brute-Forcing Campaign Hits VPN and SSH Services Worldwide
Cisco Talos Issues Warning on Widespread Brute-Force Campaign Targeting VPN and SSH Services
A sweeping brute-force campaign targeting VPN and SSH services worldwide has been detected by Cisco Talos, raising concerns about potential unauthorized network access and security breaches.
The campaign, which commenced on March 18, 2024, uses a combination of valid employee usernames associated with specific organizations and generic usernames. Attackers route their login attempts through TOR exit nodes and a range of anonymization tools and proxies to evade detection and bypass blocklists.
Cisco Talos warns that successful attacks of this nature could lead to unauthorized network access, account lockouts, or denial-of-service conditions. The volume of related attack traffic has been increasing over time, indicating ongoing and escalating threats.
The attackers’ arsenal includes a range of services such as TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack.
Specific services targeted by this campaign include:
- Cisco Secure Firewall VPN
- Check Point VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- MikroTik
- DrayTek
- Ubiquiti devices
This broad-spectrum campaign shows no specific industry or regional focus, suggesting an indiscriminate, opportunistic strategy of compromising whatever exposed devices accept weak or reused credentials.
Cisco’s Talos team has shared a comprehensive list of indicators of compromise (IoCs) on GitHub, including attackers’ IP addresses for inclusion in blocklists and the list of usernames and passwords used in the brute-force attacks.
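As an added illustration (not code from Talos or from this article), the script below applies the campaign traits described above to constructed OpenSSH auth log lines: many failures from one source, spraying of generic and valid usernames, a success following repeated failures, and a source that appears in a published IoC blocklist. The log lines, the BLOCKLIST entries and the thresholds are constructed placeholders; a real deployment would load the Talos GitHub IoC list in place of BLOCKLIST.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (not real data).
SAMPLE_LOG = """\
Mar 18 04:12:01 vpn-gw sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 18 04:12:02 vpn-gw sshd[2211]: Failed password for invalid user test from 203.0.113.5 port 40123 ssh2
Mar 18 04:12:03 vpn-gw sshd[2211]: Failed password for jsmith from 203.0.113.5 port 40124 ssh2
Mar 18 04:12:09 vpn-gw sshd[2215]: Failed password for jsmith from 198.51.100.7 port 51000 ssh2
Mar 18 04:12:12 vpn-gw sshd[2215]: Failed password for jsmith from 198.51.100.7 port 51001 ssh2
Mar 18 04:12:15 vpn-gw sshd[2215]: Accepted password for jsmith from 198.51.100.7 port 51002 ssh2
Mar 18 04:13:00 vpn-gw sshd[2220]: Failed password for alice from 192.0.2.44 port 33001 ssh2
Mar 18 04:13:30 vpn-gw sshd[2221]: Accepted publickey for alice from 192.0.2.44 port 33002 ssh2
"""
# Hypothetical blocklist standing in for the Talos-published IoC IPs (placeholder values).
BLOCKLIST = {"198.51.100.7"}

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def analyze(log_text, blocklist, fail_threshold=3, user_spread=3):
    """Aggregate sshd auth events per source IP; flag failure volume, username
    spraying, a success after repeated failures, and IoC blocklist hits."""
    per_ip = defaultdict(lambda: {"fails": 0, "users": set(), "success_after_fail": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        if m["result"] == "Failed":
            rec["fails"] += 1
            rec["users"].add(m["user"])
        elif rec["fails"] >= 2:  # a single typo then success is normal user behaviour
            rec["success_after_fail"] = True
    findings = {}
    for ip, rec in per_ip.items():
        reasons = []
        if rec["fails"] >= fail_threshold:
            reasons.append("failure_volume")
        if len(rec["users"]) >= user_spread:
            reasons.append("username_spray")
        if rec["success_after_fail"]:
            reasons.append("success_after_failures")
        if ip in blocklist:
            reasons.append("ioc_blocklist_match")
        if reasons:
            findings[ip] = reasons
    return findings
```

A source flagged with `success_after_failures` deserves immediate review, since it indicates the brute force may have found a working credential rather than merely causing lockouts.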