Global Brute-Force Attacks Spike: Cisco Issues Warning

Organizations worldwide are at risk after Cisco Talos researchers discovered a large-scale credential stuffing campaign targeting VPN and SSH services on devices from vendors including Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti.

The campaign uses brute force, automatically trying many username and password combinations to gain unauthorized access to devices and the internal networks behind them. The attackers combine generic usernames with valid employee usernames belonging to specific organizations.


According to the researchers, the attacks began on March 18, 2024. They originate from TOR exit nodes and a range of anonymizing tools and proxies, which help the attackers evade detection.

“Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise,” warns Cisco Talos.

The services used to conduct the attacks include TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack.

The list of actively targeted services includes:

  • Cisco Secure Firewall VPN;
  • Checkpoint VPN;
  • Fortinet VPN;
  • SonicWall VPN;
  • RD Web Services;
  • MikroTik;
  • Draytek;
  • Ubiquiti.

The attacks are not concentrated in any particular industry or region, indicating an indiscriminate, opportunistic strategy rather than targeted intrusions.

The Talos team has published a complete list of Indicators of Compromise (IoCs) on GitHub, including the attackers' IP addresses and the usernames and passwords used in the brute force attempts.

In late March 2024, Cisco had already warned of a wave of attacks specifically targeting remote access VPN services on Cisco Secure Firewall devices. These attacks are particularly effective against weak password policies, because the attackers try a small set of commonly used passwords across many usernames rather than many passwords against one account.
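The two patterns described above, a few common passwords tried across many usernames (password spraying) versus many attempts against one account, leave different traces in authentication logs, and a defender can tell them apart by counting distinct usernames per source within a time window. The following Python example is added here to illustrate that detection logic together with a lookup against a published IoC list; it is not code from Cisco Talos or from the article. It assumes OpenSSH-style syslog lines (the sample log is constructed, as is the `KNOWN_BAD_IPS` placeholder set; the real attacker IP list is the one Talos published on GitHub), and the thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in OpenSSH/syslog format; not real traffic.
# 203.0.113.10 sprays several usernames with few attempts each, then lands one.
# 198.51.100.7 is a legitimate user mistyping once.
# 192.0.2.55 hammers a single account (classic brute force).
SAMPLE_LOG = """\
Mar 18 10:00:01 vpn-gw sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 51000 ssh2
Mar 18 10:00:03 vpn-gw sshd[1002]: Failed password for invalid user test from 203.0.113.10 port 51001 ssh2
Mar 18 10:00:05 vpn-gw sshd[1003]: Failed password for jsmith from 203.0.113.10 port 51002 ssh2
Mar 18 10:00:07 vpn-gw sshd[1004]: Failed password for invalid user guest from 203.0.113.10 port 51003 ssh2
Mar 18 10:00:09 vpn-gw sshd[1005]: Failed password for mjones from 203.0.113.10 port 51004 ssh2
Mar 18 10:00:11 vpn-gw sshd[1006]: Failed password for invalid user user from 203.0.113.10 port 51005 ssh2
Mar 18 10:00:13 vpn-gw sshd[1007]: Accepted password for mjones from 203.0.113.10 port 51006 ssh2
Mar 18 10:01:00 vpn-gw sshd[1008]: Failed password for jsmith from 198.51.100.7 port 40000 ssh2
Mar 18 10:01:02 vpn-gw sshd[1009]: Accepted password for jsmith from 198.51.100.7 port 40000 ssh2
Mar 18 11:30:00 vpn-gw sshd[1010]: Failed password for root from 192.0.2.55 port 60000 ssh2
Mar 18 11:30:02 vpn-gw sshd[1011]: Failed password for root from 192.0.2.55 port 60001 ssh2
Mar 18 11:30:04 vpn-gw sshd[1012]: Failed password for root from 192.0.2.55 port 60002 ssh2
Mar 18 11:30:06 vpn-gw sshd[1013]: Failed password for root from 192.0.2.55 port 60003 ssh2
Mar 18 11:30:08 vpn-gw sshd[1014]: Failed password for root from 192.0.2.55 port 60004 ssh2
"""

# Placeholder IoC set (constructed). In practice, load the attacker IP list
# that Talos published on GitHub.
KNOWN_BAD_IPS = {"203.0.113.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or None if it is not a password event.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def parse_log(text, year=2024):
    return [ev for ev in (parse_line(l, year) for l in text.splitlines()) if ev]


def classify_sources(events, window=timedelta(minutes=10),
                     min_failures=5, spray_min_users=4):
    """Return {ip: (kind, usernames)} for every source whose failed logins
    within `window` reach `min_failures`. Many distinct usernames from one
    source means password spraying; few usernames means single-account
    brute force. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            by_ip[ev["ip"]].append(ev)
    verdicts = {}
    for ip, fails in by_ip.items():
        recent = deque()  # sliding window of failures for this source
        for ev in sorted(fails, key=lambda e: e["ts"]):
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= min_failures:
                users = sorted({e["user"] for e in recent})
                kind = "password_spray" if len(users) >= spray_min_users else "brute_force"
                verdicts[ip] = (kind, users)
                break  # one verdict per source is enough for an alert
    return verdicts


def ioc_hits(events, bad_ips):
    """Source IPs seen in the log that appear on the IoC list."""
    return sorted({ev["ip"] for ev in events if ev["ip"] in bad_ips})


def successes_from(events, ips):
    """Accepted logins from flagged sources: the accounts that need attention
    first, since a spray only matters once one guess succeeds."""
    return [(ev["ip"], ev["user"]) for ev in events
            if ev["result"] == "Accepted" and ev["ip"] in ips]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(events)
    for ip, (kind, users) in verdicts.items():
        print(f"{ip}: {kind}; usernames tried: {', '.join(users)}")
    print("IoC matches:", ioc_hits(events, KNOWN_BAD_IPS))
    print("Successful logins from flagged sources:", successes_from(events, set(verdicts)))
```

The spraying source is flagged after five failures spread over five different usernames, while the single-account source is flagged as plain brute force; the legitimate user with one typo is never reported. The last check is the one that matters for response: an accepted login from a source that was just spraying identifies the account to lock and the session to terminate, and the same windowed counting is what drives account lockout and rate limiting on the gateway.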

A connection between the earlier attacks and the current campaign has not yet been confirmed, but researchers are working to confirm or rule out a link between the two as quickly as possible.