Cisco warns of large-scale brute-force attacks against VPN services

Cisco warns about a large-scale credential brute-forcing campaign targeting VPN and SSH services on Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti devices worldwide.

A brute force attack is the process of attempting to log into an account or device using many usernames and passwords until the correct combination is found. Once they have access to the correct credentials, the threat actors can then use them to hijack a device or gain access to the internal network.

According to Cisco Talos, this new brute force campaign uses a mix of valid and generic employee usernames related to specific organizations.

The researchers say the attacks started on March 18, 2024, while all attacks originate from TOR exit nodes and various other anonymization tools and proxies, which the threat actors use to evade blocks.

"Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions," warns the Cisco Talos report.

"The traffic related to these attacks has increased with time and is likely to continue to rise."

Some services used to conduct the attacks include TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack.

Cisco's researchers report that the following services are being actively targeted by this campaign:

The malicious activity lacks a specific focus on particular industries or regions, suggesting a broader strategy of random, opportunistic attacks.

The Talos team has shared a complete list of indicators of compromise (IoCs) for this activity on GitHub, including the attackers' IP addresses for inclusion in blocklists and the list of usernames and passwords used in the brute force attacks.

Possible links to earlier attacks

In late March 2024, Cisco warned about a wave of password-spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

Password spraying attacks are more effective against weak password policies, targeting many usernames with a small set of commonly used passwords instead of large-dictionary brute-forcing.

Security researcher Aaron Martin attributed these attacks to a malware botnet called 'Brutus,' based on the observed attack patterns and targeting scope.

It remains unverified whether the attacks Cisco is warning about today are the continuation of those seen previously.

BleepingComputer contacted Cisco to clarify if the two activities are connected, but a comment wasn't immediately available.