
April 16, 2024

Brute-force campaign targeting VPN services


Cisco is sounding the alarm on an ongoing brute-force campaign targeting VPN and SSH services on CheckPoint, Fortinet, SonicWall, Ubiquiti, and Cisco devices deployed worldwide.

The campaign, which began on March 18, 2024, attempts to submit a mix of valid and generic employee usernames and passwords until the correct combination is found. If the attack is successful, the threat actor can use its newly acquired access to the device to change configurations, access data, and conduct further attacks on internal resources.

To help evade detection, the attacks are launched from IP addresses associated with The Onion Router (TOR), commercial VPNs, and proxy services such as IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus, and Proxyrack.

Source: Bleeping Computer

Analysis

Edge devices such as firewalls and gateways are popular targets for threat actors seeking initial access to targets of interest. Control of these devices could allow threat actors to gain access to more sensitive internal systems and accounts, or to use the device as a platform for launching adversary-in-the-middle attacks.

Brute-force and password-spraying attacks are relatively frequent on internet-exposed devices. Most threat actors use automation to hit as many targets as possible with frequently used passwords and other credentials leaked online.

Administrators must configure these devices with this threat in mind and enable any necessary security controls within the device to prevent these types of attacks from being successful.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for threats to VPN and SSH services. This research contributes to the timely deployment of signatures into Field Effect’s MDR to detect and mitigate these threats.

Field Effect MDR users are automatically notified when suspicious login attempts from TOR, VPN, or Proxy IPs are detected and are encouraged to review these AROs as quickly as possible via the Covalence portal.

The threat posed by brute-force and password-spraying attacks can be minimized by implementing the following security controls, amongst others:

  • Enable multi-factor authentication (MFA);
  • Enforce strong password requirements and periodic rotation;
  • Lock accounts after several failed login attempts; and
  • Implement a solution, such as Field Effect MDR, that detects and prevents logins from suspicious IPs, VPNs, and proxy services.
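The detection side of the last two controls can be illustrated with a small log-analysis script. The following is an added example, not code from Field Effect, Cisco, or any of the vendors named above. It runs over a handful of constructed authentication log lines in an assumed generic format (timestamp, service, username, source IP, result) and raises alerts for the two patterns described in the Analysis section: repeated failures from one source within a short window (brute force) and one source cycling through many usernames (password spraying). It also flags a successful login from an address on a placeholder anonymizer list, which stands in for a real TOR exit node or commercial proxy feed. Real appliances log in their own formats, so the parser and the list source are the parts a practitioner would swap out.

```python
"""Detect brute-force and password-spraying patterns in VPN/SSH auth logs.

Added example (not Field Effect's, Cisco's, or any vendor's code). The log
format, thresholds and anonymizer list below are all assumptions made for
the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). Assumed format:
# ISO timestamp, service, user=<name>, src=<ip>, result=<fail|success>.
SAMPLE_LOG = """\
2024-03-18T10:00:01Z sshd user=admin src=203.0.113.10 result=fail
2024-03-18T10:00:03Z sshd user=admin src=203.0.113.10 result=fail
2024-03-18T10:00:05Z sshd user=admin src=203.0.113.10 result=fail
2024-03-18T10:00:07Z sshd user=admin src=203.0.113.10 result=fail
2024-03-18T10:00:09Z sshd user=admin src=203.0.113.10 result=fail
2024-03-18T10:00:11Z sshd user=admin src=203.0.113.10 result=fail
2024-03-18T10:01:00Z vpn user=jsmith src=198.51.100.7 result=fail
2024-03-18T10:01:02Z vpn user=test src=198.51.100.7 result=fail
2024-03-18T10:01:04Z vpn user=vpn src=198.51.100.7 result=fail
2024-03-18T10:01:06Z vpn user=guest src=198.51.100.7 result=fail
2024-03-18T10:01:08Z vpn user=alice src=198.51.100.7 result=success
2024-03-18T10:05:00Z vpn user=bob src=192.0.2.44 result=fail
2024-03-18T10:05:30Z vpn user=bob src=192.0.2.44 result=success
"""

# Constructed placeholder standing in for a TOR exit / commercial proxy feed;
# a real deployment would populate this from a threat-intelligence source.
ANONYMIZER_IPS = {"198.51.100.7"}

FAIL_THRESHOLD = 5          # failed attempts from one source before alerting
SPRAY_USER_THRESHOLD = 3    # distinct usernames from one source before alerting
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one log line into a dict; return None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, service, user_kv, src_kv, result_kv = parts
    try:
        fields = dict(kv.split("=", 1) for kv in (user_kv, src_kv, result_kv))
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        return {"time": when, "service": service, "user": fields["user"],
                "src": fields["src"], "ok": fields["result"] == "success"}
    except (ValueError, KeyError):
        return None


def detect(log_text):
    """Return a list of (source_ip, reason) alerts found in the log text."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        tried_users = {e["user"] for e in fails}

        # Brute force: FAIL_THRESHOLD failures inside a sliding WINDOW.
        brute = any(
            fails[i + FAIL_THRESHOLD - 1]["time"] - fails[i]["time"] <= WINDOW
            for i in range(len(fails) - FAIL_THRESHOLD + 1)
        )
        if brute:
            alerts.append((src, "brute-force"))

        # Spraying: one source trying many different usernames.
        if len(tried_users) >= SPRAY_USER_THRESHOLD:
            alerts.append((src, "password-spray"))

        # A success from an anonymizer address after failures is the case
        # that most warrants an immediate review of the account and device.
        if src in ANONYMIZER_IPS and any(e["ok"] for e in evs):
            alerts.append((src, "success-from-anonymizer"))
    return alerts


if __name__ == "__main__":
    for src, reason in detect(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

On the sample data the script reports one brute-force source (six failures against a single account in ten seconds), one spraying source (four usernames from one address), and a successful login from that same anonymizer-listed address; the single failure followed by a success from 192.0.2.44 produces nothing, which is the ordinary "mistyped password" case a lockout threshold of five should not punish. The thresholds are tuned per environment, and the window-based count is what an account-lockout policy on the device itself would enforce.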
