Hackers bombard apps and VPNs with millions of connection attempts


Mélina LOUPIA

April 17, 2024 at 5:52 p.m.


A global hacking campaign is underway © khunkornStudio / Shutterstock


A report from Cisco reveals a global credential brute-force campaign targeting VPN and SSH services.

Cisco Talos security specialists warn users of various VPN and SSH applications about possible large-scale brute force attacks. Through these attacks, which involve “trying” usernames and passwords, cybercriminals primarily seek to extract login credentials in order to gain access to devices and underlying systems.

In the campaign identified by researchers on March 18, 2024, cybercriminals use a combination of valid and generic usernames, targeting specific companies. While a few names such as Cisco, CheckPoint, Fortinet, SonicWall and Ubiquiti are mentioned, it is unclear how many other companies or organizations are also affected, or which cybercriminals are behind these attacks.

The rise of brute force attacks

The campaign discovered by Cisco Talos is not an isolated threat, but a symptom of a persistent vulnerability that businesses are struggling to contain. VPN and SSH services, essential for the confidentiality and security of online exchanges, have become the preferred targets of cybercriminals. Using combinations of credentials, attackers seek to gain unauthorized access to internal networks, potentially causing account lockouts and denials of service. The steady rise in malicious traffic indicates an alarming trend, with attacks becoming more sophisticated and difficult to detect.

The services used to orchestrate these attacks are diverse and include anonymization tools such as TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack. These platforms allow cybercriminals to hide their identity and location, making it more difficult for security teams to spot and block them. The list of targeted services is long and varied, ranging from Cisco Secure Firewall VPN to RD Web Services to Ubiquiti and Draytek devices.

Attacks affect VPNs and SSH © Apichatn21 / Shutterstock


Programs capable of targeting thousands of accounts simultaneously

These attacks mainly target VPNs, SSH services and web application authentication interfaces. To counter this threat, Cisco Talos published on its site a list of nearly 4,000 IP addresses associated with the attackers as well as approximately 2,100 generic identifiers used in the attacks, urging organizations to block these addresses to protect their network traffic.

The sophistication of these attacks is enhanced by advance reconnaissance, allowing malicious actors to target their attacks with precision. Hackers use automated programs that can target hundreds or even thousands of accounts simultaneously, increasing the chances of success. To avoid security mechanisms that block failed login attempts, they may also opt for password spraying, where a large number of passwords are tested on a small number of accounts. For example, Cisco’s Secure Firewall ASA VPN headend has recorded up to millions of failed authentication attempts, indicating password spraying attacks.

This is one of the reasons why Cisco Talos recommends that organizations rethink their security strategy. Enabling logging and configuring the “no logging hide username” command is essential to detect any unauthorized login attempts. Indicators of compromise (IOCs) include error messages when attempting to connect to VPN services, Hostscan token allocation failures, and a high volume of rejected authentication attempts in system logs.
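One way to act on the logging advice above, as an added example rather than code from the article or from Cisco Talos: it counts rejected authentications per source address and per username in firewall syslog. The log lines are constructed, and their layout (modelled on ASA "AAA user authentication Rejected" messages), the `detect` function and its thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines. Layout follows ASA "AAA user authentication
# Rejected" syslog messages (assumed); IPs are documentation ranges.
SAMPLE_LOG = """\
Apr 17 09:00:01 fw1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 203.0.113.10
Apr 17 09:00:02 fw1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = test : user IP = 203.0.113.10
Apr 17 09:00:03 fw1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = guest : user IP = 203.0.113.10
Apr 17 09:00:09 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 198.51.100.7
Apr 17 09:00:15 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = admin : user IP = 198.51.100.8
Apr 17 09:01:40 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = jsmith : user IP = 192.0.2.44
Apr 17 09:02:11 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = ***** : user IP = 198.51.100.9
Apr 17 09:03:00 fw1 %ASA-6-113012: AAA user authentication Successful : local database : user = jsmith
"""

REJECT_RE = re.compile(
    r"%ASA-\d-1130(?:05|15): AAA user authentication Rejected : .*?"
    r"user = (?P<user>\S+)\s*: user IP = (?P<ip>[\d.]+)"
)

def detect(log_text, min_users=3, min_sources=3):
    """Flag sources trying many usernames and usernames hit from many sources."""
    failures_by_ip = defaultdict(int)
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    masked = 0
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # successful logins and unrelated messages
        user, ip = m["user"], m["ip"]
        failures_by_ip[ip] += 1
        if set(user) == {"*"}:
            masked += 1  # username hidden in the log, so it cannot be correlated
            continue
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)
    return {
        "failures_by_ip": dict(failures_by_ip),
        "multi_user_sources": sorted(i for i, u in users_by_ip.items() if len(u) >= min_users),
        "multi_source_users": sorted(u for u, i in ips_by_user.items() if len(i) >= min_sources),
        "masked_usernames": masked,
    }

if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG).items():
        print(key, value)
```

Tracking usernames by the number of distinct sources matters here because the campaign is routed through proxy and anonymization services, so a per-address failure count alone can stay low.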


Sources: Ars Technica, Cisco Talos
