A new threat advisory released Tuesday by Cisco Talos warns of an uptick in brute force attacks targeting VPN’s, SSH services, and web application authentication interfaces.
Security researchers at Cisco Talos, the tech giant’s security intelligence and research group, said a worldwide increase in these types of brute force attacks began around March 18th.
Cisco Talos put out a list of nearly 4,000 IP addresses being used by threat actors to carry out the attacks and is recommending organizations immediately block the addresses from approved inbound network traffic.
The list which can be found on GitHub, also includes about 2100 user names and generic passwords that have been used in the attacks.
In a brute force attack, threat actors will use trial and error, entering random login credentials – e.g. usernames and passwords – to gain access to an account.
In this case it also appears the threat actors have been able to carry out some reconnaissance before the attacks, allowing them to target the attacks with greater accuracy.
Hackers often use automated brute force programs that can target hundreds, if not thousands of accounts simultaneously.
Alternatively, to avoid being locked out of the targeted accounts due to repeated failed login attempts, the hackers can use thousands of passwords targeting just a few accounts, otherwise known as password spraying.
As in this case, the hackers will often try both valid usernames for specific organizations, as well as common generic usernames and passwords – such as "network," "vpnadmin," "Qwerty123," and "Password1," all of which happen to be on the GitHub list.
“Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions,” Talos researchers said, noting that the “traffic related to these attacks has increased with time and is likely to continue to rise.”
Here is a list of the affected services known so far:
- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- Miktrotik
- Draytek
- Ubiquiti
Cisco researchers also discovered that most of the attacks had originated from TOR, a proxy service that reroutes internet traffic through several servers to obscure the user's real IP address, making it untraceable.
Other anonymizing tunnels and proxies associated with the source IP addresses include VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack.
Indicators of compromise (IOC) included users receiving error messages when attempting to connect to VPN services, hostscan token allocation failures, and large numbers of rejection authentication attempts in system logs, according to the advisory.
For example, Cisco Talos said its VPN headend Secure Firewall ASA showed “symptoms of password spray attacks with 100-thousands or millions of rejected authentication attempts.’
To help root out this type of malicious activity, Talos recommends that organizations turn on their logging systems and configure the “no logging hide username” command to recognize any unauthorized user login attempts.
The intel team did note that the IP addresses on the traffic blocklist released Tuesday are likely to change, and more services are likely to be identified as impacted by the attacks.
The team also said besides enabling logging, blocking connection attempts from malicious IP addresses, and securing default remote access VPN profiles, other mitigation measures to secure the VPNs will vary by the affected service and organizations should refer to their particular VPN vendor.
Your email address will not be published. Required fields are markedmarked