Cisco Warns of Large-Scale Brute-Force Attacks Targeting VPNs
Over 4,000 IPs, 2,200 passwords, and 100 usernames are in use in these attacks.
2 min. read
Published on
Share this article
Improve this guide
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Cisco has recently warned of large-scale brute-force attacks targeting VPN (virtual private network) services, SSH (secure shell) setups, and web applications.
The malicious campaign employs commonly used and easily guessable passwords to gain unauthorized access to organizational systems.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Connect to thousands of servers for persistent seamless browsing.
A deep analysis reveals Cisco, Fortinet, SonicWall, CheckPoint, and Ubiquiti device installations are the main targets of these attacks worldwide.
What exactly is happening?
On April 16, 2024, Cisco Talos, Cisco’s security arm, reported observing millions of login attempts using generic and potentially valid usernames/passwords.
The attackers seem to be leveraging TOR exit nodes, anonymizing tunnels, and proxies, making it difficult to pinpoint the source of the attacks.
According to Talos researchers, the campaign focused on various online services, including VPN installations, SSH services, and web application login portals.
These areas of focus are often used to access sensitive data and systems. So, a successful attack could have dire consequences for an organization.
Talos has since released a list of about 4,000 IP addresses, 2,200 passwords and 100 usernames used by the attacks on its GitHub repository.
The top targets in these attacks
Cisco Talos mentions the following services as the primary targets of the ongoing attacks. However, other services outside the given list may have also fallen prey.
- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- Miktrotik
- Draytek
- Ubiquiti
The attacks employ anonymization whose IP addresses trace back to the following services below.
- TOR
- VPN Gate
- IPIDEA Proxy
- BigMama Proxy
- Space Proxies
- Nexus Proxy
- Proxy Rack
Cisco believes the list is not exhaustive and other anonymization networks may be involved in these attacks.
Cisco advises on mitigation measures
To combat these brute-force attacks, Cisco recommends a multi-layered approach comprising the following:
- Enable logging to a remote syslog server to monitor unusual activity and block suspicious IP addresses.
- Secure all the default profiles for remote VPN access to prevent unauthenticated attempts.
- Use certificate-based authentication instead of password authentication for stronger security.
- Restrict connections originating from unverified and malicious sources.
Cisco is committed to continually revising best practices for securing installations against these attacks. Organizations should therefore regularly review these changes to stay ahead of attackers.
