Cisco Warns of Large-Scale Brute-Force Attacks Targeting VPNs

Over 4,000 IPs, 2,200 passwords, and 100 usernames are in use in these attacks.

Reading time icon 2 min. read

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

cisco warns of large-scale brute-force attacks targeting vpns

Cisco has recently warned of large-scale brute-force attacks targeting VPN (virtual private network) services, SSH (secure shell) setups, and web applications.

The malicious campaign employs commonly used and easily guessable passwords to gain unauthorized access to organizational systems.

A deep analysis reveals Cisco, Fortinet, SonicWall, CheckPoint, and Ubiquiti device installations are the main targets of these attacks worldwide.

What exactly is happening?

On April 16, 2024, Cisco Talos, Cisco’s security arm, reported observing millions of login attempts using generic and potentially valid usernames/passwords.

The attackers seem to be leveraging TOR exit nodes, anonymizing tunnels, and proxies, making it difficult to pinpoint the source of the attacks.

According to Talos researchers, the campaign focused on various online services, including VPN installations, SSH services, and web application login portals.

These areas of focus are often used to access sensitive data and systems. So, a successful attack could have dire consequences for an organization.

Talos has since released a list of about 4,000 IP addresses, 2,200 passwords and 100 usernames used by the attacks on its GitHub repository.

The top targets in these attacks

Cisco Talos mentions the following services as the primary targets of the ongoing attacks. However, other services outside the given list may have also fallen prey.

  • Cisco Secure Firewall VPN 
  • Checkpoint VPN  
  • Fortinet VPN  
  • SonicWall VPN  
  • RD Web Services 
  • Miktrotik 
  • Draytek 
  • Ubiquiti 

The attacks employ anonymization whose IP addresses trace back to the following services below.

  • TOR   
  • VPN Gate  
  • IPIDEA Proxy  
  • BigMama Proxy  
  • Space Proxies  
  • Nexus Proxy  
  • Proxy Rack

Cisco believes the list is not exhaustive and other anonymization networks may be involved in these attacks.

Cisco advises on mitigation measures

To combat these brute-force attacks, Cisco recommends a multi-layered approach comprising the following: 

  • Enable logging to a remote syslog server to monitor unusual activity and block suspicious IP addresses.
  • Secure all the default profiles for remote VPN access to prevent unauthenticated attempts.
  • Use certificate-based authentication instead of password authentication for stronger security.
  • Restrict connections originating from unverified and malicious sources.  

Cisco is committed to continually revising best practices for securing installations against these attacks. Organizations should therefore regularly review these changes to stay ahead of attackers.

Leave a Reply

Your email address will not be published. Required fields are marked *