Cisco is warning of a global surge in brute-force attacks targeting various devices, including virtual private network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
“All of these attacks appear to be coming from TOR exit nodes and a number of other anonymized tunnels and proxies,” Cisco Talos said.
Successful attacks could pave the way for unauthorized network access, account lockouts or denial-of-service conditions, the cybersecurity firm added.
The attacks, believed to be large and opportunistic, were noted to target the following devices:
- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- Remote Desktop Web Services
- Mikrotik
- Draytek
- Ubiquiti
Cisco Talos described the brute-forcing attempts as using usernames that were both generic and valid for specific organizations, with the attacks indiscriminately targeting a wide range of industries across geographies.
The source IP addresses of the traffic are commonly associated with proxy services, including TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack, among others.
Cisco Talos has published the full list of indicators associated with the activity, such as IP addresses and usernames/passwords.
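For defenders, the pattern described above (many usernames tried from proxy-hosted sources) can be looked for in authentication logs. The following Python sketch is an added example, not code from Cisco Talos: the log format, the thresholds, the sample lines and the `ANONYMIZER_IPS` set (a stand-in for a published indicator list) are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in a made-up "time result user= src=" format (not a vendor log).
SAMPLE_LOG = """\
2024-03-18T10:00:01Z FAIL user=admin src=203.0.113.10
2024-03-18T10:00:02Z FAIL user=test src=203.0.113.10
2024-03-18T10:00:03Z FAIL user=guest src=203.0.113.10
2024-03-18T10:00:04Z FAIL user=jsmith src=203.0.113.10
2024-03-18T10:00:09Z FAIL user=jsmith src=198.51.100.7
2024-03-18T10:00:15Z FAIL user=jsmith src=198.51.100.8
2024-03-18T10:01:00Z OK user=jsmith src=198.51.100.9
2024-03-18T10:02:00Z FAIL user=alice src=192.0.2.50
2024-03-18T10:02:05Z OK user=alice src=192.0.2.50
"""

# Constructed stand-in for a Tor exit / proxy IP list taken from threat intel.
ANONYMIZER_IPS = {"203.0.113.10", "198.51.100.9"}

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log):
    """Yield (result, user, src) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4)

def detect(log, anonymizers, min_users=4, min_sources=3):
    """Flag spraying sources, heavily targeted accounts and suspicious successes."""
    users_by_src = defaultdict(set)  # usernames that failed, per source IP
    srcs_by_user = defaultdict(set)  # source IPs that failed, per username
    successes = []
    for result, user, src in parse(log):
        if result == "FAIL":
            users_by_src[src].add(user)
            srcs_by_user[user].add(src)
        else:
            successes.append((user, src))
    # One source trying many accounts: classic spraying.
    spray = {s for s, u in users_by_src.items() if len(u) >= min_users}
    # One account failing from many sources: attempts rotated across proxies.
    targeted = {u for u, s in srcs_by_user.items() if len(s) >= min_sources}
    # A success from a listed or spraying source, or on a targeted account, needs review.
    risky = [(u, s) for u, s in successes
             if s in anonymizers or s in spray or u in targeted]
    return {"spray_sources": sorted(spray), "targeted_users": sorted(targeted),
            "risky_successes": risky}

if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG, ANONYMIZER_IPS).items():
        print(key, value)
```

The per-account view matters because traffic rotated across proxies keeps each individual source IP under a per-source threshold.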
The development comes as the networking equipment company warned of password spray attacks targeting remote access VPN services as part of what it calls “reconnaissance efforts.”
It also follows a report from Fortinet FortiGuard Labs that threat actors continue to exploit a now-patched security flaw affecting TP-Link Archer AX21 routers (CVE-2023-1389, CVSS Score: 8.8) to spread DDoS botnet malware families such as AGoent, Condi, Gafgyt, Mirai, Miori and MooBot.
“As usual, botnets relentlessly target IoT vulnerabilities, continually attempting to exploit them,” said security researchers Cara Lin and Vincent Li.
“Users should be vigilant against DDoS botnets and apply patches promptly to safeguard their network environments from infection, preventing them from becoming bots for malicious threat actors.”