Cisco Talos this week warned of a massive increase in brute force attacks against VPN services, SSH services and web application authentication interfaces.
In its advisory, the company described the attacks as involving the use of generic, valid usernames to try to gain initial access to victims’ environments. The targets of these attacks appear to be random and indiscriminate and not limited to any industry or geographic sector, Cisco said.
The company has identified attacks targeting organizations using Cisco Secure Firewall VPN devices as well as technologies from several other vendors, including Check Point VPN, Fortinet VPN, SonicWall VPN, MikroTik, and DrayTek.
Attack volumes may increase
“Depending on the target environment, successful attacks of this type can lead to unauthorized network access, account lockouts, or denial-of-service conditions,” explains a statement from Cisco Talos. The vendor noted that the increase in attacks began around March 28 and warned of a likely increase in attack volumes in the coming days.
Cisco did not immediately respond to a question from Dark Reading regarding the sudden explosion in attack volumes and whether they are the work of a single threat actor or multiple threat actors. Its alert identified the source IP addresses of the attack traffic as proxy services associated with Tor, Nexus Proxy, Space Proxies, and BigMama Proxy.
Cisco’s advisory links to indicators of compromise, including IP addresses and credentials associated with the attacks, while noting that these IP addresses are likely to change over time.
The new wave of attacks is consistent with the growing interest among threat actors in VPNs and other technologies that organizations have deployed in recent years to support remote access for employees. Attackers, including nation-state actors, have aggressively targeted vulnerabilities in these products in attempts to penetrate corporate networks, prompting multiple warnings from the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA) and others.
VPN vulnerabilities are exploding in number
A study by Securin showed that the number of vulnerabilities that researchers, threat actors and vendors themselves have discovered in VPN products increased by 875% between 2020 and 2024. The researchers noted that 147 flaws in products from eight different vendors grew to nearly 1,800 flaws in 78 products. Securin also found that attackers had weaponized 204 of the vulnerabilities disclosed so far. Of these, Advanced Persistent Threat (APT) groups such as Sandworm, APT32, APT33, and Fox Kitten had exploited 26 flaws, while ransomware groups such as REvil and Sodinokibi had exploited another 16.
Cisco’s latest advisory appears to stem from numerous reports the company has received regarding password spraying attacks targeting remote access VPN services involving Cisco products and those of numerous other vendors. In a password spraying attack, an adversary tries a small set of common or default passwords against a large number of accounts, one or two guesses per account, rather than many guesses against a single account; spreading the attempts this way keeps each account below its lockout threshold, which is what distinguishes spraying from a conventional brute force attack.
Reconnaissance effort?
“This activity appears to be related to reconnaissance efforts,” Cisco said in a separate notice dated April 15 that offered organizations recommendations against password spraying attacks. The notice highlights three symptoms of an attack that Cisco VPN users may observe: VPN connection errors, HostScan token errors, and an unusual number of authentication requests.
The company advised organizations to enable logging on their devices, secure default remote access VPN profiles, and block connection attempts from malicious sources through access control lists and other mechanisms.
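To make the symptoms and mitigations above concrete, and to show the spraying-versus-brute-force distinction drawn earlier in practice, here is an added detection example. It is not code from the Dark Reading article, from Cisco Talos or from any vendor. It parses constructed syslog lines shaped like the Cisco ASA %ASA-6-113005 AAA-rejection message (the exact field layout is an assumption to verify against your own device output), separates sources that fail against many different usernames from sources that hammer one account, and emits a control-plane ACL in the ASA syntax the block assumes (check it against your software version before applying it). The IP addresses, usernames and timestamps are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog (not real traffic). The line shape follows the
# Cisco ASA %ASA-6-113005 AAA-rejection message; treat the exact field
# layout as an assumption and check it against your own device output.
# 192.0.2.77 tries many usernames once each (spraying), 203.0.113.9 hits one
# account repeatedly (brute force), 198.51.100.4 is a user with one typo.
SAMPLE_LOG = """\
Apr 16 2024 10:00:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = jsmith : user IP = 192.0.2.77
Apr 16 2024 10:00:09 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.20 : user = rgarcia
Apr 16 2024 10:00:31 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = admin : user IP = 203.0.113.9
Apr 16 2024 10:00:44 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = mlee : user IP = 198.51.100.4
Apr 16 2024 10:00:52 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = test : user IP = 192.0.2.77
Apr 16 2024 10:01:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = admin : user IP = 203.0.113.9
Apr 16 2024 10:01:40 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = admin : user IP = 192.0.2.77
Apr 16 2024 10:01:55 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = admin : user IP = 203.0.113.9
Apr 16 2024 10:02:30 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = guest : user IP = 192.0.2.77
Apr 16 2024 10:02:41 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = admin : user IP = 203.0.113.9
Apr 16 2024 10:03:12 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = vpn : user IP = 192.0.2.77
Apr 16 2024 10:03:50 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = admin : user IP = 203.0.113.9
Apr 16 2024 10:04:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.20 : user = cisco : user IP = 192.0.2.77
"""

# Assumed field layout of the 113005 message (see comment above).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = .+? : server = \S+ : "
    r"user = (?P<user>\S+) : user IP = (?P<src>\S+)$"
)


def parse_failures(log_text):
    """Return (timestamp, username, source_ip) for every AAA rejection.
    Other message IDs (successful logins, tunnel events) are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
            events.append((ts, m.group("user"), m.group("src")))
    return events


def classify_sources(events, window=timedelta(minutes=5),
                     spray_users=5, brute_attempts=5):
    """Slide a time window over each source's failures. Many distinct
    usernames from one source inside the window is spraying (it stays under
    per-account lockout thresholds); many failures on one username is classic
    brute force (it trips lockouts, the account-level DoS the advisory warns of).
    Sources below both thresholds are not reported."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort()
        best_users, best_single = 0, 0
        for i, (ts, _) in enumerate(evs):
            # Failures from this source in the window ending at this event.
            in_window = [u for t, u in evs[: i + 1] if t > ts - window]
            best_users = max(best_users, len(set(in_window)))
            per_user = defaultdict(int)
            for u in in_window:
                per_user[u] += 1
            best_single = max(best_single, max(per_user.values()))
        if best_users >= spray_users:
            verdict = "spray"
        elif best_single >= brute_attempts:
            verdict = "brute_force"
        else:
            continue
        verdicts[src] = {"verdict": verdict, "distinct_users": best_users,
                         "max_per_user": best_single, "failures": len(evs)}
    return verdicts


def asa_block_acl(sources, acl_name="control-plane-acl", interface="outside"):
    """Emit a control-plane ACL that drops flagged sources before they reach
    the VPN listener. Assumption: this follows the ASA access-list /
    access-group ... control-plane syntax; verify it on your own software
    version and keep the trailing permit, or you lock out all to-the-box traffic."""
    lines = [f"access-list {acl_name} extended deny ip host {src} any"
             for src in sorted(sources)]
    lines.append(f"access-list {acl_name} extended permit ip any any")
    lines.append(f"access-group {acl_name} in interface {interface} control-plane")
    return lines


if __name__ == "__main__":
    flagged = classify_sources(parse_failures(SAMPLE_LOG))
    for src, info in flagged.items():
        print(src, info)
    print("\n".join(asa_block_acl(flagged)))
```

The window and thresholds are tuning knobs, not magic numbers: a sprayer working from a proxy pool shows up as a modest number of distinct usernames per source, so a per-source threshold alone will miss a well-distributed campaign, and the same logic should also be run with the username as the key to catch one account probed from many sources. The generated ACL is a stopgap; as Cisco's own advisory notes, the source addresses rotate, so logging and strong or passwordless authentication are the durable controls.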
“What is important here is that this attack is not against a software or hardware vulnerability, which usually requires patching,” Jason Soroko, senior vice president of product at Sectigo, said in an emailed statement. Attackers in this case are attempting to take advantage of weak password management practices, he said, so the focus should be on implementing strong passwords or passwordless mechanisms to protect access.