Brute-force attacks escalate globally on VPNs and web services


There has been a surge in brute-force attacks targeting various online services globally. First detected on or around March 18, 2024, these attacks have been primarily aimed at Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services.

The perpetrators behind these attacks are utilising TOR exit nodes alongside various anonymising tunnels and proxies to carry out their malicious activities. This sophisticated approach allows them to conceal their origins effectively, making it challenging for cybersecurity experts to swiftly trace and mitigate these attacks.

The potential ramifications of these attacks are substantial, ranging from unauthorised network access to account lockouts and potential denial-of-service (DoS) conditions. The volume of malicious traffic associated with these activities has steadily increased, indicating a growing threat landscape.

“Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise,” noted researchers.

According to them, the affected services include, but are not limited to:

  • Cisco Secure Firewall VPN
  • Checkpoint VPN
  • Fortinet VPN
  • SonicWall VPN
  • RD Web Services
  • MikroTik
  • Draytek
  • Ubiquiti

Hackers used over 100 passwords and about 4,000 IP addresses for this attack.

The attackers employ a combination of generic and valid usernames specific to targeted organisations in their brute-force attempts. Notably, these attacks do not target a particular geographic region or industry sector, suggesting a widespread and indiscriminate campaign by threat actors.

Cisco compiled a list of several thousand usernames, about 100 passwords and 4,000 IP addresses used by threat actors in this massive attack.
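The pattern described above, the same generic or organisation-specific usernames tried from thousands of source IPs, is easy to miss with per-IP lockout rules, because each proxy or TOR exit node may only attempt a login once or twice. As an added example (not from the article or from Cisco's advisory), the Python below runs a simple detector over constructed VPN authentication log lines and flags usernames that fail from several distinct sources within a short window; the log format, hostnames and IP addresses are all assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (syslog-style, not real data).
SAMPLE_LOG = """\
2024-03-18T10:00:01Z vpn1 auth: FAILED user=admin src=203.0.113.10
2024-03-18T10:00:05Z vpn1 auth: FAILED user=admin src=198.51.100.7
2024-03-18T10:00:09Z vpn1 auth: FAILED user=test src=203.0.113.10
2024-03-18T10:00:12Z vpn1 auth: FAILED user=admin src=203.0.113.45
2024-03-18T10:00:20Z vpn1 auth: FAILED user=jsmith src=198.51.100.7
2024-03-18T10:00:31Z vpn1 auth: FAILED user=admin src=192.0.2.200
2024-03-18T10:00:40Z vpn1 auth: SUCCESS user=jsmith src=192.0.2.55
2024-03-18T10:09:00Z vpn1 auth: FAILED user=jsmith src=192.0.2.55
"""

LINE_RE = re.compile(r"^(\S+) \S+ auth: (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def parse_events(log_text):
    """Parse the assumed log format into (timestamp, result, user, src_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def distributed_failures(events, window=timedelta(minutes=5), min_sources=3):
    """Return {username: set_of_source_ips} for usernames whose FAILED logins
    came from at least min_sources distinct IPs inside one sliding window."""
    failures = defaultdict(list)  # user -> [(ts, src), ...] in time order
    for ts, result, user, src in sorted(events):
        if result == "FAILED":
            failures[user].append((ts, src))
    flagged = {}
    for user, attempts in failures.items():
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # drop attempts older than the window
                start += 1
            srcs = {s for _, s in attempts[start:end + 1]}
            if len(srcs) >= min_sources:
                flagged[user] = srcs
                break
    return flagged


if __name__ == "__main__":
    for user, srcs in distributed_failures(parse_events(SAMPLE_LOG)).items():
        print(f"possible password spraying against {user!r} from {len(srcs)} sources")
```

On the sample data only `admin` is flagged; `jsmith` fails twice but from one IP at a time and more than five minutes apart, which is what an ordinary user mistyping a password looks like.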

Researchers were able to trace the source IP addresses associated with this malicious traffic, which are commonly linked to proxy services like TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack.

However, this list is not exhaustive, as threat actors may leverage additional services to mask their activities.

In response to this escalating threat landscape, proactive measures have been implemented to block known associated IP addresses.

“Due to the significant increase and high traffic volume, we have added the known associated IP addresses to our block list,” researchers noted. “It is important to note that the source IP addresses for this traffic are likely to change.”

On Tuesday, it was reported that Cisco Duo, a cloud-based authentication program, suffered a data breach of SMS MFA logs.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
