Connect with us

Hi, what are you looking for?


Malware & Threats

Cisco: Multiple VPN, SSH Services Targeted in Mass Brute-Force Attacks

Cisco has observed an increase in brute-force attacks targeting web application authentication, VPNs, and SSH services.

Threat actors are targeting multiple VPN services, web application authentication interfaces, and SSH services in mass brute-force attacks, Cisco’s Talos unit warns.

As part of the observed activity, the attackers use generic usernames, as well as valid usernames for certain organizations. The attacks, however, do not appear to be focusing on a specific geographical region or industry vertical.

Since at least March 18, there has been a global increase in such attacks, with all originating from Tor exit nodes and other anonymizing solutions.

The identified source IP addresses are associated with services such as Tor, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack. However, the attackers could be using other services as well.

“Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions,” Cisco says.

Known affected services include Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, SonicWall VPN, RD Web Services, Miktrotik, Draytek, and Ubiquiti. According to Cisco, other services might be affected as well.

Cisco says it has observed a significant increase in traffic associated with these attacks, which suggests that the activity is likely to continue and increase further.

The tech giant has added the known associated IP addresses to its block list, but warns that these source IPs are likely to change.

Advertisement. Scroll to continue reading.

Cisco also published indicators of compromise (IoCs) containing the IPs, usernames, and passwords associated with the observed attacks. The IoCs are available on GitHub.

“As these attacks target a variety of VPN services, mitigations will vary depending on the affected service,” Cisco notes.

Related: Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability

Related: VPN Apps on Google Play Turn Android Devices Into Proxies

Related: Cisco Patches High-Severity Vulnerabilities in VPN Product

Related: Governments Urge Organizations to Hunt for Ivanti VPN Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights