Threat actors are targeting multiple VPN services, web application authentication interfaces, and SSH services in mass brute-force attacks, Cisco’s Talos unit warns.
As part of the observed activity, the attackers use generic usernames, as well as valid usernames for certain organizations. The attacks, however, do not appear to be focusing on a specific geographical region or industry vertical.
Since at least March 18, there has been a global increase in such attacks, with all originating from Tor exit nodes and other anonymizing solutions.
The identified source IP addresses are associated with services such as Tor, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack. However, the attackers could be using other services as well.
“Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions,” Cisco says.
Known affected services include Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, SonicWall VPN, RD Web Services, Miktrotik, Draytek, and Ubiquiti. According to Cisco, other services might be affected as well.
Cisco says it has observed a significant increase in traffic associated with these attacks, which suggests that the activity is likely to continue and increase further.
The tech giant has added the known associated IP addresses to its block list, but warns that these source IPs are likely to change.
Cisco also published indicators of compromise (IoCs) containing the IPs, usernames, and passwords associated with the observed attacks. The IoCs are available on GitHub.
“As these attacks target a variety of VPN services, mitigations will vary depending on the affected service,” Cisco notes.
Related: Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability
Related: VPN Apps on Google Play Turn Android Devices Into Proxies
Related: Cisco Patches High-Severity Vulnerabilities in VPN Product
Related: Governments Urge Organizations to Hunt for Ivanti VPN Attacks