Cisco Talos has issued a warning about a massive credential brute-force campaign that targets VPN and SSH services on devices worldwide. The campaign, which started on March 18, 2024, uses a mix of valid and generic employee usernames to crack the correct login credentials. Once the attackers gain access, they can hijack devices or infiltrate internal networks.
Researchers from Cisco Talos have identified that this new brute-force campaign uses both valid and generic employee usernames linked to specific organizations. The attackers launch these attacks from TOR exit nodes and various anonymization tools and proxies to avoid detection.
These attacks can lead to unauthorized network access, account lockouts, or denial-of-service conditions. The campaign’s traffic is likely to increase over time. Attackers are using services like TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack to carry out these attacks.
The campaign actively targets services including:
- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- Mikrotik
- Draytek
- Ubiquiti
The attacks do not target specific industries or regions, suggesting a more opportunistic approach. The Talos team at Cisco has provided a list of indicators of compromise (IoCs) on GitHub, which includes attackers’ IP addresses and a list of usernames and passwords used in the brute-force attacks.
In late March 2024, Cisco also issued a warning about a wave of password-spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices. These attacks are particularly effective against weak password policies and involve targeting many usernames with a commonly used set of passwords.
Security researcher Aaron Martin has linked these attacks to a malware botnet called ‘Brutus,’ based on the observed attack patterns and targeting scope. It remains unclear whether the current attacks are a continuation of those previously observed.
To protect against the rising threat of brute-force attacks on VPN and SSH services, as highlighted in Cisco’s recent warning, organizations and individuals can adopt the following best practices:
- Use Strong, Unique Passwords: Implement policies that require strong, complex passwords combining letters, numbers, and special characters. Avoid common or predictable patterns and encourage the use of password managers to generate and store complex passwords.
- Enable Multi-Factor Authentication (MFA): Add an extra layer of security by implementing MFA. This requires users to provide two or more verification factors to gain access to a resource, significantly reducing the risk of unauthorized access.
- Limit Login Attempts: Configure systems to limit the number of failed login attempts. This can help prevent brute-force attacks by locking out accounts after several failed attempts, thus mitigating the risk of password guessing.
- Monitor and Audit Access Logs: Use technologies and services such as Security Information and Event Management (SIEM) and Managed Detection and Response (MDR) to continuously monitor and review access logs for any unusual activity. Set up alerts for multiple failed login attempts, logins from new locations or devices, and other suspicious activity.
- Update and Patch Systems: Keep all systems, particularly VPN and network infrastructure, updated with the latest security patches. Attackers often exploit known vulnerabilities that are left unpatched.
- Use Secure VPN Settings: Optimize VPN security settings, including the use of strong encryption protocols and the latest version of VPN software. Ensure that VPN connections are always secured with up-to-date configurations.
- Implement Network Segmentation: Divide your network into subnetworks to limit an attacker’s access to the entire network. This can prevent lateral movement if an attacker gains access to one part of the network.
- Educate and Train Employees: Regularly train employees on the importance of cybersecurity practices. Educate them about the risks of brute-force attacks and the importance of using strong passwords and recognizing phishing attempts.
- Deploy Security Solutions: Utilize security solutions that include brute-force attack detection capabilities. These can identify and mitigate attacks before they cause significant damage.
- Use Anonymization Detection Tools: Since attackers often use TOR and other anonymization services to hide their identity, deploy tools that can detect and block access from these services.
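As an added illustration of the log-monitoring item above (this is example code, not from the article or from Cisco Talos), the following Python script aggregates failed-login lines from a constructed OpenSSH-style auth log and labels a source as password spraying when it fails against many distinct usernames, which is the pattern the campaign described here relies on. The thresholds, hostnames and IP addresses are assumptions chosen for the sample.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not real data). The "Failed password" and
# "Accepted password" formats follow OpenSSH's standard sshd log messages.
SAMPLE_LOG = """\
Apr 18 10:01:02 vpn-gw sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Apr 18 10:01:03 vpn-gw sshd[2202]: Failed password for invalid user test from 198.51.100.7 port 51023 ssh2
Apr 18 10:01:04 vpn-gw sshd[2203]: Failed password for root from 198.51.100.7 port 51024 ssh2
Apr 18 10:01:05 vpn-gw sshd[2204]: Failed password for invalid user guest from 198.51.100.7 port 51025 ssh2
Apr 18 10:01:06 vpn-gw sshd[2205]: Failed password for invalid user user from 198.51.100.7 port 51026 ssh2
Apr 18 10:02:10 vpn-gw sshd[2210]: Failed password for alice from 203.0.113.5 port 40000 ssh2
Apr 18 10:02:12 vpn-gw sshd[2211]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Apr 18 10:02:20 vpn-gw sshd[2212]: Accepted password for alice from 203.0.113.5 port 40002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def summarize_failures(log_text):
    """Aggregate failed password attempts per source IP.

    Returns {ip: {"failures": count, "users": set of usernames tried}}.
    Successful logins are ignored; only failures feed the counters.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            entry = stats[match.group("ip")]
            entry["failures"] += 1
            entry["users"].add(match.group("user"))
    return dict(stats)


def flag_sources(log_text, fail_threshold=5, spray_users=3):
    """Return {ip: label} for sources at or above fail_threshold failures.

    A source that fails against spray_users or more distinct accounts is
    labelled "password-spray" (many usernames, few passwords); otherwise it
    is labelled "brute-force" (repeated guesses against the same account).
    Thresholds are assumed values; tune them to your environment's baseline.
    """
    flagged = {}
    for ip, entry in summarize_failures(log_text).items():
        if entry["failures"] >= fail_threshold:
            kind = "password-spray" if len(entry["users"]) >= spray_users else "brute-force"
            flagged[ip] = kind
    return flagged


if __name__ == "__main__":
    for ip, kind in flag_sources(SAMPLE_LOG).items():
        print(f"{ip}: {kind}")
```

Feeding real sshd or VPN gateway logs into `flag_sources` with thresholds matched to your normal failure rate gives a simple alert condition for the SIEM rule described above; a spray label on a source that also resolves to a known TOR exit node or proxy range is a strong signal.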
By implementing these best practices, organizations can enhance their cybersecurity defenses against brute-force attacks targeting their VPN and SSH services, protecting their critical infrastructure and sensitive data.