April 16, 2024 at 12:14PM
Cisco warns about a global large-scale brute force attack targeting VPN and SSH services on various devices. The attack involves a mix of valid and generic employee usernames, started on March 18, 2024, and uses anonymization tools. It targets a range of services and lacks a specific focus, with possible links to earlier attacks. Cisco shares IoCs for mitigation.
Key takeaways from the meeting notes are as follows:
– Cisco warns about a large-scale credential brute-forcing campaign targeting VPN and SSH services on devices from Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti globally.
– The campaign uses a mix of valid and generic employee usernames related to specific organizations.
– Attacks started on March 18, 2024, originating from TOR exit nodes and various anonymization tools and proxies.
– The targets of the campaign include various VPN services and other network services such as RD Web Services, MikroTik, DrayTek, and Ubiquiti.
– The malicious activity lacks a specific focus on industries or regions, suggesting a broader strategy of random, opportunistic attacks.
– Earlier attacks in late March 2024 targeted Remote Access VPN services configured on Cisco Secure Firewall devices and were attributed to a malware botnet called ‘Brutus’.
– There remains uncertainty whether the current warnings from Cisco are connected to the previous attacks.
For further details and concrete indicators of compromise, it’s recommended to refer to the complete list of IoCs shared by the Talos team on GitHub, including the attackers’ IP addresses and the list of usernames and passwords used in the brute force attacks.
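The detection a defender would build from this warning is a check over VPN and SSH authentication logs that flags sources producing many failures in a short window, flags sources cycling through many usernames (the mix of valid and generic employee names described above), and cross-references sources against the published IoC IP list. The script below is an added example, not code from Cisco, Talos, or the original post; it assumes a simplified constructed log layout, constructed sample log lines, and placeholder IoC IPs (which are not the Talos indicators and would be replaced with the GitHub list).

```python
"""Flag credential brute-forcing against VPN/SSH services from authentication
failure logs and cross-check the sources against an IoC IP list.

Added example (not Cisco's or Talos's code). Log format, thresholds and all
sample values are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed placeholder IoC IPs; substitute the published Talos list here.
IOC_IPS = {"192.0.2.10", "198.51.100.7"}

# Constructed sample log lines in a simplified syslog-like layout.
SAMPLE_LOGS = """\
2024-03-18T10:00:01Z vpn-gw AUTH_FAIL user=jsmith src=192.0.2.10
2024-03-18T10:00:03Z vpn-gw AUTH_FAIL user=admin src=192.0.2.10
2024-03-18T10:00:05Z vpn-gw AUTH_FAIL user=test src=192.0.2.10
2024-03-18T10:00:07Z vpn-gw AUTH_FAIL user=guest src=192.0.2.10
2024-03-18T10:00:09Z vpn-gw AUTH_FAIL user=mjones src=192.0.2.10
2024-03-18T10:00:11Z vpn-gw AUTH_FAIL user=support src=192.0.2.10
2024-03-18T10:01:00Z ssh-bastion AUTH_FAIL user=root src=203.0.113.5
2024-03-18T10:01:01Z ssh-bastion AUTH_FAIL user=root src=203.0.113.5
2024-03-18T10:01:02Z ssh-bastion AUTH_FAIL user=root src=203.0.113.5
2024-03-18T10:01:03Z ssh-bastion AUTH_FAIL user=root src=203.0.113.5
2024-03-18T10:01:04Z ssh-bastion AUTH_FAIL user=root src=203.0.113.5
2024-03-18T10:01:05Z ssh-bastion AUTH_FAIL user=root src=203.0.113.5
2024-03-18T10:05:00Z vpn-gw AUTH_FAIL user=alee src=10.0.0.42
2024-03-18T10:05:30Z vpn-gw AUTH_OK user=alee src=10.0.0.42
2024-03-18T11:30:00Z vpn-gw AUTH_FAIL user=bkim src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>AUTH_FAIL|AUTH_OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text, ioc_ips, window=timedelta(minutes=10),
            fail_threshold=5, user_threshold=3):
    """Return {src_ip: finding} for sources that look like brute-forcing or
    appear on the IoC list. A finding records the peak failure count inside
    any `window`, the number of distinct usernames tried, and the labels."""
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "AUTH_FAIL":
            failures[rec["src"]].append((rec["ts"], rec["user"]))

    findings = {}
    for src, events in failures.items():
        events.sort()
        # Sliding window over sorted timestamps: peak failures within `window`.
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        users = {u for _, u in events}
        labels = []
        if peak >= fail_threshold:
            labels.append("brute_force")
            # Many distinct usernames from one source: spraying / enumeration,
            # the mixed valid-and-generic username pattern described above.
            if len(users) >= user_threshold:
                labels.append("password_spray")
        if src in ioc_ips:
            labels.append("ioc_match")
        if labels:
            findings[src] = {"peak_failures": peak,
                             "distinct_users": len(users),
                             "labels": labels}
    return findings


if __name__ == "__main__":
    for src, finding in sorted(analyze(SAMPLE_LOGS, IOC_IPS).items()):
        print(src, finding)
```

Two details matter in practice: the window is computed per source, so a slow, distributed spray (one attempt per proxy or TOR exit) stays under `fail_threshold` and needs a second aggregation keyed on username rather than source; and the IoC match is kept as a separate label, so a single failure from a listed IP (`198.51.100.7` in the sample) is still surfaced even though it never crosses the volume threshold.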