April 17, 2024 at 10:01AM
Cisco’s Talos unit warns of mass brute-force attacks targeting VPN services, web application authentication interfaces, and SSH services. The attacks originate from Tor exit nodes, try both generic usernames and usernames valid for particular organizations, and affect services from multiple vendors. Cisco observed a significant increase in these attacks and has added the associated IP addresses to its block list. Mitigations vary depending on the affected service.
Key takeaways from the meeting notes are as follows:
– Threat actors are conducting mass brute-force attacks on multiple VPN services, web application authentication interfaces, and SSH services, without focusing on a specific geographical region or industry vertical.
– The attacks have been observed globally since at least March 18, originating from Tor exit nodes and other anonymizing solutions.
– Attackers are using generic usernames as well as valid usernames for certain organizations, and the source IP addresses are associated with various proxy services.
– Successful attacks could lead to unauthorized network access, account lockouts, or denial-of-service conditions. Known affected services include those from Cisco, Check Point, Fortinet, SonicWall, RD Web, MikroTik, DrayTek, and Ubiquiti.
– Cisco has added the known associated IP addresses to its block list and has published indicators of compromise (IoCs) on GitHub containing the IPs, usernames, and passwords associated with the observed attacks.
– Mitigations for these attacks will vary depending on the affected service.
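The pattern described above (many failed logins from one source, a mix of generic and organization-specific usernames, and source addresses that match a published block list) can be spotted in ordinary authentication logs. The following is an added illustration written for this summary, not code from Cisco Talos or from the GitHub IoC publication. It assumes OpenSSH-style `sshd` log lines, uses constructed sample lines with documentation-range IP addresses, and stands in a small placeholder set for the real IoC list; the detection thresholds (`min_failures`, `min_users`, `window`) are arbitrary choices for the example and would be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines for the example (not from the Talos report).
# 203.0.113.10 sprays several usernames quickly; 198.51.100.7 is a user who
# mistyped a password once and then succeeded; 192.0.2.55 fails once as root.
SAMPLE_LOG = """\
Apr 17 09:58:01 vpn-gw sshd[4011]: Failed password for invalid user admin from 203.0.113.10 port 51812 ssh2
Apr 17 09:58:03 vpn-gw sshd[4013]: Failed password for invalid user test from 203.0.113.10 port 51820 ssh2
Apr 17 09:58:05 vpn-gw sshd[4015]: Failed password for invalid user guest from 203.0.113.10 port 51831 ssh2
Apr 17 09:58:07 vpn-gw sshd[4017]: Failed password for jsmith from 203.0.113.10 port 51840 ssh2
Apr 17 09:58:09 vpn-gw sshd[4019]: Failed password for invalid user oracle from 203.0.113.10 port 51852 ssh2
Apr 17 09:58:11 vpn-gw sshd[4021]: Failed password for jsmith from 198.51.100.7 port 40022 ssh2
Apr 17 09:58:40 vpn-gw sshd[4023]: Accepted password for jsmith from 198.51.100.7 port 40022 ssh2
Apr 17 09:59:02 vpn-gw sshd[4025]: Failed password for root from 192.0.2.55 port 60001 ssh2
"""

# Placeholder stand-in for a published block list of attacker IPs (constructed
# values, not real indicators); in practice load the vendor's IoC file here.
IOC_IPS = {"203.0.113.10", "192.0.2.44"}

# Matches the standard sshd password-auth outcome line (assumed log format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an auth outcome line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, window=timedelta(minutes=5), min_failures=4,
                      min_users=3, ioc_ips=IOC_IPS):
    """Flag source IPs showing brute-force or spraying behaviour.

    A source is reported when, within any `window`, it produced at least
    `min_failures` failed logins, or tried at least `min_users` distinct
    usernames, or appears on the IoC block list.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e)

    findings = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window over this IP's failures: keep the busiest window.
        start, best_count, best_users = 0, 0, set()
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            current = evs[start:end + 1]
            if len(current) > best_count:
                best_count = len(current)
                best_users = {e["user"] for e in current}

        reasons = []
        if best_count >= min_failures:
            reasons.append(f"{best_count} failed logins within {window}")
        if len(best_users) >= min_users:
            reasons.append(f"{len(best_users)} distinct usernames tried")
        if ip in ioc_ips:
            reasons.append("source IP on IoC block list")
        if reasons:
            findings[ip] = {"failures": best_count,
                            "users": sorted(best_users),
                            "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info["failures"], info["users"], "; ".join(info["reasons"]))
```

On the constructed sample only 203.0.113.10 is reported, on all three grounds; the single mistyped password from 198.51.100.7 and the lone root failure from 192.0.2.55 stay below the thresholds, which is the behaviour you want so that lockout-style noise from real users does not drown the alert. Running the same logic against the published IoC usernames would be a straightforward extension: add a check for usernames in that list alongside the IP check.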
The meeting notes also highlight related articles and announcements regarding recent vulnerabilities in VPN products and urge organizations to be vigilant against such attacks.