Cisco has issued a warning about a significant brute force campaign aimed at compromising VPN and SSH services across devices from several major manufacturers, including Cisco itself, CheckPoint, Fortinet, SonicWall, and Ubiquiti. The campaign, identified by Cisco's security research team, Cisco Talos, employs a strategy of attempting multiple username and password combinations to gain unauthorized access to devices and internal networks. The attackers are leveraging a combination of valid and generic employee credentials tailored to specific organizations.
Attack Methodology and Impact
The brute force attacks, which began on March 18, 2024, notably originate from TOR exit nodes along with various other anonymization tools and proxies. Attackers use these to evade blocking by the targeted organizations. The attacks can lead to several adverse outcomes, including unauthorized network access, account lockouts, and even denial-of-service conditions. The anonymization services used include TOR, VPN Gate and IPIDEA Proxy, among others, indicating a sophisticated and well-resourced operation.
The services targeted in this campaign are critical to the security infrastructure of numerous organizations and include Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, and several others. The indiscriminate nature of these attacks, with no specific focus on any industry or region, suggests a broad, opportunistic approach by the attackers, who aim to exploit any vulnerabilities found in these widely used services.
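The pattern described above (one source hammering many accounts, and one account being tried from many anonymized sources) is visible in authentication logs. The following is an added example, not code from Cisco Talos or from the article, that flags both behaviours in a few constructed sshd-style log lines and cross-checks source IPs against a constructed placeholder IoC list; the thresholds, IP addresses and the `IOC_IPS` set are assumptions, not values from the advisory.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the Talos advisory); the IPs are
# RFC 5737 documentation addresses used as placeholders.
SAMPLE_LOG = """\
Apr 18 10:01:02 vpn1 sshd[100]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Apr 18 10:01:03 vpn1 sshd[101]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Apr 18 10:01:04 vpn1 sshd[102]: Failed password for invalid user cisco from 198.51.100.7 port 40003 ssh2
Apr 18 10:01:05 vpn1 sshd[103]: Failed password for root from 198.51.100.7 port 40004 ssh2
Apr 18 10:01:06 vpn1 sshd[104]: Failed password for invalid user guest from 198.51.100.7 port 40005 ssh2
Apr 18 10:02:10 vpn1 sshd[105]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Apr 18 10:03:11 vpn1 sshd[106]: Failed password for invalid user admin from 192.0.2.9 port 52000 ssh2
Apr 18 10:03:12 vpn1 sshd[107]: Failed password for root from 192.0.2.9 port 52001 ssh2
Apr 18 10:04:00 vpn1 sshd[108]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2
"""

# Placeholder block list standing in for a published IoC IP list (assumption).
IOC_IPS = {"203.0.113.5", "203.0.113.99"}

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(log_text):
    """Return a list of (username, source_ip) for every failed-login line."""
    return [(m.group("user"), m.group("ip"))
            for m in (FAILED_RE.search(line) for line in log_text.splitlines()) if m]


def detect(log_text, per_ip_threshold=5, spray_min_sources=3):
    """Flag brute-force sources (many failures from one IP) and sprayed
    accounts (one username tried from many distinct IPs)."""
    failures_by_ip = defaultdict(int)
    sources_by_user = defaultdict(set)
    for user, ip in parse_failures(log_text):
        failures_by_ip[ip] += 1
        sources_by_user[user].add(ip)
    brute = sorted(ip for ip, n in failures_by_ip.items() if n >= per_ip_threshold)
    sprayed = sorted(u for u, s in sources_by_user.items() if len(s) >= spray_min_sources)
    return {"brute_force_ips": brute, "sprayed_users": sprayed}


def ioc_hits(log_text, ioc_ips):
    """Return the set of failing source IPs that appear in the IoC list."""
    return {ip for _, ip in parse_failures(log_text) if ip in ioc_ips}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
    print("IoC matches:", ioc_hits(SAMPLE_LOG, IOC_IPS))
```

Per-IP thresholds alone miss a spray routed through many TOR exit nodes, which is why the per-user source count is tracked as well.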
Indicators of Compromise and Historical Context
Cisco Talos has made available a comprehensive list of indicators of compromise (IoCs) on GitHub, which includes IP addresses and the specific usernames and passwords used in the brute force attacks. This resource aims to assist organizations in enhancing their security measures against this ongoing threat.
The current campaign resembles previous attacks, including a wave of password-spraying attacks targeting Remote Access VPN services reported by Cisco in late March 2024. Security researcher Aaron Martin has linked these earlier attacks to a malware botnet known as 'Brutus', based on similarities in the attack patterns and targets. While it remains unconfirmed whether the current brute force campaign is directly connected to these prior incidents, the consistent targeting of VPN and SSH services underscores a persistent threat landscape.