Keypoints
- Global increase in brute-force attacks observed since at least March 18, 2024, targeting VPNs, web auth interfaces, and SSH services.
- Attacks originate from TOR exit nodes and a variety of anonymizing proxies (e.g., VPN Gate, Proxy Rack).
- Actors use both generic and valid organization-specific usernames when attempting logins.
- Potential impacts include unauthorized access, account lockouts, and denial-of-service conditions; traffic volume is rising.
- Known affected services include Cisco Secure Firewall VPN, Checkpoint, Fortinet, SonicWall, RD Web Services, Mikrotik, Draytek, and Ubiquiti.
- Cisco Talos added known associated IPs to blocklists and published IPs/credentials in a GitHub repository for defenders.
- Mitigations vary by product; Cisco published guidance specifically for remote access VPN services.
MITRE Techniques
- [T1110] Brute Force - Attackers repeatedly attempted authentication across VPN, web auth, and SSH services to guess credentials ("Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.")
- [T1110.001] Password Guessing - Use of common/generic and organization-specific usernames to perform password-guessing/password-spray style attempts ("The brute-forcing attempts use generic usernames and valid usernames for specific organizations.")
- [T1090] Proxy - Use of TOR exit nodes and multiple anonymizing proxy services to obfuscate the attack origin ("These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies.")
- [T1078] Valid Accounts - Attempts leveraged known/valid usernames (and captured credentials published in IOCs) to gain access if password guesses succeeded ("We are including the usernames and passwords used in these attacks in the IOCs for awareness.")
- [T1499] Endpoint Denial of Service - High-volume authentication traffic and lockout events can produce denial-of-service or account lockouts for targeted services ("Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions.")
Indicators of Compromise
- [Affected Services] targeted platforms - Cisco Secure Firewall VPN, Fortinet VPN (examples of impacted systems)
- [Proxy/Source Names] origins used - TOR exit nodes, VPN Gate (anonymizing sources observed)
- [Credentials] usernames/passwords - included in Cisco Talos GitHub IOCs (see repository for examples and lists)
- [IP Addresses] associated attacker IPs - known IPs added to Cisco blocklists and published in the GitHub IOCs (examples available in repo)
- [IOC Repository] reference - https://github.com/Cisco-Talos/IOCs/tree/main/2024/04 (contains IPs, usernames, and passwords related to the activity)
Cisco Talos detected a sustained campaign of brute-force login attempts beginning mid-March 2024 that targeted remote-access services (VPNs), web authentication endpoints, and SSH. The activity is characterized by high-volume credential guessing using both generic and organization-specific usernames, and it is routed through TOR exit nodes and multiple anonymizing proxy services, which complicates attribution and blocking.
Observed impacts include potential unauthorized network access, widespread account lockouts, and denial-of-service conditions when authentication systems are overwhelmed. Known affected vendors and systems include Cisco Secure Firewall VPN, Checkpoint, Fortinet, SonicWall, RD Web Services, Mikrotik, Draytek, and Ubiquiti. Cisco Talos has compiled the related IP addresses, usernames, and passwords in a public GitHub repository and added known IPs to blocklists while warning that source addresses are likely to change.
Defenders should consult the published IOCs and apply service-specific mitigations; Cisco points to its remote-access VPN guidance for recommended best practices. Because the required measures vary by service, review the Cisco Talos GitHub repository of IOCs for awareness and blocking, and implement product-specific controls and monitoring in your environment.
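As an added illustration (not code from the Talos report), the script below runs the detection logic a defender would want for this activity over constructed sshd log lines: it groups failed logins by source address, flags sources with many failures (brute force) and sources cycling through many accounts (spraying, the pattern that drives lockouts), separates generic usernames from organization-specific ones, and marks hits against a blocklist. The IOC_IPS set and the log lines are placeholders; the real indicators are in the Cisco Talos repository linked above.

```python
import re
from collections import defaultdict

# Constructed sshd log lines for illustration (not taken from the Talos report).
SAMPLE_LOG = """\
Apr 16 10:00:01 vpn1 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Apr 16 10:00:03 vpn1 sshd[1202]: Failed password for invalid user test from 203.0.113.10 port 51023 ssh2
Apr 16 10:00:05 vpn1 sshd[1203]: Failed password for jsmith from 203.0.113.10 port 51024 ssh2
Apr 16 10:00:07 vpn1 sshd[1204]: Failed password for mjones from 203.0.113.10 port 51025 ssh2
Apr 16 10:00:09 vpn1 sshd[1205]: Failed password for invalid user root from 203.0.113.10 port 51026 ssh2
Apr 16 10:00:11 vpn1 sshd[1206]: Failed password for jsmith from 198.51.100.7 port 40001 ssh2
Apr 16 10:00:20 vpn1 sshd[1207]: Accepted password for jsmith from 192.0.2.5 port 40002 ssh2
"""

# Placeholder blocklist; the real addresses are in the Cisco Talos IOC repository.
IOC_IPS = {"198.51.100.7"}
# Generic usernames of the kind the report says are tried alongside org-specific ones.
GENERIC_USERS = {"admin", "root", "test", "guest", "user"}

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def analyze(log_text, fail_threshold=5, spray_threshold=3):
    """Group failed logins by source IP and flag brute-force / spray patterns."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    findings = {}
    for ip, users in failures.items():
        distinct = set(users)
        findings[ip] = {
            "failures": len(users),
            "usernames": sorted(distinct),
            "generic_usernames": sorted(distinct & GENERIC_USERS),
            # Many failures from one source: classic brute force.
            "brute_force": len(users) >= fail_threshold,
            # Many different accounts from one source: spraying / lockout risk.
            "password_spray": len(distinct) >= spray_threshold,
            "known_ioc": ip in IOC_IPS,
        }
    return findings

if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

Thresholds are deliberately low for the sample; in production tune them per service and feed the flagged sources into the same blocklist or rate-limiting control the vendor guidance recommends.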