Cisco has issued a global warning concerning a significant uptick in brute-force attacks aimed at various devices, notably targeting Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services since March 18, 2024. These attacks, detected by Cisco Talos, are emanating from TOR exit nodes and a spectrum of anonymizing tunnels and proxies. The cybersecurity company underscores the severity of these assaults, highlighting the potential ramifications of successful breaches, including unauthorized network access, account lockouts, and potential denial-of-service conditions.
The targets of these broad and opportunistic attacks encompass a range of devices, including Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, SonicWall VPN, RD Web Services, Mikrotik, Draytek, and Ubiquiti. Cisco Talos characterizes these brute-force attempts as deploying both generic and valid usernames, indiscriminately targeting organizations across various sectors and geographic locations. Notably, the source IP addresses associated with the malicious traffic are commonly linked with proxy services such as TOR, VPN Gate, IPIDEA Proxy, and others, compounding the challenge of identifying and mitigating these attacks effectively.
This development coincides with Cisco’s earlier warning regarding password spray attacks targeting remote access VPN services, indicative of ongoing reconnaissance efforts by threat actors. Moreover, the warning follows a report from Fortinet FortiGuard Labs highlighting the exploitation of a now-patched security flaw in TP-Link Archer AX21 routers to disseminate DDoS botnet malware families like AGoent, Condi, Gafgyt, Mirai, Miori, and MooBot. Security researchers emphasize the importance of user vigilance and the timely application of patches to mitigate the risk of network infection, underscoring the relentless targeting of IoT vulnerabilities by botnets and the critical need for proactive cybersecurity measures.