Cisco Talos issued a threat advisory saying it has seen a global increase in brute-force attacks against a variety of targets, including VPN services, web application authentication interfaces, and SSH services.
In its April 16 blog post, Cisco Talos said the uptick in brute-force attacks on popular VPN brands was observed since at least March 18. The researchers said the attacks are indiscriminate and don’t appear targeted toward any specific region or country.
Depending on the target environment, Cisco Talos said successful brute-force attacks on these technologies may lead to unauthorized network access, account lockouts or denial-of-service conditions. The researchers said traffic related to these attacks has increased with time and it’s likely to rise.
Cisco Talos included a list of known affected services that included the following:
- Cisco Secure Firewall VPN.
- Check Point VPN.
- Fortinet VPN.
- SonicWall VPN.
- RD Web Services.
- MikroTik.
- DrayTek.
- Ubiquiti.
Why security teams need to take Cisco’s warning seriously
While brute-force attacks are a longstanding method employed by cyber adversaries, the scale and systematic execution of these recent attacks signify an escalation in threat activities, said Emily Phelps, director at Cyware. Phelps said this trend underscores the necessity for continuous adaptation in cybersecurity defenses.
“It's not merely business as usual,” said Phelps. “It's a call for heightened vigilance and proactive security measures to anticipate and counteract evolving cyber threats effectively. Security teams should treat these alerts seriously and act swiftly to enhance their defensive mechanisms.”
Cisco’s public note on these attacks does not state how many attacks it has seen, but it hints at the scale of the activity and the length of time (over a month) that these attempts to break into organizations have been observed, explained Ashley Leonard, founder and CEO of Syxsense. Because of this trend and the negative impact a brute-force attack can have on an enterprise, security teams should take the warning seriously and review their security controls for their VPN, web app authentication, and SSH services, said Leonard.
“What’s interesting here is that Cisco felt it was relevant to call these attacks out,” said Leonard. “It’s possible their research team has seen something more troubling, but they’re only able to release a fairly generic statement. But the statement has the intended effect: it highlights the importance for businesses to revisit and strengthen their defenses.”
Many initial access brokers who then sell their foothold to ransomware groups often use brute-force attacks to get in because they don’t need to combine them with the presence of a remote code execution vulnerability, said Saumitra Das, vice president of engineering at Qualys. Das added that in the last few years, we have seen many VPN, firewall, and other opaque appliance boxes from vendors having multiple critical vulnerabilities, making them a good target for attackers to get in.
“It’s not just appliances, if you bring up an exposed container or VM in the cloud, a brute-force attempt will likely start happening in a few hours,” said Das. “Open RDP and SSH are common entry points. It’s hard to block these via IP blacklists since it’s usually botnets infecting other machines or Tor exit nodes from where traffic will show up.”
Das pointed out that even several years ago, Russia’s GRU conducted large-scale distributed brute-force attacks using Kubernetes automation, so the use of scale in brute force attacks is something that’s already in the attackers’ tool chain.
“So, what we’re seeing here is not new, but given the rise in vulnerabilities and prominent placement of VPN and perimeter devices, security teams should look at the security posture of all their perimeter network devices and make sure no default passwords and logins are enabled,” said Das.
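Das's point above, that source-IP blocklists struggle against botnet- and Tor-sourced brute forcing, is easy to see in authentication logs: a per-source-IP rule (the fail2ban model) never fires when each bot only tries a password or two, while counting failures per target account across distinct sources catches the same campaign. The script below is an added example written for this article, not code from Cisco Talos or any of the vendors quoted. The sshd log lines are constructed sample data, the five-minute window and threshold of five are assumed tuning values, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format). Six different source IPs
# each try "root" once within 15 seconds; no single IP exceeds two failures.
SAMPLE_LOG = """\
Apr 16 10:00:01 vpn-gw sshd[1201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Apr 16 10:00:03 vpn-gw sshd[1202]: Failed password for root from 203.0.113.44 port 51130 ssh2
Apr 16 10:00:05 vpn-gw sshd[1203]: Failed password for invalid user admin from 192.0.2.19 port 33012 ssh2
Apr 16 10:00:07 vpn-gw sshd[1204]: Failed password for root from 203.0.113.91 port 59911 ssh2
Apr 16 10:00:09 vpn-gw sshd[1205]: Failed password for root from 198.51.100.203 port 40111 ssh2
Apr 16 10:00:11 vpn-gw sshd[1206]: Failed password for root from 192.0.2.77 port 38820 ssh2
Apr 16 10:00:13 vpn-gw sshd[1207]: Accepted publickey for deploy from 10.0.0.5 port 52000 ssh2
Apr 16 10:00:15 vpn-gw sshd[1208]: Failed password for root from 203.0.113.12 port 60001 ssh2
Apr 16 10:01:20 vpn-gw sshd[1209]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return a list of (timestamp, user, source_ip) for each failed login.

    `year` is assumed: syslog timestamps carry no year."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def _peak_in_window(keyed, window, threshold, distinct):
    """For each key, slide `window` over its (timestamp, value) items and
    report the largest count seen (distinct values or raw hits) if it
    reaches `threshold`."""
    alerts = {}
    for key, items in keyed.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            count = len({v for _, v in span}) if distinct else len(span)
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return (per_ip_alerts, per_user_alerts).

    per_ip_alerts  : sources with >= threshold failures in a window
                     (what a fail2ban-style rule sees).
    per_user_alerts: accounts hit from >= threshold distinct sources in a
                     window (what catches the distributed campaign)."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
        by_user[user].append((ts, ip))
    return (
        _peak_in_window(by_ip, window, threshold, distinct=False),
        _peak_in_window(by_user, window, threshold, distinct=True),
    )


if __name__ == "__main__":
    per_ip, per_user = detect_bruteforce(parse_failures(SAMPLE_LOG))
    print("per-IP alerts   :", per_ip)    # empty: no source crossed the threshold
    print("per-user alerts :", per_user)  # {'root': 6}: six sources hit one account
```

On the sample data the per-IP view stays silent while the per-account view flags `root`, which is the shape of the distributed activity Talos describes. The same aggregation applies to VPN or RD Web authentication logs; only the regex changes. A third useful signal, not implemented here, is the number of distinct source IPs failing against the host as a whole in a window, which catches spraying across many accounts where no single account crosses the threshold.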