Massive Brute-Force Attacks Target VPNs and SSH Services

Security researchers at Cisco Talos warn of widespread brute-force attacks attempting to gain unauthorized access to virtual private networks (VPNs) and Secure Shell (SSH) services.

The large-scale campaign is leveraging lists of commonly used login credentials to systematically attempt to compromise vulnerable systems.

Attack Details

The brute-force offensive began in early April and is ongoing, with Talos observing over 12 million brute-force attempts across 169 countries in just the first 11 days. The top targeted countries so far include:

  • United States (27%)
  • India (18%)
  • Vietnam (6.5%)
  • Turkey (5.5%)
  • Canada (4.5%)

Researchers said in their analysis, “This activity shows that threat actors are actively scanning the internet for exposed services and attempting to brute-force them using common credentials.”

The attacks are targeting a range of VPN providers and implementations, including:

  • Cisco Secure Firewall VPN
  • Check Point VPN
  • Fortinet VPN
  • SonicWall VPN
  • RD Web Services
  • MikroTik
  • DrayTek
  • Ubiquiti

The source IP addresses for this traffic are often associated with proxy services such as:

  • Tor
  • VPN Gate
  • IPIDEA Proxy
  • BigMama Proxy
  • Space Proxies
  • Nexus Proxy
  • Proxy Rack

Credential Lists

The brute-force attempts are leveraging lists of commonly reused username and password combinations. Some of the most frequently tried credentials include:

  • Username: root / Password: toor
  • Username: admin / Password: admin
  • Username: ubnt / Password: ubnt

Talos’ analysis found over 1,000 unique username/password pairs being used across the campaign so far.

Researchers said, “Due to the significant increase and high traffic volume, we have added the known associated IP addresses to our block list. It is important to note that the source IP addresses for this traffic are likely to change.”

Mitigation Advice

To protect against these types of brute-force attacks, organizations should ensure that VPN and SSH services are not exposed directly to the Internet where possible. Multi-factor authentication should be implemented, and strong, unique credentials should be enforced.

  • Use of Strong, Unique Passwords: Organizations and individuals should ensure that all accounts have strong, unique passwords that are not easily guessable.
  • Multi-Factor Authentication (MFA): Implementing MFA can significantly reduce the risk of unauthorized access, even if login credentials are compromised.
  • Regular Monitoring and Auditing: Continuous monitoring of access logs and regular auditing of security practices can help in early detection of suspicious activities.
  • Security Awareness Training: Educating users about the importance of security practices, such as avoiding the use of default credentials, is crucial in mitigating these types of attacks.
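The monitoring advice above is easiest to act on with a concrete check. The following Python script is an added example written for this article (it is not Talos' tooling or anything from the original post): it parses OpenSSH-style `auth.log` lines, flags any source IP that exceeds a failure threshold inside a sliding time window, and separately counts attempts against the default usernames named in the credential list (root, admin, ubnt) across all sources, because a campaign spread over many proxy IPs can stay under any per-IP threshold. The log lines, the threshold of 5 failures per 60 seconds, and the log year are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log format (not real traffic).
# 203.0.113.10 sprays several usernames in seconds; the other sources make
# one failed attempt each, which is what a proxy-distributed campaign looks like.
SAMPLE_LOG = """\
Apr 12 03:14:01 vpn-gw sshd[2101]: Failed password for root from 203.0.113.10 port 50221 ssh2
Apr 12 03:14:02 vpn-gw sshd[2101]: Failed password for root from 203.0.113.10 port 50222 ssh2
Apr 12 03:14:03 vpn-gw sshd[2104]: Failed password for invalid user admin from 203.0.113.10 port 50223 ssh2
Apr 12 03:14:04 vpn-gw sshd[2106]: Failed password for invalid user ubnt from 203.0.113.10 port 50224 ssh2
Apr 12 03:14:05 vpn-gw sshd[2108]: Failed password for invalid user test from 203.0.113.10 port 50225 ssh2
Apr 12 03:14:06 vpn-gw sshd[2110]: Failed password for invalid user oracle from 203.0.113.10 port 50226 ssh2
Apr 12 03:20:11 vpn-gw sshd[2150]: Failed password for alice from 198.51.100.7 port 41002 ssh2
Apr 12 03:20:40 vpn-gw sshd[2152]: Accepted publickey for alice from 198.51.100.7 port 41003 ssh2
Apr 12 04:01:00 vpn-gw sshd[2200]: Failed password for invalid user admin from 192.0.2.55 port 33001 ssh2
"""

# Usernames taken from the credential list in the article.
DEFAULT_USERS = {"root", "admin", "ubnt"}

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2024):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Per source IP, find the largest number of failures inside any sliding
    window of window_seconds; IPs at or above threshold are reported."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, items in by_ip.items():
        items.sort()  # chronological order is required for the sliding window
        best, start = 0, 0
        for end in range(len(items)):
            # Advance the window start until the window fits in window_seconds.
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            users = {u for _, u in items}
            alerts[ip] = {
                "failures": len(items),
                "max_in_window": best,
                "distinct_users": len(users),
                "default_users_tried": sorted(users & DEFAULT_USERS),
            }
    return alerts


def default_user_attempts(events):
    """Count failures against default usernames across all sources. A campaign
    routed through many proxies, a few attempts per IP, still shows up here."""
    return dict(Counter(user for _, _, user in events if user in DEFAULT_USERS))


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for ip, info in detect_bruteforce(failures).items():
        print(f"ALERT {ip}: {info}")
    print("default-username attempts:", default_user_attempts(failures))
```

With the constructed log, only `203.0.113.10` trips the per-IP rule (six failures, five distinct usernames, three of them from the article's list), while the aggregate count shows `admin` being tried from two unrelated sources. Feed it real `auth.log` or `journalctl -u ssh` output and tune the threshold to the host's normal failure rate.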

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Co-Founder & Editor-in-Chief - Cyber Press Inc.