Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.

The company released a warning this week, saying its security arm has been monitoring increased attacks aimed at VPNs, Web application authentication interfaces and SSH services since March 18.

"Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts or denial-of-service conditions," wrote Cisco. "The traffic related to these attacks has increased with time and is likely to continue to rise. Known affected services are listed below. However, additional services may be impacted by these attacks."

Cisco said that the brute force attacks leverage both generic usernames and valid usernames tailored to specific organizations, indicating an indiscriminate approach to targeting (also known as credential spraying). These attacks are not focused on any particular region or industry. Furthermore, the source IP addresses associated with this malicious traffic frequently originate from proxy services, among others, hiding the attackers' locations and complicating tracing efforts.

Some of the services used in the attacks include VPN Gate, TOR, BigMama Proxy, IPIDEA Proxy, Space Proxies and more.

For Cisco's part, it has blocked traffic from discovered IP addresses and sources – but is quick to point out that attackers will likely change these to continue the large-scale attacks. As for users looking to mitigate their risk, it will differ by service.
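One way to detect the pattern described above, as an added example that is not from Cisco or the original article: because the sources rotate through proxies, it counts distinct usernames failing per time window instead of failures per IP. The log format, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample auth log (hypothetical format, not a Cisco log format).
SAMPLE_LOG = """\
2024-04-16T10:00:05Z FAIL user=admin src=203.0.113.5
2024-04-16T10:00:41Z FAIL user=test src=198.51.100.7
2024-04-16T10:01:12Z FAIL user=guest src=192.0.2.44
2024-04-16T10:02:03Z FAIL user=jsmith src=203.0.113.90
2024-04-16T10:02:59Z FAIL user=backup src=198.51.100.23
2024-04-16T10:03:30Z OK user=alice src=192.0.2.10
2024-04-16T10:20:02Z FAIL user=alice src=192.0.2.10
2024-04-16T10:20:09Z FAIL user=alice src=192.0.2.10
2024-04-16T10:20:15Z FAIL user=alice src=192.0.2.10
"""

def parse(line):
    """Return (epoch_seconds, result, user, src) for one log line."""
    ts, result, user, src = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when.timestamp(), result, user.split("=", 1)[1], src.split("=", 1)[1]

def find_spraying(log_text, window_s=300, min_users=5, per_ip_limit=3):
    """Flag windows where many distinct usernames fail, however few per source IP."""
    windows = defaultdict(lambda: {"users": set(), "per_ip": defaultdict(int)})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        epoch, result, user, src = parse(line)
        if result != "FAIL":
            continue
        w = windows[int(epoch // window_s) * window_s]
        w["users"].add(user)
        w["per_ip"][src] += 1
    alerts = []
    for start, w in sorted(windows.items()):
        if len(w["users"]) >= min_users:
            alerts.append({
                "window_start": start,
                "distinct_users": len(w["users"]),
                "distinct_sources": len(w["per_ip"]),
                # True when no single source reached the per-IP limit,
                # i.e. a per-IP lockout rule alone would have stayed silent.
                "missed_by_per_ip_rule": max(w["per_ip"].values()) < per_ip_limit,
            })
    return alerts
```

On the sample, the five single-attempt failures from five addresses are flagged, while one user mistyping a password three times from one address is not. Fixed windows can split a burst across a boundary, so production rules usually use sliding windows and tuned thresholds.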

As for the attacks targeting firewalls, Palo Alto Networks last week disclosed a critical zero-day vulnerability that "may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall." Affected devices include PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal.

The company said it has already seen attacks similar in nature to those in Cisco's report being leveraged in high numbers, and it is believed that the two incidents targeting VPNs and firewalls are connected. Palo Alto Networks recommends users apply a fix that was released with the advisory.

The current wave of large-scale attacks is the latest in a growing number of attacks targeting services like VPNs. In February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted the public to an attack against Ivanti VPN technologies from a source in China.

In the advisory, the government agency recommends organizations limit outbound connections from VPN services and restrict all connections to unprivileged accounts.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

