Cisco Talos: Hackers attack VPN services around the world

Father

Hackers hack Cisco VPN, CheckPoint, Fortinet!

Researchers at Cisco Talos have discovered a large-scale credential brute-forcing campaign targeting VPN and SSH services on devices from vendors including Cisco, CheckPoint, Fortinet, SonicWall and Ubiquiti.

The campaign relies on brute force: automated attempts with many username and password combinations in order to gain unauthorized access to the devices and the internal networks behind them. The username lists mix generic accounts (the kind found on many systems) with valid usernames belonging to specific organizations.

According to the researchers, the attacks began on March 18, 2024. The attempts originate from TOR exit nodes and from various anonymizing tunnels and proxy services, which makes blocking by source address ineffective against the participants.

"Depending on the original target, these attacks may result in unauthorized network access, account blocking, or denial-of-service conditions," Cisco Talos warns.

The services used to conduct attacks include TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack.

The list of actively attacked services includes:
  • Cisco Secure Firewall VPN;
  • Checkpoint VPN;
  • Fortinet VPN;
  • SonicWall VPN;
  • RD Web Services;
  • MikroTik;
  • Draytek;
  • Ubiquiti.

The attacks are not focused on any particular industry or region, which points to opportunistic rather than targeted activity.

The Talos team has published a complete list of indicators of compromise (IoCs) on GitHub, including the attackers' IP addresses and the usernames and passwords used in the brute-force attempts.

At the end of March 2024, Cisco had already warned about a wave of attacks aimed specifically at the remote-access VPN service on Cisco Secure Firewall devices. That activity was password spraying: a small set of commonly used passwords is tried against many usernames, which keeps the number of failures per account low enough to avoid lockout thresholds and works well wherever password policies are weak.

A link between those earlier attacks and the current campaign has not yet been confirmed; Talos is still investigating whether the two sets of activity are connected.
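The two patterns described in this post (a single source spraying a few passwords across many usernames, and a distributed campaign hitting one account from many TOR exit nodes and proxies) are both visible in VPN authentication logs if you look at the right aggregates. The script below is an added example written for this page, not code from Cisco Talos: it parses a constructed, simplified log format (timestamp, source IP, username, result), flags source IPs that fail against many distinct usernames in a short window, flags usernames that fail from many distinct sources in a short window, matches source IPs against an IoC list, and reports any successful login from a flagged source. The log lines and the IoC entries are made up for the example and are not the real Talos IoCs; the thresholds are assumptions to be tuned per environment.

```python
"""Password-spraying / distributed brute-force detection over VPN auth logs.

Added example for this page, not Cisco Talos code. The log format, the sample
lines and the IoC entries below are constructed for the example; the real
Talos IoC list on GitHub would be loaded in place of SAMPLE_IOCS."""

from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: one source spraying many accounts (then succeeding on
# one), one account sprayed from several proxy addresses, and benign noise.
SAMPLE_LOG = """\
2024-03-18T10:00:01Z 203.0.113.10 admin FAIL
2024-03-18T10:00:02Z 203.0.113.10 test FAIL
2024-03-18T10:00:03Z 203.0.113.10 guest FAIL
2024-03-18T10:00:04Z 203.0.113.10 vpn FAIL
2024-03-18T10:00:05Z 203.0.113.10 user FAIL
2024-03-18T10:00:06Z 203.0.113.10 jsmith FAIL
2024-03-18T10:02:00Z 203.0.113.10 jsmith OK
2024-03-18T10:01:10Z 198.51.100.7 jdoe FAIL
2024-03-18T10:01:15Z 198.51.100.8 jdoe FAIL
2024-03-18T10:01:20Z 198.51.100.9 jdoe FAIL
2024-03-18T10:01:25Z 198.51.100.10 jdoe FAIL
2024-03-18T10:05:00Z 192.0.2.55 alice FAIL
2024-03-18T10:05:30Z 192.0.2.55 alice OK
2024-03-18T11:30:00Z 203.0.113.10 bob FAIL
"""

# Constructed IoC entries (single IPs or CIDR ranges), not the real Talos list.
SAMPLE_IOCS = ["203.0.113.0/24", "198.51.100.7"]

WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result == "OK"))
    return events


def load_iocs(entries):
    """Parse IoC strings into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_iocs(events, iocs):
    """Source IPs seen in the log that fall inside any IoC network."""
    hits = set()
    for _, src, _, _ in events:
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in iocs):
            hits.add(src)
    return sorted(hits)


def _max_distinct_in_window(hits, window):
    """hits: list of (timestamp, value). Largest number of distinct values
    observed inside any interval of length `window` starting at a hit."""
    hits = sorted(hits)
    best = 0
    for i, (start, _) in enumerate(hits):
        seen = {v for t, v in hits[i:] if t - start <= window}
        best = max(best, len(seen))
    return best


def detect_spraying(events, min_users=5, min_sources=3, window=WINDOW):
    """Flag sources that fail against many accounts (classic spray) and
    accounts that fail from many sources (distributed spray via proxies/TOR)."""
    by_src = defaultdict(list)   # src  -> [(ts, user)]
    by_user = defaultdict(list)  # user -> [(ts, src)]
    for ts, src, user, ok in events:
        if not ok:
            by_src[src].append((ts, user))
            by_user[user].append((ts, src))
    spraying_sources = [s for s, h in by_src.items()
                        if _max_distinct_in_window(h, window) >= min_users]
    targeted_users = [u for u, h in by_user.items()
                      if _max_distinct_in_window(h, window) >= min_sources]
    return {"spraying_sources": sorted(spraying_sources),
            "targeted_users": sorted(targeted_users)}


def compromised_accounts(events, flagged_sources):
    """Successful logins from a flagged source: the alert that actually matters."""
    flagged = set(flagged_sources)
    return sorted((user, src) for _, src, user, ok in events if ok and src in flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    ioc_hits = match_iocs(evs, load_iocs(SAMPLE_IOCS))
    report = detect_spraying(evs)
    print("IoC matches:      ", ioc_hits)
    print("spraying sources: ", report["spraying_sources"])
    print("targeted accounts:", report["targeted_users"])
    print("successful logins from flagged sources:",
          compromised_accounts(evs, set(ioc_hits) | set(report["spraying_sources"])))
```

Per-source thresholds alone miss the distributed case, which is exactly what routing through TOR exit nodes and commercial proxies buys the attacker; aggregating failures per username across all sources catches it even when each individual address only makes one attempt. Whatever the thresholds, a success from a flagged address should be treated as a likely compromised account rather than as a false positive cleared by the user knowing the password.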
 