
Many firewall vendors are warning of a significant increase in brute-force attacks against a variety of devices, notably Virtual Private Network (VPN) services, web application authentication interfaces, and Secure Shell (SSH) services. The surge in such attacks has been observed globally since April 2024.

According to Cisco’s security team, Talos, these attacks primarily originate from Tor exit nodes and use a variety of anonymizing channels such as tunnels and proxies. If successful, the brute-force attempts can give attackers unauthorized access to networks, trigger account lockouts, or cause denial-of-service conditions.

The following devices have been identified as primary targets of these attacks:

  • Cisco Secure Firewall VPN
  • Check Point VPN
  • Fortinet VPN
  • SonicWall VPN
  • RD Web Services
  • MikroTik
  • DrayTek
  • Ubiquiti

Cisco Talos reports that these brute-force campaigns are utilizing both common and organization-specific usernames, striking a diverse array of sectors indiscriminately worldwide.

The attackers are using IP addresses typically associated with proxy services to mask their activities. These proxies include Tor, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack, among others. A comprehensive list of indicators, including the IP addresses and the usernames and passwords used in these attacks, has been made available for further investigation.

This warning follows reports of password spray attacks against remote access VPN services, which Cisco identified as part of broader reconnaissance activity. The announcement also coincides with recent findings from Fortinet FortiGuard Labs that threat actors continue to exploit a previously patched security vulnerability in TP-Link Archer AX21 routers (CVE-2023-1389, CVSS score: 8.8). The vulnerability is being exploited primarily to distribute DDoS botnet malware, including AGoent, Condi, Gafgyt, Mirai, Miori, and MooBot.
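The two login-guessing patterns described above, many guesses against one account (classic brute force) and a few guesses spread across many usernames from one source (password spraying), can be told apart from failed-authentication logs. The following is an added example, not code from the advisory, Cisco Talos or any vendor: it aggregates sshd failures per source IP, labels each source, and notes whether the tried usernames go beyond generic defaults (which is what the "organization-specific usernames" observation implies). The log lines, hostname, IP addresses, GENERIC_USERS list and thresholds are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sshd log excerpt (placeholder host and documentation-range IPs, not real indicators).
SAMPLE_LOG = """\
Apr 16 10:01:02 vpn01 sshd[2311]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Apr 16 10:01:03 vpn01 sshd[2312]: Failed password for invalid user test from 198.51.100.7 port 51023 ssh2
Apr 16 10:01:04 vpn01 sshd[2313]: Failed password for invalid user guest from 198.51.100.7 port 51024 ssh2
Apr 16 10:01:05 vpn01 sshd[2314]: Failed password for root from 198.51.100.7 port 51025 ssh2
Apr 16 10:01:06 vpn01 sshd[2315]: Failed password for jsmith from 198.51.100.7 port 51026 ssh2
Apr 16 10:02:00 vpn01 sshd[2320]: Failed password for root from 203.0.113.9 port 40001 ssh2
Apr 16 10:02:01 vpn01 sshd[2321]: Failed password for root from 203.0.113.9 port 40002 ssh2
Apr 16 10:02:02 vpn01 sshd[2322]: Failed password for root from 203.0.113.9 port 40003 ssh2
Apr 16 10:02:03 vpn01 sshd[2323]: Failed password for root from 203.0.113.9 port 40004 ssh2
Apr 16 10:02:04 vpn01 sshd[2324]: Failed password for root from 203.0.113.9 port 40005 ssh2
Apr 16 10:03:00 vpn01 sshd[2330]: Failed password for alice from 192.0.2.44 port 50100 ssh2
Apr 16 10:03:30 vpn01 sshd[2331]: Accepted password for alice from 192.0.2.44 port 50101 ssh2
"""

# Matches failed logins only; "invalid user" is optional because sshd omits it for existing accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Generic default names typical of indiscriminate sweeps (assumed list); anything else is treated
# as an organization-specific account name.
GENERIC_USERS = {"admin", "root", "test", "guest", "user", "ubnt", "pi", "support"}

def classify_sources(log_text, min_attempts=5, spray_min_users=4):
    """Per source IP crossing min_attempts failures: 'password-spray' when at least
    spray_min_users distinct accounts were tried, else 'brute-force'. 'targeted' is
    True when any tried username is not a generic default."""
    attempts, users = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    verdicts = {}
    for ip, count in attempts.items():
        if count < min_attempts:
            continue  # below threshold: most likely a legitimate user mistyping a password
        tried = users[ip]
        verdicts[ip] = {
            "kind": "password-spray" if len(tried) >= spray_min_users else "brute-force",
            "attempts": count,
            "users": sorted(tried),
            "targeted": not tried <= GENERIC_USERS,
        }
    return verdicts
```

In production the same aggregation should be keyed on a time window as well, since the campaigns rotate through proxy exit addresses and a per-IP count alone will under-report them.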

These ongoing threats underscore the importance of robust cybersecurity practices and the need for continuous monitoring and updating of security protocols to defend against these opportunistic cyber attacks.