Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs

Published: 23/11/2024   Category: security




Attackers are indiscriminately targeting VPNs from Cisco and several other vendors in what may be a reconnaissance effort, the vendor says.



Cisco Talos this week warned of a massive increase in brute-force attacks targeting VPN services, SSH services, and Web application authentication interfaces.
In its advisory, the company described the attacks as involving the use of generic and valid usernames to try to gain initial access to victim environments. The targets of these attacks appear to be random and indiscriminate and not restricted to any industry sector or geography, Cisco said.
The company identified the attacks as impacting organizations using Cisco Secure Firewall VPN devices and technologies from several other vendors, including Checkpoint VPN, Fortinet VPN, SonicWall VPN, Mikrotik, and Draytek.
Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions, a Cisco Talos statement explained. The vendor noted the surge in attacks began around March 28 and warned of a likely increase in attack volumes in the coming days.
Cisco did not immediately respond to a Dark Reading inquiry regarding the sudden explosion in attack volumes and whether they're the work of a single threat actor or multiple threat actors. Its advisory identified the source IP addresses for the attack traffic as proxy services associated with Tor, Nexus Proxy, Space Proxies, and BigMama Proxy.
Cisco's advisory linked to indicators of compromise — including IP addresses and credentials associated with the attacks — while also noting the potential for these IP addresses to change over time.
The new wave of attacks is consistent with the surging interest among threat actors in the VPNs and other technologies that organizations have deployed in recent years to support remote access requirements for employees. Attackers — including nation-state actors — have ferociously targeted vulnerabilities in these products to try and break into enterprise networks, prompting multiple advisories from the likes of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA), and others.
A study by Securin showed that the number of vulnerabilities that researchers, threat actors, and vendors themselves have discovered in VPN products increased 875% between 2020 and 2024. The researchers noted how 147 flaws across eight different vendors' products grew to nearly 1,800 flaws across 78 products. Securin also found that attackers have weaponized 204 of the total disclosed vulnerabilities so far. Of these, advanced persistent threat (APT) groups such as Sandworm, APT32, APT33, and Fox Kitten had exploited 26 flaws, while ransomware groups like REvil and Sodinokibi had exploits for another 16.
Cisco's latest advisory appears to have stemmed from multiple reports the company received about password-spraying attacks targeting remote access VPN services involving Cisco's products and those from multiple other vendors. In a password-spraying attack, an adversary attempts to gain brute-force access to multiple accounts by trying a small set of default and common passwords across all of them, rather than many passwords against one account.
"This activity appears to be related to reconnaissance efforts," Cisco said in a separate April 15 advisory that offered recommendations for organizations against password-spraying attacks. The advisory highlighted three symptoms of an attack that users of Cisco VPNs might observe: VPN connection failures, HostScan token failures, and an unusual number of authentication requests.
The company recommended that organizations enable logging on their devices, secure default remote access VPN profiles, and block connection attempts from malicious sources via access control lists and other mechanisms.
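One way to act on the third symptom, an unusual number of authentication requests, once device logging is enabled: an added Python example (not Cisco's tooling or code from the advisory) that walks constructed VPN authentication log lines and flags sources whose failures spread across many different usernames in a short window. The log line format and the thresholds are assumptions, not any vendor's real syslog layout; the point is the signature that separates spraying (many users, few tries each) from single-account brute force.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any vendor's real syslog layout):
#   <ISO timestamp> auth_result=<OK|FAIL> user=<name> src=<ip>
LINE_RE = re.compile(r"^(\S+) auth_result=(\w+) user=(\S+) src=(\S+)$")

def parse_line(line):
    """Return (timestamp, result, user, src) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src

def detect_spraying(lines, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: distinct_users} for sources whose failed logins touched at
    least `min_users` distinct usernames inside one `window` (the spraying
    signature: many users, few tries each; single-user brute force is not flagged)."""
    fails = defaultdict(list)  # src -> [(ts, user)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev[1] == "FAIL":
            fails[ev[3]].append((ev[0], ev[2]))
    alerts = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until events[start:end+1] fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = max(len(users), alerts.get(src, 0))
    return alerts

# Constructed sample: one source spraying five accounts, one legitimate user mistyping.
SAMPLE_LOGS = [
    "2024-04-15T09:00:01 auth_result=FAIL user=admin src=203.0.113.10",
    "2024-04-15T09:00:04 auth_result=FAIL user=test src=203.0.113.10",
    "2024-04-15T09:00:07 auth_result=FAIL user=vpn src=203.0.113.10",
    "2024-04-15T09:00:11 auth_result=FAIL user=jsmith src=203.0.113.10",
    "2024-04-15T09:00:15 auth_result=FAIL user=guest src=203.0.113.10",
    "2024-04-15T09:01:00 auth_result=FAIL user=alice src=198.51.100.7",
    "2024-04-15T09:01:30 auth_result=FAIL user=alice src=198.51.100.7",
    "2024-04-15T09:02:00 auth_result=OK user=alice src=198.51.100.7",
]
```

Flagged sources are candidates for the access-control-list blocking the advisory recommends; since the proxy exit addresses change over time, the window-based rule is more durable than a static IP list.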
"What is important here is that this attack is not against a software or hardware vulnerability, which usually requires patches," Jason Soroko, senior vice president of product at Sectigo, said in an emailed statement. The attackers in this instance are attempting to take advantage of weak password management practices, he said, so the focus should be on implementing strong passwords or implementing passwordless mechanisms to protect access.
