
Hackers are bombarding networks globally with millions of login attempts.

Posted on 19/04/2024

Cisco’s Talos security team is issuing an alert about a widespread credential theft effort that is targeting networks through numerous login attempts. The goal is to gain unauthorised entry into VPN, SSH, and web application accounts.

The login attempts involve both common and specific usernames targeted at particular organizations. Cisco has documented over 2,000 usernames and nearly 100 passwords utilized in these attacks, along with almost 4,000 IP addresses directing the login traffic. These IP addresses seem to originate from TOR exit nodes and various anonymizing proxies and tunnels. The nature of these attacks is generally random and opportunistic, rather than focused on any specific region or industry.
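Because the attempts are spread across thousands of anonymizing addresses, a per-IP failure limit rarely trips, so detection has to aggregate across sources. The following is an added example, not from Talos or Cisco: it parses OpenSSH failed-password lines and alerts when failures in a short window span many usernames and many source addresses. The thresholds, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# OpenSSH failed-password line, e.g.
# "Apr 16 10:00:01 gw sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse(lines, year=2024):
    """Yield (time, user, ip) per failed-password line; syslog omits the year (assumed)."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_distributed_spray(lines, window=timedelta(minutes=5),
                             min_users=5, min_sources=5, per_ip_limit=3):
    """Alert when failures inside the window span many users AND many sources."""
    recent, alerts, alerting = deque(), [], False
    for ts, user, ip in parse(lines):
        recent.append((ts, user, ip))
        while recent and ts - recent[0][0] > window:
            recent.popleft()                      # drop events older than the window
        users = {u for _, u, _ in recent}
        per_ip = Counter(i for _, _, i in recent)
        hit = len(users) >= min_users and len(per_ip) >= min_sources
        if hit and not alerting:                  # one alert per burst, not per line
            alerts.append({"at": ts, "users": len(users), "sources": len(per_ip),
                           # would a classic per-IP failure limit have fired?
                           "per_ip_rule_fired": max(per_ip.values()) > per_ip_limit})
        alerting = hit
    return alerts

# Constructed sample: 8 failures 20 s apart, each from a different address
# (RFC 5737 documentation range) with a different username, then one
# unrelated failure much later.
NAMES = ["admin", "root", "test", "vpnuser", "backup", "guest", "jsmith", "svc_web"]
SAMPLE = [f"Apr 16 10:{i // 3:02d}:{(i % 3) * 20:02d} gw sshd[{900 + i}]: Failed password "
          f"for invalid user {n} from 203.0.113.{10 + i} port {40000 + i} ssh2"
          for i, n in enumerate(NAMES)]
SAMPLE.append("Apr 16 11:30:00 gw sshd[990]: Failed password for root "
              "from 198.51.100.7 port 50000 ssh2")

if __name__ == "__main__":
    for alert in detect_distributed_spray(SAMPLE):
        print(alert)
```

On the sample, the aggregate rule fires once while `per_ip_rule_fired` stays false, which is the gap a per-address lockout leaves against this kind of traffic.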

Talos researchers explained that, depending on the targeted environment, successful breaches could result in unauthorised network access, account lockouts, or even denial-of-service situations. They noted that the volume of traffic from these attacks has been growing over time and is expected to keep increasing.

A Cisco spokesperson noted that while there is currently no definitive evidence linking the same threat actor to both instances of attacks, there are technical similarities in how the attacks were executed and the infrastructure utilized.

On Tuesday, Talos reported that the targeted services in the attack campaign include, but are not limited to, the following:

  • Cisco Secure Firewall VPN
  • Checkpoint VPN
  • Fortinet VPN
  • SonicWall VPN
  • RD Web Services
  • Mikrotik
  • Draytek
  • Ubiquiti

Additionally, the IPs used for anonymization were traced back to services such as:

  • TOR
  • VPN Gate
  • IPIDEA Proxy
  • BigMama Proxy
  • Space Proxies
  • Nexus Proxy
  • Proxy Rack

Keep your router firmware up to date, and if your router is end of life, it may be time to consider a replacement.