Analysis Summary

A global upsurge in brute-force attacks targeting a variety of devices, such as web application authentication interfaces, Virtual Private Network (VPN) services, and SSH services, has been detected since at least March 18, 2024, by Cisco.

The company said in a report, “These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies.”

According to the cybersecurity organization, successful attacks might open the door for account lockouts, denial-of-service situations, or illegal network access. Devices such as Ubiquiti, Draytek, Mikrotik, RD Web Services, SonicWall VPN, Fortinet VPN, Checkpoint VPN, and Cisco Secure Firewall VPN have been the target of the attacks, which are reported to be widespread and opportunistic.

The brute-forcing attempts, according to Cisco Talos, targeted a wide range of industries and geographical locations, using both generic and legitimate usernames for particular firms. The traffic's originating IP addresses are frequently connected to proxy services. This includes, among other things, Proxy Rack, BigMama Proxy, IPIDEA Proxy, VPN Gate, TOR, and Space Proxies.

This development coincides with a warning from the networking equipment company regarding password spray assaults that are allegedly part of espionage activities and that target remote access VPN services. It also follows a report from Fortinet FortiGuard Labs stating that DDoS botnet malware families such as AGoent, Condi, Gafgyt, Mirai, Miori, and MooBot are being distributed by threat actors using a vulnerability in TP-Link Archer AX21 routers (CVE-2023-1389, CVSS score: 8.8) that has been patched.

Botnets are still relentlessly pursuing IoT vulnerabilities and trying to take advantage of them. It is recommended that users exercise caution while dealing with DDoS botnets and rapidly update patches to protect their network settings from infection. This will help to prevent users from becoming hostile threat actors' bots.