Multiple WordPress Plugins Vulnerabilities
April 18, 2024
Severity
High
Analysis Summary
Cisco has detected a global upsurge in brute-force attacks against a variety of devices, including web application authentication interfaces, Virtual Private Network (VPN) services, and SSH services, since at least March 18, 2024.
The company said in a report, “These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies.”
According to the cybersecurity organization, successful attacks could lead to account lockouts, denial-of-service conditions, or unauthorized network access. The attacks, described as widespread and opportunistic, have targeted devices including Ubiquiti, Draytek, Mikrotik, RD Web Services, SonicWall VPN, Fortinet VPN, Checkpoint VPN, and Cisco Secure Firewall VPN.
According to Cisco Talos, the brute-forcing attempts targeted a wide range of industries and geographical regions, using both generic usernames and valid usernames specific to particular organizations. The originating IP addresses of the traffic are frequently associated with proxy services, including, among others, Proxy Rack, BigMama Proxy, IPIDEA Proxy, VPN Gate, TOR, and Space Proxies.
This development coincides with a warning from the networking equipment company about password-spraying attacks against remote access VPN services that are believed to be part of espionage activity. It also follows a report from Fortinet FortiGuard Labs stating that threat actors are distributing DDoS botnet malware families such as AGoent, Condi, Gafgyt, Mirai, Miori, and MooBot by exploiting an already-patched vulnerability in TP-Link Archer AX21 routers (CVE-2023-1389, CVSS score: 8.8).
Botnets continue to relentlessly probe for and exploit IoT vulnerabilities. Users are advised to remain vigilant about DDoS botnets and to apply patches promptly to protect their network environments from infection, which helps prevent their devices from being enlisted as bots by hostile threat actors.
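The behaviour described above, many failed logins from one source spread across both generic and organization-specific usernames, can be spotted directly in authentication logs. The following is an added detection example, not code from the advisory or from Cisco Talos; the sshd log lines, the anonymizer IP list and the thresholds are constructed for illustration (TEST-NET addresses), and a real deployment would load its proxy/Tor exit-node list from a threat-intelligence feed.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth log lines (not from the advisory): one source
# sprays many usernames, one legitimate user simply mistypes a password twice.
SAMPLE_LOG = """\
Apr 18 10:01:02 vpn1 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 18 10:01:03 vpn1 sshd[4121]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Apr 18 10:01:04 vpn1 sshd[4122]: Failed password for root from 203.0.113.7 port 51251 ssh2
Apr 18 10:01:05 vpn1 sshd[4123]: Failed password for jsmith from 203.0.113.7 port 51260 ssh2
Apr 18 10:01:06 vpn1 sshd[4124]: Failed password for invalid user oracle from 203.0.113.7 port 51266 ssh2
Apr 18 10:02:10 vpn1 sshd[4130]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Apr 18 10:02:15 vpn1 sshd[4131]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Apr 18 10:02:20 vpn1 sshd[4132]: Accepted password for alice from 198.51.100.4 port 40003 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed placeholder for the Tor exit-node / anonymizing-proxy list a
# defender maintains; in practice this comes from a threat-intel feed.
ANONYMIZER_IPS = {"203.0.113.7"}


def find_bruteforce_sources(log_text, min_failures=5, min_users=3):
    """Return {ip: summary} for sources whose failures look like a spray:
    at least `min_failures` failed logins over at least `min_users` names.
    A single user retrying their own password is left alone."""
    failures = defaultdict(list)  # source ip -> usernames attempted
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    flagged = {}
    for ip, users in failures.items():
        distinct = set(users)
        if len(users) >= min_failures and len(distinct) >= min_users:
            flagged[ip] = {
                "failures": len(users),
                "usernames": sorted(distinct),
                "anonymizer": ip in ANONYMIZER_IPS,  # raises priority if True
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures over {len(info['usernames'])} "
              f"usernames (anonymizer={info['anonymizer']}): {', '.join(info['usernames'])}")
```

The username-diversity threshold is what separates a spray from a user who forgot a password; tune `min_failures` and `min_users` to the login volume of the service being watched.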
Impact
- Denial of Service
- Unauthorized Access
- Cyber Espionage
Indicators of Compromise
IP
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Enable antivirus and anti-malware software and keep signature definitions up to date. Multi-layered protection is necessary to secure vulnerable assets.
- Immediately change default passwords on IoT devices to unique ones.
- Keep devices' firmware and software up to date to ensure that known vulnerabilities are patched.
- Isolate IoT devices from critical systems by segmenting your network.
- Implement firewalls and intrusion detection systems to monitor and control traffic to and from IoT devices.
- Employ tools that can identify unusual behavior or traffic patterns that might indicate a DDoS attack or a compromised device.
- Disable any unnecessary services or features on IoT devices to reduce their attack surface.
- Follow security best practices, such as disabling remote management if not needed and enabling security features provided by the device manufacturer.
- Deploy intrusion detection and prevention systems (IDS/IPS) to monitor for anomalous or malicious network activity.
- Set up alerts for unusual traffic patterns that might indicate a DDoS attack or a compromised device.