Credential spraying from thousands of IP addresses are targeting VPNs, Cisco warns

News
By Sead Fadilpašić
published

Cisco Talos finds someone is targeting all sorts of VPNs

Password Security
Bästa tjänsterna för lösenordshantering (Image credit: Shutterstock)

For a month now, hackers have been mounting a large-scale credential stuffing attack against multiple Virtual Private Network (VPN) instances around the world. At the moment, it’s hard to say who is behind the attack, or what the motives are, but researchers have some clues.

As reported by Ars Technica, Cisco’s Talos security team recently warned of an ongoing campaign in which attackers keep trying more than 2,000 usernames and some 100 passwords against different VPNs. Some of the products in the attackers’ crosshairs include Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, SonicWall VPN, RD Web Services, Mikrotik, Draytek, and Ubiquiti, however others could be targeted, as well.

The victims are scattered all over the world, and operate in various verticals, prompting the researchers to conclude that the attackers don’t have a preferred target, but are rather casting as wide of a net as possible.

Growing in strength

“Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions,” the researchers said in their report. “The traffic related to these attacks has increased with time and is likely to continue to rise.”

While the evidence is inconclusive, the researchers believe this could be the work of the same threat actor that targeted Cisco a few weeks back. They are basing this assumption on the facts that there are “technical overlaps” in how the attacks were conducted, and that in both instances, the same infrastructure was used. In the Cisco campaign, the goal was reconnaissance, so the speculation is that it’s the same this time around.

The IP addresses found from the previous attack were already added to Cisco’s block list for its VPN, and organizations worried about these attacks are advised to do the same, for any third-party VPN they have deployed.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.