Cisco’s Talos Security Team Warns of Large-Scale Credential Compromise Campaign
Cisco's Talos team has issued an alert about a large-scale credential compromise campaign now underway. The campaign launches high volumes of login attempts against VPN, SSH, and web application accounts in order to gain unauthorized access, and Talos rates it a severe threat to a wide range of networks.
Overview of the Attack
These illicit login attempts encompass a broad spectrum, ranging from the use of generic usernames to strategically targeting specific organizations with valid usernames. A repository containing over 2,000 usernames, nearly 100 passwords utilized in the attacks, and close to 4,000 IP addresses transmitting the login traffic has been made available by Cisco. Notably, the IP addresses originate from TOR exit nodes and other anonymizing tunnels and proxies, suggesting a deliberate effort to obfuscate the true source of the attacks.
It is crucial to highlight that these attacks are characterized by their indiscriminate nature, devoid of any specific geographical or sector-specific targeting. The primary objective appears to be opportunistic in nature, intending to exploit vulnerabilities rather than focus on a particular industry or region.
Implications and Risks
According to the analysis provided by Talos researchers, successful breaches of this kind hold the potential to result in unauthorized network access, user account lockouts, or even trigger denial-of-service conditions within the affected systems. Moreover, the increasing volume of malicious login attempts indicates a growing threat landscape that organizations must vigilantly defend against.
The campaign of attacks was initiated no later than March 18, sending ripples of concern across various cybersecurity circles due to its scale and persistence. This advisory arrives in the wake of a previous warning issued by Cisco regarding a similar assault, which centered on password spray attacks targeting remote access VPNs associated with Cisco and third-party providers linked to Cisco firewalls.
Technical Insights and Response
Although no definitive evidence has been presented to establish a direct correlation between the recent activities and the prior attack campaign, technical overlaps in the execution of the assaults and the underlying infrastructure utilized suggest a potential link between the two incidents.
The specific services that have been targeted by these malicious activities include, but are not limited to:
- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- Mikrotik
- Draytek
- Ubiquiti
Furthermore, the anonymization IPs associated with the attacks have been traced back to services such as TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack. Cisco has already taken proactive measures by implementing a block list for these IP addresses within its VPN offerings, urging organizations to follow suit and add them to the block lists of any third-party VPN solutions.
Countermeasures and Recommendations
A comprehensive list of indicators of compromise has been provided by Cisco, guiding organizations on how to fortify their defenses against such attacks. Key recommendations include:
- Enabling detailed logging and forwarding logs to a remote syslog server for centralized monitoring and analysis
- Securing default remote access accounts by restricting access unless utilizing designated profiles
- Blocking connection attempts from known malicious sources
- Implementing interface-level and control plane access control lists to filter out unauthorized IPs initiating VPN sessions
- Utilizing the ‘shun’ command
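The first and third recommendations above (forward authentication logs to a central collector, then block known malicious sources) and the indicator repository described earlier can be tied together in a small detection step. The following is an added example, not code from Cisco or Talos: it parses constructed sample log lines written in the style of Cisco ASA AAA rejection messages (message ID 113005) and Linux sshd failures, counts failures and distinct usernames per source IP, matches sources against a stand-in for the published IP list, and emits ASA `shun` commands for the flagged sources. The thresholds, sample lines, and the `KNOWN_BAD_IPS` set are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the Talos advisory):
# four Cisco ASA AAA rejections and four sshd events, one of them a success.
SAMPLE_LOGS = [
    "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.9 : user = admin : user IP = 203.0.113.10",
    "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.9 : user = test : user IP = 203.0.113.10",
    "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.9 : user = cisco : user IP = 203.0.113.10",
    "%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.9 : user = jsmith : user IP = 198.51.100.7",
    "Apr 18 10:02:11 vpn-gw sshd[4120]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2",
    "Apr 18 10:02:13 vpn-gw sshd[4121]: Failed password for invalid user guest from 203.0.113.10 port 51023 ssh2",
    "Apr 18 10:05:40 vpn-gw sshd[4130]: Failed password for jsmith from 198.51.100.7 port 40001 ssh2",
    "Apr 18 10:06:02 vpn-gw sshd[4131]: Accepted publickey for jsmith from 198.51.100.7 port 40002 ssh2",
]

# Constructed stand-in for the IP addresses in Cisco's indicator repository.
# In practice this set would be loaded from the published list.
KNOWN_BAD_IPS = {"192.0.2.44", "203.0.113.10"}

# ASA 113005: "... : user = <name> : user IP = <addr>"
ASA_RE = re.compile(r"%ASA-6-113005: .*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
# sshd: "Failed password for [invalid user ]<name> from <addr> port ..."
SSH_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_failure(line):
    """Return (source_ip, username) for an authentication failure, else None."""
    for rx in (ASA_RE, SSH_RE):
        m = rx.search(line)
        if m:
            return m.group("ip"), m.group("user")
    return None


def summarize(lines):
    """Aggregate failures and the set of attempted usernames per source IP."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successes and unrelated messages are ignored
        ip, user = parsed
        per_ip[ip]["failures"] += 1
        per_ip[ip]["users"].add(user)
    return per_ip


def flag_sources(lines, known_bad=KNOWN_BAD_IPS, max_failures=5, max_users=3):
    """Return {ip: [reasons]} for sources that hit a listed indicator or a
    volume threshold. Many distinct usernames from one source is the
    signature of spraying generic or harvested account names."""
    flagged = {}
    for ip, stats in summarize(lines).items():
        reasons = []
        if ip in known_bad:
            reasons.append("listed indicator")
        if stats["failures"] >= max_failures:
            reasons.append(f"{stats['failures']} failures")
        if len(stats["users"]) >= max_users:
            reasons.append(f"{len(stats['users'])} distinct usernames")
        if reasons:
            flagged[ip] = reasons
    return flagged


def shun_commands(flagged):
    """Render ASA 'shun <ip>' lines for each flagged source, sorted for stable output."""
    return [f"shun {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = flag_sources(SAMPLE_LOGS)
    for ip, reasons in hits.items():
        print(f"{ip}: {', '.join(reasons)}")
    print("\n".join(shun_commands(hits)))
```

Run against the sample, only 203.0.113.10 is flagged: it is on the indicator list, produced five failures, and cycled through four usernames across both the ASA and the SSH service. The legitimate user at 198.51.100.7, who mistyped a password twice and then logged in with a key, stays below every threshold. The thresholds should be tuned to the real failure rate of the environment before any shun is applied automatically.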
It is imperative for remote access VPNs to adopt certificate-based authentication and adhere to additional hardening measures provided by Cisco to bolster their security posture against potential threats.
The escalation of these large-scale brute force attacks underscores the critical importance of robust cybersecurity protocols and proactive defense mechanisms to safeguard sensitive data and networks from malicious intrusions.