For a month now, hackers have been conducting a large-scale credential stuffing attack on multiple Virtual Private Network (VPN) instances around the world. At this point it’s hard to say who is behind the attack, or what the motives are, but investigators have some clues.
As reported by Ars Technica, Cisco’s Talos security team recently warned of an ongoing campaign in which attackers keep trying more than 2,000 usernames and around 100 passwords against different VPNs. Some of the products in the attackers’ crosshairs include Cisco Secure Firewall VPN, Check Point VPN, Fortinet VPN, SonicWall VPN, RD Web Services, MikroTik, DrayTek, and Ubiquiti, but others could also be targeted.
The victims are spread across the world and operate in different industries, leading researchers to conclude that the attackers do not have a preferred target, but rather cast as wide a net as possible.
Growing in strength
“Depending on the target environment, successful attacks of this type can lead to unauthorized network access, account lockout, or denial-of-service conditions,” the researchers said in their report. “Traffic associated with these attacks has increased over time and will likely continue to increase.”
While the evidence is inconclusive, researchers believe this could be the work of the same threat actor who targeted Cisco a few weeks ago. They base this assessment on two facts: there are “technical overlaps” in the way the attacks were carried out, and the same infrastructure was used in both cases. In the Cisco campaign the goal was reconnaissance, so the speculation is that reconnaissance is the goal this time as well.
The IP addresses found in the previous attack have already been added to Cisco’s block list for its VPN, and organizations concerned about these attacks are advised to do the same for any third-party VPN they have deployed.
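The pattern described above (a large username list tried with a small password pool from the same source, producing mostly failures) is what a defender can key on in VPN authentication logs. The following is an added example, not code from the original article or from any of the vendors named in it: it parses a constructed, hypothetical log format (timestamp, source IP, username, result), flags source IPs whose attempts span many distinct usernames with a high failure ratio inside a short window, and turns the hits into block list candidates. The thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log in a hypothetical format
# (ISO timestamp, source IP, username, result); not any vendor's real format.
SAMPLE_LOG = """\
2024-04-01T10:00:01Z 203.0.113.10 alice FAIL
2024-04-01T10:00:02Z 203.0.113.10 bob FAIL
2024-04-01T10:00:03Z 203.0.113.10 carol FAIL
2024-04-01T10:00:04Z 203.0.113.10 dave FAIL
2024-04-01T10:00:05Z 203.0.113.10 erin FAIL
2024-04-01T10:00:06Z 203.0.113.10 frank FAIL
2024-04-01T10:00:07Z 203.0.113.10 grace FAIL
2024-04-01T10:00:08Z 203.0.113.10 heidi FAIL
2024-04-01T10:00:09Z 203.0.113.10 ivan FAIL
2024-04-01T10:00:10Z 203.0.113.10 judy OK
2024-04-01T10:01:00Z 198.51.100.7 alice FAIL
2024-04-01T10:01:30Z 198.51.100.7 alice OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.8):
    """Group attempts by source IP and flag IPs that tried at least `min_users`
    distinct usernames within `window` with a failure ratio >= `min_fail_ratio`.

    Keying on the source rather than the account is deliberate: locking every
    sprayed account would hand the attacker the denial of service the report
    warns about, whereas a per-source verdict feeds an IP block list.
    """
    per_ip = defaultdict(lambda: {"first": None, "last": None, "users": set(),
                                  "attempts": 0, "failures": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, result = parse_line(raw)
        s = per_ip[ip]
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["users"].add(user)
        s["attempts"] += 1
        if result != "OK":
            s["failures"] += 1

    hits = {}
    for ip, s in per_ip.items():
        span = s["last"] - s["first"]
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio and span <= window:
            hits[ip] = {"attempts": s["attempts"],
                        "distinct_users": len(s["users"]),
                        "failures": s["failures"],
                        "fail_ratio": round(ratio, 2),
                        "span_seconds": int(span.total_seconds())}
    return hits


def blocklist_candidates(hits):
    """Source IPs to add to the VPN's block list, sorted for stable output."""
    return sorted(hits)


if __name__ == "__main__":
    found = detect_stuffing(SAMPLE_LOG)
    for ip, stats in found.items():
        print(ip, stats)
    print("block:", blocklist_candidates(found))
```

In the constructed sample, 203.0.113.10 is flagged (ten usernames, nine failures in nine seconds) while 198.51.100.7, a user mistyping a password once, is not. Note that the flagged source also has one successful login; any success from a source that is otherwise stuffing is the signal that a valid credential was found, and that account needs a password reset alongside the IP block.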