Attackers are pummeling networks around the world with millions of login attempts

Attackers are pummeling networks around the world with millions of login attempts. Image credit: Matejmo | Getty Images

Cisco's Talos security team is warning of a large-scale credential compromise campaign that is indiscriminately assailing networks with login attempts aimed at gaining unauthorized access to VPN, SSH, and web application accounts.

The login attempts use both generic usernames and valid usernames targeted at specific organizations. Cisco included a list of more than 2,000 usernames and almost 100 passwords used in the attacks, along with nearly 4,000 IP addresses sending the login traffic. The IP addresses appear to originate from TOR exit nodes and other anonymizing tunnels and proxies. The attacks appear to be indiscriminate and opportunistic rather than aimed at a particular region or industry.

"Depending on the target environment, successful attacks of this type can lead to unauthorized network access, account lockouts, or denial-of-service conditions," Talos researchers wrote Tuesday. "The traffic related to these attacks has increased with time and is likely to continue to rise."

The attacks began no later than March 18.

Tuesday's advisory comes three weeks after Cisco warned of a similar attack campaign. Cisco described that one as a password spray directed at remote access VPNs from Cisco and third-party vendors connected to Cisco firewalls. That campaign appeared to be related to reconnaissance efforts, the company said.

The attacks included hundreds of thousands or millions of rejected authentication attempts. Cisco went on to say that users can intermittently receive an error message that states, "Unable to complete connection. Cisco Secure Desktop not installed on the client." Login attempts resulting in the error fail to complete the VPN connection process. The report also noted "symptoms of hostscan token allocation failures."

A Cisco representative said company researchers currently don't have evidence to conclusively link the activity in both instances to the same threat actor, but that there are technical overlaps in the way the attacks were carried out, as well as in the infrastructure that was used.

Talos said Tuesday that services targeted in the campaign include, but are not limited to:

- Cisco Secure Firewall VPN
- Checkpoint VPN
- Fortinet VPN
- SonicWall VPN
- RD Web Services
- Mikrotik
- Draytek
- Ubiquiti

The anonymizing IP addresses appeared to belong to services including:

- TOR
- VPN Gate
- IPIDEA Proxy
- BigMama Proxy
- Space Proxies
- Nexus Proxy
- Proxy Rack

Cisco has already added the list of IP addresses mentioned earlier to a block list for its VPN offerings. Organizations can add the addresses to block lists for any third-party VPNs they are using. A complete list of indicators of compromise is here.

Cisco has also provided a list of recommendations for preventing the attacks from succeeding. The advice includes:

- Enabling detailed logging, ideally to a remote syslog server, so that administrators can recognize and correlate attacks across the various network endpoints
- Securing default remote access accounts by sinkholing them unless they use the DefaultRAGroup and DefaultWEBVPNGroup profiles
- Blocking connection attempts from known malicious sources
- Implementing interface-level and
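To show what the logging-and-correlation advice above buys a defender, here is an added example (my own code, not Cisco's or Talos's) that reads constructed central-syslog lines from several endpoints and flags the patterns the advisory describes: one source trying many usernames, one source hitting several endpoints, and sources that appear on a block list. The log line format, the IP addresses, the BLOCK_LIST stand-in and the thresholds are all assumptions, not taken from Cisco's data.

```python
import re
from collections import defaultdict

# Constructed central-syslog lines: "<endpoint> auth-fail user=<u> src=<ip>".
# The format is invented for this example; real devices log differently.
LOG_LINES = """\
fw-hq auth-fail user=admin src=203.0.113.10
fw-hq auth-fail user=test src=203.0.113.10
fw-hq auth-fail user=vpn src=203.0.113.10
fw-branch auth-fail user=guest src=203.0.113.10
fw-branch auth-fail user=jsmith src=203.0.113.10
ssh-bastion auth-fail user=root src=203.0.113.10
fw-hq auth-fail user=jsmith src=198.51.100.7
fw-hq auth-fail user=jsmith src=198.51.100.7
fw-branch auth-fail user=mlee src=192.0.2.44
""".splitlines()

# Constructed stand-in for a published block list of anonymizing-proxy IPs.
BLOCK_LIST = {"192.0.2.44"}

LINE_RE = re.compile(r"^(?P<endpoint>\S+) auth-fail user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Yield (endpoint, user, src) for each well-formed failure line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["endpoint"], m["user"], m["src"]


def correlate(lines, block_list, spray_users=4, min_endpoints=2):
    """Group failures by source IP across all endpoints and tag each source.
    Thresholds are assumptions. Returns {src: [tags]} for flagged sources only."""
    users, endpoints = defaultdict(set), defaultdict(set)
    for endpoint, user, src in parse(lines):
        users[src].add(user)
        endpoints[src].add(endpoint)
    findings = {}
    for src in users:
        tags = []
        if len(users[src]) >= spray_users:       # many usernames, one source
            tags.append("password-spray")
        if len(endpoints[src]) >= min_endpoints:  # same source seen on several devices
            tags.append("multi-endpoint")
        if src in block_list:                     # known anonymizer / published IoC
            tags.append("blocklisted-source")
        if tags:
            findings[src] = tags
    return findings


if __name__ == "__main__":
    for src, tags in sorted(correlate(LOG_LINES, BLOCK_LIST).items()):
        print(f"{src}: {', '.join(tags)}")
```

A source that only fails repeatedly against one username on one device (198.51.100.7 above) is deliberately not flagged, since that looks like a user mistyping rather than a spray.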

