Cisco Talos Alerts on Global Surge of Brute-Force Attacks: TOR Exit Nodes and Anonymizing Tunnels Identified as Origins

Cisco Talos, along with the Duo Security Research team, extends its gratitude to Brandon White, Phillip Schafer, Mike Moran, and Becca Lynch for their groundbreaking research that has uncovered a concerning trend in cyberattacks.

Since March 18, 2024, Cisco Talos has been closely monitoring a significant rise in brute-force attacks targeting various entities globally. These attacks are directed towards Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, posing a serious threat to cybersecurity.

What's particularly alarming is that these attacks are emanating from TOR exit nodes, as well as a spectrum of other anonymizing tunnels and proxies. This sophisticated approach to conceal the attackers' identities makes it challenging to trace and thwart these malicious activities effectively.

The repercussions of successful attacks of this nature can be severe, ranging from unauthorized network access and account lockouts to potential denial-of-service (DoS) scenarios. As the frequency of these attacks continues to escalate, it's imperative for organizations to fortify their defenses and remain vigilant against evolving threats.

While the list of known affected services includes VPN services, web authentication interfaces, and SSH services, it's crucial to note that these attacks may extend to other services as well. Organizations across various sectors must be proactive in implementing robust security measures to mitigate the risks posed by these brute-force attacks.

Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise. Known affected services are listed below. However, additional services may be impacted by these attacks. 

• Cisco Secure Firewall VPN 
• Checkpoint VPN  
• Fortinet VPN  
• SonicWall VPN  
• RD Web Services 
• Miktrotik 
• Draytek 
• Ubiquiti 

The brute-forcing attempts use generic usernames and valid usernames for specific organizations. The targeting of these attacks appears to be indiscriminate and not directed at a particular region or industry. The source IP addresses for this traffic are commonly associated with proxy services, which include, but are not limited to:  

• TOR   
• VPN Gate  
• IPIDEA Proxy  
• BigMama Proxy  
• Space Proxies  
• Nexus Proxy  
• Proxy Rack 

Cisco Talos remains committed to monitoring and analyzing these threats, collaborating with industry experts, and providing timely insights and solutions to safeguard digital infrastructures against emerging cyber threats.

https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/