For a month now, hackers have been mounting a large-scale credential stuffing attack against multiple Virtual Private Network (VPN) instances around the world. At the moment, it’s hard to say who is behind the attack, or what the motives are, but researchers have some clues.
As reported by Ars Technica, Cisco’s Talos security team recently warned of an ongoing campaign in which attackers keep trying more than 2,000 usernames and some 100 passwords against different VPNs. Some of the products in the attackers’ crosshairs include Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, SonicWall VPN, RD Web Services, Mikrotik, Draytek, and Ubiquiti, however others could be targeted, as well.
The victims are scattered all over the world, and operate in various verticals, prompting the researchers to conclude that the attackers don’t have a preferred target, but are rather casting as wide of a net as possible.
Growing in strength
“Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions,” the researchers said in their report. “The traffic related to these attacks has increased with time and is likely to continue to rise.”
While the evidence is inconclusive, the researchers believe this could be the work of the same threat actor that targeted Cisco a few weeks back. They are basing this assumption on the facts that there are “technical overlaps” in how the attacks were conducted, and that in both instances, the same infrastructure was used. In the Cisco campaign, the goal was reconnaissance, so the speculation is that it’s the same this time around.
The IP addresses found from the previous attack were already added to Cisco’s block list for its VPN, and organizations worried about these attacks are advised to do the same, for any third-party VPN they have deployed.