Tag: targeting

Credential spraying from thousands of IP addresses are targeting VPNs, Cisco warns

Post author By lisa nichols
Post date April 18, 2024
No Comments on Credential spraying from thousands of IP addresses are targeting VPNs, Cisco warns

[ad_1]

For a month now, hackers have been mounting a large-scale credential stuffing attack against multiple Virtual Private Network (VPN) instances around the world. At the moment, it’s hard to say who is behind the attack, or what the motives are, but researchers have some clues.

As reported by Ars Technica, Cisco’s Talos security team recently warned of an ongoing campaign in which attackers keep trying more than 2,000 usernames and some 100 passwords against different VPNs. Some of the products in the attackers’ crosshairs include Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, SonicWall VPN, RD Web Services, Mikrotik, Draytek, and Ubiquiti, however others could be targeted, as well.

The victims are scattered all over the world, and operate in various verticals, prompting the researchers to conclude that the attackers don’t have a preferred target, but are rather casting as wide of a net as possible.

Growing in strength

“Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions,” the researchers said in their report. “The traffic related to these attacks has increased with time and is likely to continue to rise.”

While the evidence is inconclusive, the researchers believe this could be the work of the same threat actor that targeted Cisco a few weeks back. They are basing this assumption on the facts that there are “technical overlaps” in how the attacks were conducted, and that in both instances, the same infrastructure was used. In the Cisco campaign, the goal was reconnaissance, so the speculation is that it’s the same this time around.

The IP addresses found from the previous attack were already added to Cisco’s block list for its VPN, and organizations worried about these attacks are advised to do the same, for any third-party VPN they have deployed.

Cisco alerts users to password-spraying attacks targeting VPN services

Post author By lisa nichols
Post date March 29, 2024
No Comments on Cisco alerts users to password-spraying attacks targeting VPN services

[ad_1]

Networking giant Cisco has warned its users of an ongoing attack against its business VPN services.

In a security advisory, Cisco said it had been notified of an ongoing password-spraying attack against different third-party VPN concentrators.

In this instance, it was Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall that were affected.

Russian attackers

“Depending on your environment, the attacks can cause accounts to be locked, resulting in Denial of Service (DoS)-like conditions,” Cisco explained, saying that the activity appears to be a reconnaissance effort. The threat actors were not named.

Password spraying is a type of attack in which the threat actor tries the same password with multiple accounts, until one combination works.

Listing its set of defenses and mitigations, Cisco recommended enabling logging to a remote syslog server for improved correlation and auditing of network and security incidents across various network devices; securing default remote access VPN profiles by pointing unused default connection profiles to sinkhole AAA servers; leveraging TCP shun to manually bloc dangerous IP addresses, configuring control-place ACLs to block unauthorized public IP addresses from running VPN sessions; and using certificate-based authentication for RAVPN.

Security researcher Aaron Martin claims the attack was likely the work of an undocumented malware botnet named Brutus.

He made the connection after observing the malware’s targeting scope and attack patterns, it was said. In his analysis of the botnet, Martin said it counts some 20,000 IP addresses worldwide. At first, the attacks targeted SSLVPN appliances from Fortinet, Palo Alto, SonicWall, and Cisco, but have since evolved to include web apps using Active Directory for authentication, too.

To avoid raising any flags, Brutus rotates its IPs every six attempts.

Although inconclusive, some evidence points to Brutus being the work of APT29, an infamous Russian state-sponsored threat actor.

Via BleepingComputer

A new ZenHammer attack is targeting more AMD CPUs

Post author By lisa nichols
Post date March 26, 2024
No Comments on A new ZenHammer attack is targeting more AMD CPUs

[ad_1]

The infamous Rowhammer DRAM attack can now be pulled off on some AMD CPUs as well, academic researchers from ETH Zurich have proved.

As reported by BleepingComputer, the researchers dubbed the attack ZenHammer, after cracking the complex, non-linear DRAM addressing functions in AMD platforms.

For the uninitiated, the Rowhammer DRAM attack revolves around changing data in Dynamic Random Access-Memory (DRAM), by repeatedly “hammering”, or accessing, specific rows of memory cells. Memory cells keep information as electric charges. These charges determine the value of the bits, which can either be a 0, or a 1. As the density of the memory cells in today’s chips is fairly big, “hammering” can alter the state in adjacent rows, or “flip” the bit. By flipping specific bits, the attackers can pull cryptographic keys, or other sensitive data, BleepingComputer explained.

Purely theoretical?

This means that AMD has joined Intel and ARM CPUs who were already known to be vulnerable to hammering attacks.

The researchers tested their theory on different platforms. For AMD Zen 2, they were successful 70% of the time. For AMD Zen 3, 60%. For AMD Zen 4, however, they were only successful 10% of the time, suggesting that “the changes in DDR5 such as improved Rowhammer mitigations, on-die error correction code (ECC), and a higher refresh rate (32 ms) make it harder to trigger bit flips.”

While usually academic research is purely theoretical, the researchers said this attack could be pulled off in the real world, too. They simulated successful attacks targeting the system’s security, and manipulating page table entries for unauthorized memory access.

Those fearing ZenHammer, it’s important to stress that these types of attacks are quite difficult to pull off. What’s more, there are patches and mitigations. Earlier this week, AMD released a security advisory with mitigation options.