Threat Awareness – Global Increase in Brute-Force Attacks Targeting VPNs and SSH Services

A global increase in brute-force attacks has been identified against a variety of targets which include VPN services, web application authentication interfaces, and SSH services since at least March 18, 2024. Cisco Talos is actively monitoring the increase in attacks and is providing details on affected services.

According to Talos, “depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise.”

Known affected services:

• Cisco Secure Firewall VPN
• Checkpoint VPN 
• Fortinet VPN 
• SonicWall VPN 
• RD Web Services
• Miktrotik
• Draytek
• Ubiquiti

The brute-force attacks are targeting a variety of VPN services, therefore mitigations will vary depending on the affected service. Members are highly encouraged to assess your environment for potentially affected services and address accordingly, including enable logging, secure default remote access VPN profiles, and block connection attempts from malicious sources. Cisco provides additional guidance and recommendations on remote access VPN services in a recent Cisco support blog. For more information, access Cisco Talos.