A large-scale brute-force password attack involving nearly 2.8 million IP addresses daily attempts to compromise millions of VPN devices from various companies including Palo Alto Networks, Ivanti, and SonicWall. Brute force attacks involve threat actors attempting to guess username and password combinations until they find the correct one. The campaign is highly automated, suggesting the potential involvement of malware or botnets.
Ongoing password attack campaign targets VPN devices
The Shadowserver Foundation, which detected the month-long password attack campaign, says the attacks originate from various countries, mostly Brazil (1.1 million IPs), Turkey, Russia, Argentina, Morocco, and Mexico. Other countries are also involved, although at a much smaller scale.[1]
The IP addresses are spread across many networks and autonomous systems, suggesting the use of residential proxies as exit nodes to conceal the malicious activity. “By using so many IP addresses that are scattered throughout the globe to carry out these attacks, the cybercriminals can make it extremely difficult for defenders to stop the brute force attacks attempting to pierce the protections put in place by targeted organizations,” said Erich Kron, Security Awareness Advocate at KnowBe4. “These source IP addresses are often from individual computers infected with malware, IoT devices that have been compromised, or out-of-date consumer routers or internet-facing devices that attackers have already taken over.”
Shadowserver also determined that the password attack campaign leverages botnet or malware-infected MikroTik, Huawei, Cisco, Boa, and ZTE routers and IoT devices. “Cybercriminals are leveraging compromised routers and IoT devices, many forming part of large malware botnets, to conduct large-scale brute force attempts,” warned Patrick Tiquet, Vice President, Security & Architecture at Keeper Security.
While the campaign gained momentum in January 2025, Shadowserver warns that it was potentially ongoing before it was detected. Shadowserver could also not determine the target of the campaign, suggesting it could be opportunistic. Similarly, the threat actor’s identity remains unreported, although state-sponsored malicious actors are notorious for targeting VPN devices to compromise organizations and government agencies.
In January 2024, cybersecurity firm Volexity identified multiple Chinese state-linked hackers, including UTA0178, compromising Ivanti Connect Secure VPN Appliances via security vulnerabilities CVE-2023-46805 and CVE-2024-21887 to gain remote code execution capabilities.
To protect their VPN devices from the password attack campaign, users should replace their default login credentials with a unique and strong passphrase that is difficult to guess. They should also enable multi-factor authentication, whitelist trusted IPs, and disable web admin interfaces from being accessible over the Internet. “Changing passwords is a critical first step, but it’s not enough on its own. Multi-factor authentication (MFA) is essential, adding an extra layer of security through biometrics, security keys, or Time-Based One-Time Password (TOTP). Adaptive MFA further strengthens defenses by detecting suspicious login behavior and requiring extra verification,” Tiquet added.
Similarly, applying the latest firmware and software updates closes known vulnerabilities that threat actors could exploit to gain access. Administrators should also monitor logs for suspicious logins, which could indicate compromise; a run of rejected authentication attempts can also indicate an ongoing brute force attack. Network defenders should also implement perimeter security with zero trust principles to prevent malicious actors from taking over their VPN devices.
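As an added example (not code from the article or from Shadowserver), the following Python sketch implements the log check recommended above. It reads constructed, generic VPN authentication records and flags two patterns: a single source repeatedly failing, and an account failing from many distinct sources, which is the shape a campaign spread over millions of IPs produces and which a per-IP threshold alone would miss. The log format, thresholds and five-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a generic syslog-like shape (not output of any real appliance).
SAMPLE_LOG = """\
2025-02-12T10:00:01Z vpn01 auth: result=FAIL user=jsmith src=203.0.113.10
2025-02-12T10:00:02Z vpn01 auth: result=FAIL user=jsmith src=198.51.100.7
2025-02-12T10:00:04Z vpn01 auth: result=FAIL user=jsmith src=192.0.2.33
2025-02-12T10:00:05Z vpn01 auth: result=FAIL user=jsmith src=203.0.113.99
2025-02-12T10:00:09Z vpn01 auth: result=FAIL user=admin src=192.0.2.50
2025-02-12T10:00:10Z vpn01 auth: result=FAIL user=admin src=192.0.2.50
2025-02-12T10:00:11Z vpn01 auth: result=FAIL user=admin src=192.0.2.50
2025-02-12T10:00:12Z vpn01 auth: result=FAIL user=admin src=192.0.2.50
2025-02-12T10:00:13Z vpn01 auth: result=FAIL user=admin src=192.0.2.50
2025-02-12T10:00:20Z vpn01 auth: result=OK user=bwayne src=203.0.113.77
2025-02-12T10:40:00Z vpn01 auth: result=FAIL user=bwayne src=203.0.113.77
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: result=(?P<res>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def failed_logins(log_text):
    """Return sorted (timestamp, user, src) tuples for failed logins; non-matching lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["res"] == "FAIL":
            out.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["src"]))
    return sorted(out)

def in_window(events, start_ts, window):
    # Events whose timestamp falls in [start_ts, start_ts + window].
    return [e for e in events if start_ts <= e[0] <= start_ts + window]

def detect(log_text, window=timedelta(minutes=5), per_src=5, per_user_srcs=4):
    """noisy_sources: a source with >= per_src failures in one window (single-IP brute force).
    sprayed_accounts: an account failing from >= per_user_srcs distinct sources (distributed guessing)."""
    by_src, by_user = defaultdict(list), defaultdict(list)
    for ts, user, src in failed_logins(log_text):
        by_src[src].append((ts, user))
        by_user[user].append((ts, src))
    noisy_sources, sprayed_accounts = {}, {}
    for src, evs in by_src.items():
        worst = max(len(in_window(evs, t, window)) for t, _ in evs)
        if worst >= per_src:
            noisy_sources[src] = worst
    for user, evs in by_user.items():
        worst = max(len({s for _, s in in_window(evs, t, window)}) for t, _ in evs)
        if worst >= per_user_srcs:
            sprayed_accounts[user] = worst
    return noisy_sources, sprayed_accounts
```

On the constructed sample, `detect(SAMPLE_LOG)` flags the admin account's single source and the jsmith account hit from four different addresses, while the one legitimate failure for bwayne stays below both thresholds.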
Password attack campaigns in the past
This is hardly the first time a password attack campaign targeting edge VPN devices has been detected in the wild. In April 2024, Cisco detected a similar brute force campaign targeting Cisco, Check Point, Fortinet, SonicWall, MikroTik, RD Web Services, DrayTek, and Ubiquiti devices. “VPNs are a great target for bad actors because, in a corporate world, they can lead to direct access to the network behind the protection of firewalls and other edge security devices,” Kron said.
While the final objective of this campaign remains unclear, Cisco said the password attack campaign resulted in distributed denial of service (DDoS) in some cases. Although DDoS might not be the primary motive, password spraying attacks can cause denial of service through resource exhaustion and CPU overload on the targeted appliance. “If these bad actors are able to guess or brute force the VPN password, cybercriminals could attempt anything from data theft to ransomware, or more,” Kron continued. “In many cases, cybercriminals could simply sell this network access to other bad actors as well, pocketing the cash and letting the buyer do whatever nefarious deeds they would like.”
In October 2024, Microsoft also observed multiple Chinese threat actors, including suspected state-linked actor Storm-0940, using the Quad7 (7777, CovertNetwork-1658, or xlogin) botnet to steal routers’ login credentials through password-spraying attacks.
In December 2024, Citrix reported a password attack campaign targeting its NetScaler VPN devices worldwide. The German Federal Office for Information Security (BSI) said the Citrix NetScaler brute force attacks targeted the critical infrastructure of allied nations, suggesting potentially state-sponsored activity. “Brute force password attacks have long been, and will continue to be, a popular method of attacking systems, websites, VPN appliances, and other password-protected devices,” noted Chris Hauk, Consumer Privacy Champion at Pixel Privacy. “While there are more sophisticated ways to perform attacks, hackers depend on the fact that their targets haven’t been kept updated to the latest software, firmware, or operating system versions, or that the device’s logins aren’t protected with two-factor or multi-factor authentication methods.”
Related Article: https://redskyalliance.org/xindustry/long-passwords-are-better
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
[1] https://www.cpomagazine.com/cyber-security/brute-force-password-attack-involving-2-8-million-ips-targets-vpn-devices-from-various-companies/