
Brute force attempts on national VPNs

The cybersecurity landscape right now is marked by a series of brute force attacks targeting various platforms, with a worrying focus on VPNs (Virtual Private Networks).

The phenomenon, detected by investigations conducted by our cybersecurity team, is worrying because of the scale and apparent coordination of the attacks. Analysis showed that these intrusion attempts all came from the same Autonomous System Number (ASN), specifically AS394711, associated with LIMENET.

The attackers clearly aim to produce as little noise as possible in order to avoid detection: the source IP addresses change constantly, each address makes only a limited number of attempts, and, most importantly, requests are spaced out so that no noticeable spikes appear in the rate of authentication attempts. This makes tracking and mitigating the attack more complex.

This modus operandi suggests an organization and planning behind brute force attempts that cannot be underestimated.


Overview of attempted attacks

Thanks to the advanced monitoring tools of the Cyberoo service, we are able to provide a detailed picture of the ongoing attacks. Since the beginning of our observations on February 21, 2024, we have identified various VPN terminators as targets, with no preference for a particular vendor or technology.

Affected devices include: WatchGuard firewalls, NetScaler, Palo Alto firewalls, Cisco VPN and Cisco FTD.

Below are some figures from the analysis of the last 30 days by Cyberoo's CERT. 329 different source IP addresses were detected (the full list is available for download). The graph below shows the source IPs most involved:

Figure 1 – Graphical evidence of the most active source IPs


The investigation was made possible by a small spike that gave partial visibility into the activity: between Feb. 20 and 21, attempts that had previously seemed constant stopped and then resumed. Below is a picture of the trend of access attempts.

Figure 2 – Authentication attempt events between 20 Feb and 21 Feb


Indeed, the attempts appear to be repeated and present throughout the month. The following graph shows a snapshot of failed authentication events originating from LIMENET.

Figure 3 – Authentication attempt events between 23 Jan and 21 Feb


Spot checks over the past 30 days suggest that each targeted user account has seen between roughly 3,000 and 4,000 attempts. Attacks of this kind, carried out with methods and procedures designed to evade monitoring and defence systems, are numerous and frequent across the Internet.
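As an added example (not code from Cyberoo or from the original post), the following Python script shows one way to detect the pattern described above: rather than counting failures per source IP, which the rotating-IP, low-rate behaviour is designed to keep under a lockout threshold, it aggregates failed VPN logins per source ASN and per target account, and measures the spacing between attempts. The log format, the prefix-to-ASN table (RFC 5737 documentation ranges stand in for the prefixes really announced by AS394711), the sample log lines and the thresholds are all constructed assumptions.

```python
"""Added example: detect a low-and-slow, IP-rotating VPN brute force by
aggregating failed logins per source ASN and per target account instead
of per source IP (where each address stays under a typical lockout limit)."""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): timestamp, result, user, source IP.
SAMPLE_LOG = """\
2024-02-21T08:00:01Z vpn auth-fail user=admin src=203.0.113.10
2024-02-21T08:07:12Z vpn auth-fail user=admin src=203.0.113.77
2024-02-21T08:15:40Z vpn auth-fail user=john src=203.0.113.77
2024-02-21T08:22:03Z vpn auth-fail user=admin src=203.0.113.140
2024-02-21T08:31:55Z vpn auth-fail user=test src=203.0.113.201
2024-02-21T08:40:18Z vpn auth-fail user=john src=203.0.113.9
2024-02-21T08:45:00Z vpn auth-ok user=alice src=198.51.100.5
2024-02-21T08:51:27Z vpn auth-fail user=alice src=198.51.100.5
"""

# Hypothetical prefix-to-ASN table. 203.0.113.0/24 (an RFC 5737 documentation
# range) is a placeholder for the prefixes really announced by AS394711; a real
# deployment would load this from a BGP or GeoIP/ASN database.
ASN_PREFIXES = {
    "AS394711": [ipaddress.ip_network("203.0.113.0/24")],
    "AS64496": [ipaddress.ip_network("198.51.100.0/24")],  # unrelated ASN
}

LINE_RE = re.compile(r"^(\S+) vpn (auth-fail|auth-ok) user=(\S+) src=(\S+)$")


def asn_for(ip):
    """Map a source IP to an ASN via the prefix table ('unknown' if no match)."""
    addr = ipaddress.ip_address(ip)
    for asn, nets in ASN_PREFIXES.items():
        if any(addr in net for net in nets):
            return asn
    return "unknown"


def parse(log_text):
    """Parse log lines into event dicts, skipping lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "result": result, "user": user, "src": src, "asn": asn_for(src),
        })
    return sorted(events, key=lambda e: e["ts"])


def asn_profile(events):
    """Per ASN: total failures, failures per source IP, targeted accounts."""
    prof = defaultdict(lambda: {"fails": 0, "per_ip": defaultdict(int), "users": set()})
    for e in events:
        if e["result"] != "auth-fail":
            continue
        p = prof[e["asn"]]
        p["fails"] += 1
        p["per_ip"][e["src"]] += 1
        p["users"].add(e["user"])
    return prof


def flag_distributed_bruteforce(events, min_fails=5, min_ips=3, max_per_ip=3):
    """Flag ASNs whose aggregate failures are high while every single IP stays
    at or under max_per_ip: exactly the shape a per-IP lockout would miss."""
    flagged = {}
    for asn, p in asn_profile(events).items():
        if (p["fails"] >= min_fails and len(p["per_ip"]) >= min_ips
                and max(p["per_ip"].values()) <= max_per_ip):
            flagged[asn] = {"fails": p["fails"], "ips": len(p["per_ip"]),
                            "users": sorted(p["users"])}
    return flagged


def median_gap_seconds(events, asn):
    """Median spacing between consecutive failures from one ASN: a large, steady
    gap is the 'delay between requests' that flattens the attempt-rate curve."""
    times = [e["ts"] for e in events if e["asn"] == asn and e["result"] == "auth-fail"]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.median(gaps) if gaps else None


def per_user_failures(events):
    """Failures per target account (the per-user figure the report quotes)."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "auth-fail":
            counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(flag_distributed_bruteforce(evs))
    print(median_gap_seconds(evs, "AS394711"))
    print(per_user_failures(evs))
```

On the constructed sample, the placeholder ASN is flagged with six failures spread over five addresses (no address exceeding two attempts) and a median gap of just over eight minutes between attempts, while the unrelated ASN with a single failed login is not. In production the thresholds would be tuned to the 30-day window the report uses, and the per-user counts fed back into the account audit.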


Affected accounts and recommendations

A more detailed analysis revealed that the targeted users do not appear to follow any particularly sophisticated selection criterion; the attackers instead try common, predominantly English-language credentials. In this scenario, the greatest risk is the use of weak passwords or default credentials, which can easily fall to such systematic attacks.

Our urgent recommendation is to conduct an immediate audit of your security configurations, making sure you are not using weak or easily guessable passwords. For additional protection, consider applying a DENY rule on VPN systems and perimeter access for IP addresses associated with AS394711, unless there is a compelling reason to keep such communications open.
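As an added example (not Cyberoo's code), this Python script turns the DENY recommendation into a concrete rule set: it takes a list of prefixes attributed to the ASN, collapses adjacent ranges, carves out any addresses you have a compelling reason to keep reachable, and prints nftables commands. The prefixes are RFC 5737 documentation ranges used as placeholders for AS394711's real announcements, the exception host is constructed, and the nftables table and chain names are assumptions.

```python
"""Added example: build a perimeter DENY rule for prefixes attributed to a
suspicious ASN, carving out explicit exceptions, and emit nftables syntax."""
import ipaddress

# Placeholder prefixes (RFC 5737 documentation ranges) standing in for the
# ranges really announced by AS394711; a real deployment would take them from
# a BGP/IRR source and refresh them regularly.
ASN_PREFIXES = {
    "AS394711": ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"],
}
# Constructed exception: a host you have a compelling reason to keep reachable.
ALLOW_EXCEPTIONS = ["198.51.100.77/32"]


def build_blocklist(prefixes, exceptions):
    """Collapse adjacent/overlapping prefixes, then remove the exceptions,
    returning the minimal sorted list of networks to deny."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    result = []
    for net in ipaddress.collapse_addresses(nets):
        remaining = [net]
        for exc in (ipaddress.ip_network(e) for e in exceptions):
            carved = []
            for r in remaining:
                if r.subnet_of(exc):
                    continue  # exception covers the whole range: drop it
                if exc.subnet_of(r):
                    carved.extend(r.address_exclude(exc))  # split r around exc
                else:
                    carved.append(r)
            remaining = carved
        result.extend(remaining)
    return sorted(result)


def is_blocked(ip, blocklist):
    """True if the address falls inside any denied network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def render_nft(asn, blocklist, table="inet filter", chain="input", set_name="deny_asn"):
    """Render an nftables interval set plus a drop rule. Assumes the table and
    chain already exist; the rule counts and logs before dropping so that hits
    remain visible to monitoring."""
    elems = ", ".join(str(n) for n in blocklist)
    return "\n".join([
        f"# DENY perimeter access from prefixes attributed to {asn}",
        f"add set {table} {set_name} {{ type ipv4_addr; flags interval; }}",
        f"add element {table} {set_name} {{ {elems} }}",
        f'add rule {table} {chain} ip saddr @{set_name} counter log prefix "deny-{asn} " drop',
    ]) + "\n"


if __name__ == "__main__":
    bl = build_blocklist(ASN_PREFIXES["AS394711"], ALLOW_EXCEPTIONS)
    print(render_nft("AS394711", bl))
```

The two /25 placeholders collapse into a single /24, and excluding one /32 from the other /24 yields eight complementary networks, so the excepted host is the only address in that range left reachable. Pipe the output into `nft -f -` on a host where the table and chain exist, and review the set periodically, since ASN prefix lists change.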


Conclusions and perspectives

The discovery of these extensive and coordinated brute force attempts represents a call to action for all organizations nationwide. Despite the defensive measures in place and constant monitoring, the dynamic evolution of these attacks requires continuous vigilance and updating of security policies.

We will continue to monitor the situation closely, reporting any relevant developments. In the meantime, we remain available to support our customers in protecting their critical infrastructure and preventing future attacks. Collaboration and the adoption of cybersecurity practices are critical in defending against risks that threaten the integrity of our networks and data.