
Cisco: VPN services facing password-spraying intrusions

BleepingComputer reports that numerous remote access VPN services were observed by Cisco to have been targeted by password-spraying attacks suspected to be part of a reconnaissance operation.

According to Cisco, organizations should mitigate such attacks by enabling logging to a remote syslog server, pointing unused default connection profiles at a sinkhole AAA server, filtering unauthorized public IP addresses with control-plane ACLs, using TCP shun, and using certificate-based authentication for RAVPN.
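As an added example that is not from the article or from Cisco, the following Python sketch shows what the remote syslog logging recommended above lets a defender do: it parses constructed, ASA-style authentication-rejected lines (the `%ASA-6-113015` format is approximated here, not taken from the page) and flags two spraying signals, a single source trying many distinct usernames and the low-and-slow pattern where each source stays under a small attempt count while the pool of tried usernames keeps growing.

```python
import re
from collections import defaultdict

# Approximation of an ASA AAA-rejection message; the field layout is assumed, not from the page.
LINE_RE = re.compile(r"Rejected .*?user = (?P<user>\S+) : user IP = (?P<ip>[\d.]+)")


def asa_line(user, ip):
    """Build one constructed sample log line (test data only)."""
    return (f"%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password"
            f" : server = 10.0.0.2 : user = {user} : user IP = {ip}")


# Constructed sample: one noisy source, four rotating sources, and one benign user typo.
SAMPLE_LOG = "\n".join(
    [asa_line(f"u{i:02d}", "203.0.113.5") for i in range(7)]
    + [asa_line(f"r{i:02d}", f"198.51.100.{1 + i // 3}") for i in range(12)]
    + [asa_line("bob", "192.0.2.9")] * 2
)


def parse_failures(text):
    """Return (user, source_ip) pairs for every rejected authentication line."""
    matches = (LINE_RE.search(line) for line in text.splitlines())
    return [(m.group("user"), m.group("ip")) for m in matches if m]


def spray_indicators(failures, max_attempts_per_ip=6, min_users=5):
    """Return (noisy_ips, rotation_seen).

    noisy_ips: sources that tried at least min_users distinct usernames.
    rotation_seen: several sources each stayed at or under max_attempts_per_ip
    (the rotation interval the report attributes to the botnet) yet together
    covered at least min_users distinct usernames.
    """
    users_by_ip = defaultdict(set)
    attempts_by_ip = defaultdict(int)
    for user, ip in failures:
        users_by_ip[ip].add(user)
        attempts_by_ip[ip] += 1
    noisy_ips = sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)
    low_ips = [ip for ip, n in attempts_by_ip.items() if n <= max_attempts_per_ip]
    low_users = set().union(*(users_by_ip[ip] for ip in low_ips)) if low_ips else set()
    rotation_seen = len(low_ips) > 1 and len(low_users) >= min_users
    return noisy_ips, rotation_seen


if __name__ == "__main__":
    print(spray_indicators(parse_failures(SAMPLE_LOG)))
```

In production the same grouping would run over a sliding time window rather than a whole file, and the thresholds should be tuned to the size of the user base.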

Such attacks may be part of a Brutus botnet malware campaign that initially targeted Cisco, Fortinet, SonicWall, and Palo Alto Networks SSL VPN appliances before attacking Active Directory-based web apps, noted security researcher Aaron Martin, who discovered the botnet alongside analyst Chris Grube.

More than 20,000 unique IP addresses around the world are being leveraged by the Brutus botnet, which enables IP rotation every six attempts in a bid to conceal malicious activity, according to Martin, who noted that two IPs used by the botnet were linked to Russian cyberespionage threat operation APT29, also known as NOBELIUM, Cozy Bear, and Midnight Blizzard.
