Recent findings from Cisco's Talos security team have unveiled a significant threat to network security through a sophisticated credential compromise campaign. As reported by ARS Technica, this extensive campaign is currently making waves across various organizational networks, focusing on VPNs, SSH, and web applications.
Details of the Attack: The attackers are using a combination of generic and organization-specific usernames in their login attempts, along with nearly a hundred passwords. Over 2,000 usernames and approximately 4,000 IP addresses have been identified as part of this assault. The origins of these IP addresses trace back to TOR exit nodes and other services designed to mask user identities, such as VPN Gate and IPIDEA Proxy.
Impact and Scope: According to Talos researchers, the impacts of these attacks can vary dramatically from unauthorized network access and account lockouts to potential denial-of-service conditions. This indicates an indiscriminate approach, targeting a broad spectrum of networks without specific regional or industrial focus. The frequency and intensity of these attempts have escalated over time, with the attacks beginning as early as March 18.
Previous Warnings and Ongoing Threats: This advisory follows a similar alert issued by Cisco three weeks prior, which described a password spray attack affecting remote access VPNs. Although both campaigns share technical similarities and potentially overlapping infrastructures, Cisco researchers have not definitively linked them to a single threat actor.
Targeted Services: The services targeted in these attacks include, but are not limited to, various high-profile VPN providers like Cisco Secure Firewall VPN, Checkpoint VPN, and Fortinet VPN, as well as other critical network services from companies such as SonicWall, Mikrotik, and Ubiquiti.
Defensive Measures Recommended by Cisco: To mitigate these threats, Cisco has recommended several measures:
- Enabling detailed logging to a remote syslog for better attack correlation across network endpoints.
- Securing default remote access accounts and blocking known malicious IP addresses.
- Implementing interface-level and control plane access control lists to prevent unauthorized public IPs from initiating VPN sessions.
- Encouraging the use of certificate-based authentication for remote access VPNs.
Additionally, implementing Two-Factor Authentication (2FA) is indeed one of the most effective measures organizations can take to enhance security and mitigate the risks associated with credential compromise campaigns. Here are some additional mitigation strategies that can complement the use of 2FA and enhance overall network security:
- Two-Factor Authentication (2FA):
- Implement 2FA across all critical systems, especially for VPN access, remote desktop services, and administrative accounts. This requires users to provide two forms of identification: something they know (a password) and something they have (a token or mobile app notification).
- Use of Strong, Unique Passwords:
- Encourage or enforce policies that require the use of strong, unique passwords for each service. Utilize password managers to help users maintain and manage these passwords securely.
- Regular Updates and Patch Management:
- Ensure that all systems are regularly updated with the latest security patches. This includes operating systems, applications, and firmware on devices like routers and firewalls.
- Advanced Endpoint Detection and Response (EDR):
- Deploy EDR solutions that can detect, block, and respond to threats automatically. These tools can often identify suspicious behavior related to credential misuse or brute force attempts.
- User and Entity Behavior Analytics (UEBA):
- Implement UEBA to monitor for abnormal user behaviors that could indicate compromised accounts. UEBA systems use machine learning to spot deviations from normal activity patterns.
- Network Segmentation:
- Segment the network to limit the blast radius of any potential intrusion. By segregating networks, sensitive data and critical systems can be isolated from the parts of the network most susceptible to attack.
- Security Awareness Training:
- Regularly train employees on security best practices, including recognizing phishing attempts and safely handling credentials. Education is key to preventing security breaches from the inside.
- Multi-layered Security Approach:
- Deploy a variety of security measures such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). A layered security approach reduces the risk of unauthorized access.
- Regular Security Audits and Penetration Testing:
- Conduct regular security audits and penetration tests to identify and address vulnerabilities. This helps in understanding potential attack vectors and in reinforcing defense mechanisms.
- Incident Response Plan:
- Develop and regularly update an incident response plan. This plan should include procedures for dealing with credential compromises and should be practiced regularly through drills.
These strategies, combined with the ones previously outlined by Cisco, can provide a robust defense against large-scale credential compromise campaigns and other cyber threats.
Organizations are advised to take immediate action by incorporating Cisco’s recommendations and updating their security protocols to defend against these escalating threats. Staying informed and prepared is the best defense against such widespread and indiscriminate attacks.
For further details and updates on the situation, organizations should refer to the full report provided by Cisco and stay tuned to updates from reliable sources like ARS Technica.