17 April 2024

Cisco warns of large-scale brute-force attacks targeting VPNs, SSH services



Cisco’s threat intelligence unit is warning of a surge in brute-force attacks targeting various services, including Virtual Private Networks (VPNs), web application authentication interfaces, and SSH services. The malicious activity has been on the rise since at least March 18, 2024.

According to Cisco Talos, the attacks come from TOR exit nodes and other anonymizing tunnels and proxies.

According to the advisory, the affected services include Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, and SonicWall VPN. Additionally, web services like RD Web Services, MikroTik, Draytek, and Ubiquiti have been targeted by the observed brute-force attempts.

These attacks involve the use of both generic usernames and valid usernames associated with specific organizations. The nature of the targeting suggests that attackers are opportunistic and are not focused on any particular region or industry.

The consequences of a successful attack can range from unauthorized network access and account lockouts to denial-of-service conditions. Notably, the volume of traffic related to these attacks has been steadily increasing and is predicted to continue rising in the foreseeable future.

The source IP addresses associated with this malicious activity commonly originate from proxy services such as TOR, VPN Gate, IPIDEA Proxy, BigMama Proxy, Space Proxies, Nexus Proxy, and Proxy Rack.
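
As an added example (not code from Cisco Talos or from this article), the sketch below surfaces the two traits described above from OpenSSH authentication logs: one source trying a mix of non-existent and valid usernames, and one valid account failing from several different sources. The log lines, IP addresses, usernames, thresholds, and the anonymizer list are constructed assumptions.

```python
import re
from collections import defaultdict

# OpenSSH failure line; "invalid user" marks an account that does not exist.
FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port \d+")

# Constructed sample (documentation IP ranges), not data from the advisory.
_T = "Apr 17 10:00:0{n} gw sshd[1]: Failed password for {u} from {ip} port 4000{n} ssh2"
_EVENTS = [("invalid user admin", "203.0.113.7"), ("invalid user test", "203.0.113.7"),
           ("jsmith", "203.0.113.7"), ("jsmith", "198.51.100.20"),
           ("jsmith", "192.0.2.44"), ("akumar", "192.0.2.44")]
SAMPLE_LOG = "\n".join(_T.format(n=i, u=u, ip=ip) for i, (u, ip) in enumerate(_EVENTS))
# Stand-in for a locally maintained list of TOR exit / proxy addresses (assumption).
SAMPLE_ANONYMIZERS = {"203.0.113.7", "192.0.2.44"}

def analyze(log_text, anonymizer_ips, min_users=3, min_sources=3):
    """Return (spraying_sources, targeted_accounts); thresholds are illustrative.

    spraying_sources: {ip: {"users", "invalid", "anonymizer"}} for sources that
        failed against at least min_users distinct usernames.
    targeted_accounts: {user: n_sources} for existing accounts with failures
        from at least min_sources distinct IPs (lockout risk, and a sign the
        attacker holds valid usernames for this organization).
    """
    users_by_ip = defaultdict(set)
    invalid_by_ip = defaultdict(set)
    ips_by_valid_user = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        invalid, user, ip = m.groups()
        users_by_ip[ip].add(user)
        if invalid:
            invalid_by_ip[ip].add(user)
        else:
            ips_by_valid_user[user].add(ip)
    spraying = {
        ip: {"users": len(users), "invalid": len(invalid_by_ip[ip]),
             "anonymizer": ip in anonymizer_ips}
        for ip, users in users_by_ip.items() if len(users) >= min_users
    }
    targeted = {user: len(ips) for user, ips in ips_by_valid_user.items()
                if len(ips) >= min_sources}
    return spraying, targeted

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, SAMPLE_ANONYMIZERS))
```

Counting distinct sources per account matters here because attempts spread across many proxy addresses stay under any per-IP threshold.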

