Continued widespread dictionary / brute force attacks

Over the past two weeks we have seen a significant spike in the number of brute force attacks against SSL VPN endpoints and VPN web portals. Initially the traffic was coming from several hundred IP addresses, but we were fairly quickly able to distill it down to about 47 netblocks in two geographic areas (the Russian Federation and China). All of the login attempts were failing. In the initial set of attempts the usernames were varied and included admin, administrator, vpnuser, sslvpn, backup, user, sales and others; the most recent set, though, targeted only admin and administrator, and after distilling the data down we saw a new pattern emerge. A very small number of the attempts are now coming from domestic IP addresses, and some of those addresses are registered to other MSPs and ASPs, with at least one in the Atlanta, GA area. We have reached out to the technical and abuse contacts for all of the domestic IP addresses we’re seeing the traffic from, but two specific things seemed interesting (to me at least).

  • They are getting access via admin / administrator – The fact that the initial volley of traffic used a broad range of usernames, and that we’re now seeing traffic from many of the same source addresses focusing only on the usernames “admin” and “administrator”, suggests that they had more success with those usernames than the others and have narrowed their attack. Interesting and scary.
  • We are now seeing similar traffic from local data centers / ASPs / MSPs – The initial attack sources were almost exclusively in the Russian Federation and China, with no domestic sources (any earlier failed logins from domestic sources came from valid users who just failed to log in). Now, though, with some of the attack traffic appearing to originate from domestic addresses, it seems that some of the attacks were successful against data centers, ASPs and MSPs.
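As an added illustration of the distilling described above (this is example code written for this page, not the author’s tooling), the script below parses a constructed, vendor-neutral set of VPN portal login log lines, collapses failing sources into /24 netblocks, counts the usernames tried, and compares each netblock’s username spread before and after a chosen date. That comparison flags two things the post calls out: blocks that sprayed a word list and then narrowed to admin/administrator, and blocks that only started hitting those two accounts in the later window. The log format, the documentation-range addresses, the dates and the thresholds are all assumptions made for the example; a real portal logs differently, so LINE_RE is the part to adapt.

```python
"""Aggregate failed SSL VPN portal logins by source netblock and username, then
compare the username spread before and after a split date to spot an attacker
narrowing from a broad word list to a couple of accounts.

Added example, not the author's tooling. Log format, addresses and dates are
constructed. Geolocation / ASN lookup of the resulting netblocks is left out
so the script runs offline.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
import ipaddress
import re

# Constructed sample (documentation-range addresses, not real traffic).
# Two /24s spray a word list on the 1st; on the 12th the same two /24s plus a
# third, which earlier only showed a legitimate user's failed login, try only
# admin / administrator.
SAMPLE_LOG = """\
2019-03-01T02:00:01Z vpn-login src=203.0.113.10 user=admin result=fail
2019-03-01T02:00:02Z vpn-login src=203.0.113.10 user=vpnuser result=fail
2019-03-01T02:00:03Z vpn-login src=203.0.113.22 user=sslvpn result=fail
2019-03-01T02:00:04Z vpn-login src=198.51.100.7 user=backup result=fail
2019-03-01T02:00:05Z vpn-login src=198.51.100.9 user=sales result=fail
2019-03-01T02:00:06Z vpn-login src=198.51.100.9 user=administrator result=fail
2019-03-01T09:15:00Z vpn-login src=192.0.2.50 user=jsmith result=fail
2019-03-01T09:15:20Z vpn-login src=192.0.2.50 user=jsmith result=ok
2019-03-12T04:10:01Z vpn-login src=203.0.113.10 user=admin result=fail
2019-03-12T04:10:02Z vpn-login src=203.0.113.22 user=administrator result=fail
2019-03-12T04:10:03Z vpn-login src=198.51.100.7 user=admin result=fail
2019-03-12T04:10:04Z vpn-login src=198.51.100.9 user=administrator result=fail
2019-03-12T04:10:05Z vpn-login src=192.0.2.120 user=admin result=fail
2019-03-12T04:10:06Z vpn-login src=192.0.2.120 user=administrator result=fail
"""

# Assumed line shape; adapt to the real portal's log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
# Boundary between the "word list" and "admin-only" windows in the sample.
SPLIT_AT = datetime(2019, 3, 8, tzinfo=timezone.utc)


def parse_log(text):
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": ipaddress.ip_address(m["src"]),
                       "user": m["user"], "ok": m["result"] == "ok"})
    return events


def netblock(ip, prefix=24):
    """Collapse a single address to its enclosing /prefix, as a string."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def failures_by_netblock(events, prefix=24, min_failures=2):
    """Failed logins per /prefix, dropping blocks below the threshold."""
    counts = Counter(netblock(e["src"], prefix) for e in events if not e["ok"])
    return {nb: c for nb, c in counts.items() if c >= min_failures}


def top_usernames(events, n=5):
    """Most-attempted usernames among failed logins."""
    return Counter(e["user"] for e in events if not e["ok"]).most_common(n)


def usernames_by_netblock(events, prefix=24):
    """Set of usernames each /prefix failed against."""
    seen = defaultdict(set)
    for e in events:
        if not e["ok"]:
            seen[netblock(e["src"], prefix)].add(e["user"])
    return seen


def classify_sources(events, split_at, prefix=24, focus=("admin", "administrator")):
    """Netblocks whose failures after split_at hit only the focus accounts.

    narrowed: the block tried the focus accounts plus other names before the
              split, i.e. a word list that shrank to the names that worked.
    new:      the block made no focus-account attempts before the split.
    """
    focus = set(focus)
    early = usernames_by_netblock([e for e in events if e["ts"] < split_at], prefix)
    late = usernames_by_netblock([e for e in events if e["ts"] >= split_at], prefix)
    narrowed, new = [], []
    for nb, users in sorted(late.items()):
        if not users <= focus:
            continue
        before = early.get(nb, set())
        if before & focus and before - focus:
            narrowed.append(nb)
        elif not before & focus:
            new.append(nb)
    return narrowed, new


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("failures per /24:", failures_by_netblock(ev))
    print("top usernames:", top_usernames(ev))
    narrowed, new = classify_sources(ev, SPLIT_AT)
    print("narrowed to admin/administrator:", narrowed)
    print("new admin/administrator-only sources:", new)
```

On the sample, both foreign /24s land in the “narrowed” list and the domestic /24 lands in the “new” list. Note that a legitimate administrator mistyping a password twice from an unfamiliar address would also land in “new”, so the output is a list of netblocks to look up (whois/ASN, and your own records of known user locations), not a verdict; raising `min_failures` and widening the window are the usual first adjustments on real volumes.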

I would be very interested to hear from anyone else who has seen similar patterns in their environments and whether they have any other takeaways from it.

Are you a small to medium sized business looking to leverage technology and enable your business and workforce to work smarter and more efficiently? Do you already have computers, servers, firewalls, VPNs or other technology that you’re not taking full advantage of? Are you looking for an IT Service Provider who understands the needs of small to medium sized businesses and the challenges that we face, and who can work with you to grow your business rather than just sell you time?

Cyber Tech Cafe is an IT Service Company with a focus on helping small to medium businesses get the most out of their technology investment. As a small business ourselves, we understand the challenges you face and have designed our service offerings to help you get the most out of your technology dollar. We offer on-call, as-needed support if you just need a quick fix or an extra set of hands right now. We also offer maintenance plans that we call “MyIT”, designed to address the most common concerns (patch management, disaster recovery / backup, log review, etc.), priced on the number of workstations and servers that you have, with no term contract. We believe that, if you find value in what we’re doing, you’ll find a way to keep us around without a contract saying that you have to.

If you have questions about the MyIT plans or have an IT need that must be addressed right now, let us know. We look forward to the opportunity to earn your business.