Continued widespread dictionary / brute force attacks
Over the past two weeks, we have seen a significant spike in the number of brute force attacks against SSL VPN endpoints and VPN web portals. Initially, the traffic was coming from several hundred IP Addresses but we were pretty quickly able to distill it down to about 47 netblocks from two geographic areas (Russian Federation and China). All of the login attempts were failing and in the initial set of login attempts the usernames were varied and included admin, administrator, vpnuser, sslvpn, backup, user, sales and others. This most recent set of attempts though were for admin and administrator and, after distilling the data down we saw a new pattern emerge. A very small number of the attempts are now coming from domestic IP Addresses and, specifically, some of…