CyberSecurity news

FlagThis - #BruteForce

@gbhackers.com - 25d
A massive brute force password attack is currently targeting a wide range of networking devices, including VPNs and firewalls from Palo Alto Networks, Ivanti, and SonicWall. The attack, which began recently, utilizes almost 2.8 million IP addresses in an attempt to guess the credentials for these devices. Once access is gained, threat actors can hijack devices or gain access to entire networks.

A brute force attack involves repeatedly attempting to log into an account or device using numerous username and password combinations until the correct one is discovered. This type of attack highlights the importance of strong, unique passwords and multi-factor authentication to protect sensitive systems and data from unauthorized access. The attack was first reported by BleepingComputer on February 8, 2025.

Recommended read:
References:
  • BleepingComputer: A large-scale brute force password attack using almost 2.8 million IP addresses is underway, attempting to guess the credentials for a wide range of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall.
  • www.bleepingcomputer.com: Massive brute force attack uses 2.8 million IPs to target VPN devices
  • Anonymous: A large-scale brute force password attack using almost 2.8 million IP addresses is underway
  • BleepingComputer: Massive brute force attack uses 2.8 million IPs to target VPN devices
  • Troy Hunt: Infosec.exchange post about the large-scale brute-force attack targeting networking devices.
  • bsky.app: BleepingComputer post on the brute-force attack targeting Palo Alto, Ivanti and SonicWall devices.
  • bsky.app: BleepingComputer mentions the attack in a news summary.
  • www.scworld.com: Millions of IP addresses leveraged in ongoing brute force intrusion
  • gbhackers.com: Massive brute force attacks targeting VPNs and firewalls have surged in recent weeks, with cybercriminals using as many as 2.8 million unique IP addresses daily to conduct relentless login attempts.
  • securityboulevard.com: Security Boulevard report on major brute force attack

@cyberalerts.io - 2d
A mass exploitation campaign has targeted internet service providers (ISPs) in China and the U.S. West Coast, resulting in the deployment of information stealers and cryptocurrency miners. The Splunk Threat Research Team identified over 4,000 ISP IPs targeted in these brute-force attacks, exploiting weak credentials to gain initial access. Attackers are leveraging this access to deploy payloads designed for data exfiltration and establishing persistence within compromised systems.

The attacks involve minimally intrusive operations to avoid detection, primarily using scripting languages like Python and PowerShell for command-and-control (C2) operations via Telegram. Upon gaining access, attackers deploy executables via PowerShell for network scanning, information theft, and XMRig cryptocurrency mining. The deployed stealer malware captures screenshots and steals clipboard content, searching for cryptocurrency wallet addresses, with the gathered information exfiltrated to a Telegram bot. The attackers specifically targeted CIDRs of ISP infrastructure providers, using the masscan tool to identify open ports and then conducting credential brute-force attacks.

Recommended read:
References:
  • Virus Bulletin: The Splunk Threat Research Team has identified a campaign targeting ISP infrastructure providers. This mass exploitation campaign led to cryptomining and infostealer payloads. The main vector & initial access is driven by using well known weak credentials.
  • securityaffairs.com: Mass exploitation campaign hit 4,000+ ISP networks to deploy info stealers and crypto miners
  • thehackernews.com: Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers

SC Staff@scmagazine.com - 48d
Hackers are exploiting the FastHTTP library, written in Go, to conduct rapid brute-force password attacks against Microsoft 365 accounts worldwide. These attacks are characterized by generating a high volume of HTTP requests aimed at Azure Active Directory endpoints. The technique leverages the high-performance nature of FastHTTP to accelerate credential-based attacks. SpearTip, an incident response firm, reported that this malicious activity began on January 6th, 2025. Analysis reveals a significant portion of the attack traffic originates from Brazil, with other countries like Turkey, Argentina, Uzbekistan, and Pakistan also involved.

These attacks primarily target the Azure Active Directory Graph API, utilizing the 'fasthttp' user agent. While most attempts failed due to authentication failures, locked accounts, and policy violations, a concerning 9.7% of attacks resulted in successful account takeovers. The attacks involved brute-force and multi-factor authentication fatigue attempts. Security experts recommend that administrators promptly assess potential compromises, manually verify user agents through the Azure portal, immediately expire user sessions, and reset account credentials upon detecting any suspicious activity. They also recommend a review of MFA devices linked to potentially compromised accounts.
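The triage step recommended above (checking sign-in user agents for 'fasthttp' and deciding which accounts need sessions expired and credentials reset) can be scripted over exported sign-in logs. The following is an added example, not code from SpearTip or any of the cited reports; the log lines are constructed and the field names are a simplified, assumed version of an Entra ID / Azure AD sign-in export.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events (JSON lines), not real telemetry. Field names
# are an assumed, simplified form of an Entra ID / Azure AD sign-in log export.
# errorCode 0 is a successful sign-in; 50126 (bad password) and 50053 (account
# locked) are failure codes.
SAMPLE_LOG = """
{"user": "alice@example.com", "ip": "203.0.113.10", "userAgent": "fasthttp", "errorCode": 50126}
{"user": "alice@example.com", "ip": "203.0.113.11", "userAgent": "fasthttp", "errorCode": 50126}
{"user": "alice@example.com", "ip": "203.0.113.12", "userAgent": "fasthttp", "errorCode": 0}
{"user": "bob@example.com",   "ip": "198.51.100.5", "userAgent": "fasthttp", "errorCode": 50126}
{"user": "bob@example.com",   "ip": "198.51.100.6", "userAgent": "fasthttp", "errorCode": 50053}
{"user": "carol@example.com", "ip": "192.0.2.7",    "userAgent": "Mozilla/5.0 (Windows NT 10.0)", "errorCode": 0}
"""

SUSPECT_UA = "fasthttp"  # the user agent string named in the reports


def triage(log_text):
    """Summarise sign-in events whose user agent carries the FastHTTP signature.

    Returns {user: {"failures": int, "success": bool, "ips": set}} for every
    user that saw at least one event with the suspect user agent.
    """
    report = defaultdict(lambda: {"failures": 0, "success": False, "ips": set()})
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if SUSPECT_UA not in event["userAgent"].lower():
            continue  # ordinary browser/client traffic is out of scope here
        entry = report[event["user"]]
        entry["ips"].add(event["ip"])
        if event["errorCode"] == 0:
            entry["success"] = True  # a guessed password was accepted
        else:
            entry["failures"] += 1
    return dict(report)


def accounts_to_reset(report):
    """Accounts with a successful FastHTTP sign-in: expire sessions, reset credentials, review MFA devices."""
    return sorted(u for u, e in report.items() if e["success"])


def accounts_under_attack(report):
    """Accounts that only saw FastHTTP failures: review lockouts and MFA prompts, no takeover seen."""
    return sorted(u for u, e in report.items() if not e["success"] and e["failures"] > 0)


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("takeover suspected:", accounts_to_reset(r))    # ['alice@example.com']
    print("targeted, no success:", accounts_under_attack(r))  # ['bob@example.com']
```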

Recommended read:
References:
  • cyberpress.org: Hackers Using ‘Fast HTTP’ in Targeting Microsoft 365 Password Stealing Attack
  • BleepingComputer: Threat actors are utilizing the FastHTTP Go library to launch high-speed brute-force password attacks targeting Microsoft 365 accounts globally.
  • www.bleepingcomputer.com: Hackers use FastHTTP in new high-speed Microsoft 365 password attacks
  • www.scworld.com: Advanced Microsoft 365-targeted brute-force attacks enabled by FastHTTP

@github.com - 51d
Nextcloud users are reporting significant issues with the platform's brute-force protection mechanism, which is designed to safeguard against unauthorized access attempts. Users have been locked out of their servers due to what they believe are false positives. These lockouts occur when the system incorrectly identifies legitimate login attempts or other normal activity as brute-force attacks, causing frustration and disruption for users. The current settings lack the granularity needed to fine-tune the system to prevent these issues, forcing some to completely disable the protection feature, leaving their systems potentially vulnerable.

Some users have cited cases where devices on a home network, sharing an external IP address, are locked out even when using correct credentials. This highlights a need for the system to better understand normal traffic patterns and distinguish between genuine threats and ordinary usage, particularly in shared IP environments. There are calls to improve the configurability of the brute-force handling, to allow more control over thresholds and behavior. This would help minimize lockouts, offer more granular user control and ultimately ensure that the brute-force detection mechanism does not impede legitimate users of the Nextcloud platform.
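One way to avoid the shared-IP false positives described above is to throttle on the (source IP, username) pair and only block a whole IP when failures spread across many usernames. The code below is an added example of that design, not Nextcloud's own implementation; the thresholds, the trusted-network allowlist and the simulated household are all assumptions.

```python
import time
from collections import defaultdict
from ipaddress import ip_address, ip_network


class LoginThrottle:
    """Brute-force throttle keyed on (IP, user) rather than IP alone (assumed design).

    A single (ip, user) pair is blocked after `pair_limit` recent failures; the
    whole IP is blocked only when recent failures come from `spray_limit` or
    more distinct usernames. A successful login clears that pair's failures, so
    one household member mistyping a password does not lock out everyone
    behind the same NAT address.
    """

    def __init__(self, pair_limit=5, spray_limit=10, window=900, trusted=()):
        self.pair_limit = pair_limit
        self.spray_limit = spray_limit
        self.window = window                      # seconds a failure stays counted
        self.trusted = [ip_network(n) for n in trusted]  # e.g. ("192.168.1.0/24",)
        self.failures = defaultdict(list)         # (ip, user) -> [timestamps]

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]
        return self.failures[key]

    def record_failure(self, ip, user, now=None):
        self.failures[(ip, user)].append(time.time() if now is None else now)

    def record_success(self, ip, user):
        self.failures.pop((ip, user), None)  # correct credentials forgive this pair only

    def is_blocked(self, ip, user, now=None):
        now = time.time() if now is None else now
        if any(ip_address(ip) in net for net in self.trusted):
            return False
        if len(self._recent((ip, user), now)) >= self.pair_limit:
            return True  # this specific user from this IP is being hammered
        spraying = {u for (i, u) in list(self.failures) if i == ip and self._recent((i, u), now)}
        return len(spraying) >= self.spray_limit  # many usernames tried from one IP


def simulate_shared_nat():
    """Two users behind one home IP: alice mistypes three times, bob is unaffected."""
    t = LoginThrottle(pair_limit=3, spray_limit=5)
    for _ in range(3):
        t.record_failure("198.51.100.20", "alice", now=1000)
    return t.is_blocked("198.51.100.20", "alice", now=1001), t.is_blocked("198.51.100.20", "bob", now=1001)
```

Note that a pure per-IP counter would return True for bob as well in the simulation, which is exactly the lockout users are reporting.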
