@gbhackers.com
A massive brute force password attack is currently targeting a wide range of networking devices, including VPNs and firewalls from Palo Alto Networks, Ivanti, and SonicWall. The attack, which began recently, utilizes almost 2.8 million IP addresses in an attempt to guess the credentials for these devices. Once access is gained, threat actors can hijack devices or gain access to entire networks.
A brute force attack involves repeatedly attempting to log into an account or device using numerous username and password combinations until the correct one is discovered. This type of attack highlights the importance of strong, unique passwords and multi-factor authentication to protect sensitive systems and data from unauthorized access. The attack was first reported by BleepingComputer on February 8, 2025.
@cyberalerts.io
The Splunk Threat Research Team has revealed a widespread cyber campaign specifically targeting Internet Service Provider (ISP) infrastructure on the West Coast of the United States and in China. Over 4,000 ISP-related IP addresses were explicitly targeted. This mass exploitation campaign involves the deployment of information stealers and crypto miners on compromised systems.
The attack leverages brute-force tactics against weak credentials to gain initial access to the targeted networks. Once inside, the attackers deploy cryptomining and info-stealing malware. The campaign is believed to have originated from Eastern Europe, highlighting the global nature of cyber threats and the importance of robust security measures for critical infrastructure providers.
SC Staff@scmagazine.com
Hackers are using the FastHTTP library, written in Go, to conduct rapid brute-force password attacks against Microsoft 365 accounts worldwide. These attacks are characterized by generating a high volume of HTTP requests aimed at Azure Active Directory endpoints. The technique leverages the high-performance nature of FastHTTP to accelerate credential-based attacks. SpearTip, an incident response firm, reported that this malicious activity began on January 6th, 2025. Analysis reveals that a significant portion of the attack traffic originates from Brazil, with other countries such as Turkey, Argentina, Uzbekistan, and Pakistan also involved.
These attacks primarily target the Azure Active Directory Graph API, utilizing the 'fasthttp' user agent. While most attempts failed due to authentication failures, locked accounts, and policy violations, a concerning 9.7% of attacks resulted in successful account takeovers. The attacks involved brute-force and multi-factor authentication fatigue attempts. Security experts recommend that administrators promptly assess potential compromises, manually verify user agents through the Azure portal, immediately expire user sessions, and reset account credentials upon detecting any suspicious activity. They also recommend a review of MFA devices linked to potentially compromised accounts.
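The user-agent check recommended above can be scripted against exported sign-in records. The following is an added example written for this page, not code from SpearTip or Microsoft; the log lines are constructed and the field names (user, ip, userAgent, resource, status) are assumptions, not the actual Entra ID export schema.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real log data). Field names are an
# assumption; map them to the real export columns before use.
SAMPLE_LOG = """
{"time": "2025-01-06T02:00:01Z", "user": "alice@example.com", "ip": "203.0.113.10", "userAgent": "fasthttp", "resource": "Azure Active Directory Graph API", "status": "failure", "reason": "invalid password"}
{"time": "2025-01-06T02:00:02Z", "user": "alice@example.com", "ip": "203.0.113.10", "userAgent": "fasthttp", "resource": "Azure Active Directory Graph API", "status": "failure", "reason": "invalid password"}
{"time": "2025-01-06T02:00:03Z", "user": "bob@example.com", "ip": "203.0.113.10", "userAgent": "fasthttp", "resource": "Azure Active Directory Graph API", "status": "failure", "reason": "account locked"}
{"time": "2025-01-06T02:00:04Z", "user": "carol@example.com", "ip": "198.51.100.7", "userAgent": "fasthttp", "resource": "Azure Active Directory Graph API", "status": "success", "reason": ""}
{"time": "2025-01-06T02:00:05Z", "user": "dave@example.com", "ip": "192.0.2.20", "userAgent": "Mozilla/5.0 (Windows NT 10.0)", "resource": "Microsoft Graph", "status": "success", "reason": ""}
{"time": "2025-01-06T02:00:06Z", "user": "dave@example.com", "ip": "192.0.2.20", "userAgent": "Mozilla/5.0 (Windows NT 10.0)", "resource": "Microsoft Graph", "status": "failure", "reason": "invalid password"}
"""

def is_suspicious_agent(user_agent):
    # The campaign described on this page identifies itself with the 'fasthttp' user agent.
    return "fasthttp" in user_agent.lower()

def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def summarize(records):
    """Per source IP: attempt, failure and success counts, and whether a suspicious UA was seen."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "successes": 0, "suspicious_ua": False})
    for r in records:
        s = per_ip[r["ip"]]
        s["attempts"] += 1
        if r["status"] == "success":
            s["successes"] += 1
        else:
            s["failures"] += 1
        if is_suspicious_agent(r["userAgent"]):
            s["suspicious_ua"] = True
    return dict(per_ip)

def brute_force_sources(records, min_failures=2):
    """Source IPs with at least min_failures failed sign-ins using a suspicious UA."""
    return sorted(ip for ip, s in summarize(records).items()
                  if s["suspicious_ua"] and s["failures"] >= min_failures)

def suspected_takeovers(records):
    """Accounts that signed in successfully via a suspicious UA: expire sessions,
    reset credentials and review registered MFA devices for these users."""
    return sorted({r["user"] for r in records
                   if r["status"] == "success" and is_suspicious_agent(r["userAgent"])})

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(recs))
    print("suspected takeovers:", suspected_takeovers(recs))
```

Successful sign-ins from the suspicious user agent are the ones to treat as takeovers even when the same source produced few failures, so the two lists are reported separately.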
@github.com
References: github.com, help.nextcloud.com
Nextcloud users are reporting significant issues with the platform's brute-force protection mechanism, which is designed to safeguard against unauthorized access attempts. Users have been locked out of their servers due to what they believe are false positives. These lockouts occur when the system incorrectly identifies legitimate login attempts or other normal activity as brute-force attacks, causing frustration and disruption for users. The current settings lack the granularity needed to fine-tune the system to prevent these issues, forcing some to completely disable the protection feature, leaving their systems potentially vulnerable.
Some users have cited cases where devices on a home network, sharing a single external IP address, are locked out even when using correct credentials. This highlights a need for the system to better understand normal traffic patterns and distinguish between genuine threats and ordinary usage, particularly in shared IP environments. There are calls to improve the configurability of the brute-force handling, allowing more control over thresholds and behavior. This would help to minimize lockouts, offer more granular user control and ultimately ensure that the brute-force detection mechanism does not impede legitimate users of the Nextcloud platform.