SOS Intelligence has recently seen indications of brute-force login activity against VPN services associated with a customer.  

Our research has linked this activity to an Initial Access Broker (IAB), who has recently released access to a brute force scanning tool through their profile on a high-profile cyber-crime forum. 

Thanks to Daniel, our new Threat Intelligence Analyst who has been investigating this. Future flash alerts and intelligence reports will come from Daniel via email. If you would like to get these, you can sign up here.

The IAB has shared information with our Intelligence Team, showing statistics relating to successful logins they have found whilst scanning VPN networks.

This has highlighted a concerning amount of networks accessible using commonly known default login credentials.  However, the IAB has acknowledged that some of these may represent honeypots.

Source: SOS Intelligence discussion with Bassterlord

Initial Access Brokerage is a common feature of cyber-crime forums.  The individuals concerned involve themselves with the compromise of computer networks. 

Once persistence within the network has been maintained, they monetize that access by selling it within forums, often to actors with access to destructive malware.  Therefore, IAB activity can often be a precursor to Ransomware and/or Data-exfiltration attacks.

Other Discussions identified by the SOS Intelligence Platform related to VPN Provider Scanning

Recommendation

We recommend reviewing any VPN services in use to ensure all default account passwords have been changed, and any built-in accounts have been disabled, in accordance with the best practices of your provider.

At SOS Intelligence we can provide bespoke intelligence feeds to help monitor your data to help you identify when credentials have been leaked and are appearing online, helping you to stay ahead of the attackers and keep your networks safe.

Photo by Kevin Ku on Unsplash