Archive for February 10, 2025

Lee Enterprises Has Apparently Been Pwned

Posted in Commentary with tags on February 10, 2025 by itnerd

It is being reported that newspapers across the country owned by the news media company Lee Enterprises, parent company of more than 70 daily newspapers and nearly 350 weekly and specialty publications in 25 states, were impacted by a cyberattack which made them unable to print newspapers and created problems with their websites.

Erich Kron, security awareness advocate at KnowBe4, commented:

“Although it isn’t officially announced, the symptoms of this attack have all of the signs of a significant ransomware event. Ransomware groups love to target organizations that are time sensitive, and media outlets absolutely fit that description, especially ones that produce a physical product.

Unfortunately, during these attacks cybercriminals very often steal any data they can find that may be useful to sell, or to use as leverage when paying a ransom. This is often going to include employee or customer information, and in the case of media outlets could include sensitive information such as confidential informants and other people who may want to remain anonymous.

Ransomware attacks are often very costly and don’t end with simply paying the ransom. The cybercriminals will often leave back doors in the network that need to be found and removed to ensure the attackers don’t simply reinfect the network, demanding yet another ransom payment. Hiring cybersecurity experts to find and remove back doors can be extremely costly, plus there is the cost of sales and advertising that would be halted while the systems are still down.

Because ransomware is most often spread by targeting employees with social engineering attacks, such as phishing, smishing, or even vishing, it’s critical that organizations not only have technical controls in place, but also have a robust human risk management program as well.”

I was hoping that things would be better in 2025, but given the number of attacks that I am reporting on, it honestly feels worse than 2024. Which means that this is going to be a very long year.

A Massive Brute Force Attack Is Underway

Posted in Commentary with tags on February 10, 2025 by itnerd

A large-scale brute force password attack using almost 2.8 million IP addresses is underway, attempting to guess the credentials for a wide range of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall.

I have commentary on this from a variety of experts. Starting with Erich Kron, Security Awareness Advocate at KnowBe4:

“VPNs are a great target for bad actors because in a corporate world, they can lead to direct access to the network behind the protection of firewalls and other edge security devices. If these bad actors are able to guess or brute force the VPN password, cybercriminals could attempt anything from data theft to ransomware, or more. In many cases, cybercriminals could simply sell this network access to other bad actors as well, pocketing the cash and letting the buyer do whatever nefarious deeds they would like.”

“These types of attacks trying to break into networks through VPNs are often driven by processes such as ‘password spraying,’ which is using a predefined list of simple or common passwords, and a list of known email addresses or usernames, or through ‘credential stuffing,’ which is using a list of usernames and passwords stolen in other data breaches or by tricking employees to give up credentials through fake login portals. The use of MFA, or some other sort of secondary authentication technology, can help stop the ability of bad actors to log in, however, it is not foolproof.”

“By using so many IP addresses that are scattered throughout the globe to carry out these attacks, the cybercriminals can make it extremely difficult for defenders to stop the brute force attacks attempting to pierce the protections put in place by targeted organizations. These source IP addresses are often from individual computers infected with malware, IoT devices that have been compromised, or out of date consumer routers or internet facing devices that attackers have already taken over.”

“These sorts of attacks stress the importance of educating employees about good password hygiene, including not reusing passwords that may have been stolen in other breaches, and the need for a second factor of authentication for any important accounts, especially those that can access the organization from the internet.”

Next up is Chris Hauk, Consumer Privacy Champion at Pixel Privacy:

“Brute force password attacks have long been and will continue to be, a popular method of attacking systems, websites, VPN appliances, and other password-protected devices. While there are more sophisticated ways to perform attacks, hackers depend on the fact that their targets haven’t been kept updated to the latest software, firmware, or operating system versions, or that the device’s logins aren’t protected with two-factor or multi-factor authentication methods.”

Finally we have Brian Higgins, Security Specialist at Comparitech:

“This uptick in high-volume activity is symptomatic of the monetary allure that access dangles in front of cyber-criminal enterprises. Although such a massive brute-force endeavor smacks a little of the old ‘spray and pray’ methodology, the sheer volume and potential value of online targets these days makes the whole thing worthwhile. If anyone still hasn’t switched to Two or Multi Factor authentication or is adamantly clicking ‘ask me later’ when they see an update prompt, then this should be their final warning. There is research that says we will hit 75 billion connected devices in 2025 so Bot-Nets will only get bigger and from a criminal’s point of view, there’s no point letting them sit idle.”

MFA/2FA, or a fully passwordless approach, is no longer optional in light of an attack like this one, because when attacks like this succeed, the consequences for the organization on the receiving end are grave.
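As an added illustration of the patterns Kron and Higgins describe (this is example code written for this post, not anything from KnowBe4, Comparitech or the targeted vendors), the Python below runs a detection pass over a constructed set of VPN authentication log lines. The log format, the field names and the thresholds are assumptions, and the addresses are documentation ranges. It flags the two shapes a defender should look for: one source failing against many usernames (password spraying), and one username failing from many sources, which is what a botnet of millions of addresses looks like per account and why a per-IP lockout alone misses it, plus any login that succeeds on an account under that kind of pressure.

```python
"""Added example: spotting password spraying and distributed brute force in VPN auth logs.

Assumptions (not from the article): a syslog-like line format
'<ISO8601 UTC> vpn auth-ok|auth-fail user=<name> src=<ip>' and the thresholds below.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. One source tries many users (classic spraying), then
# many sources each try the same account once (distributed, lockout-evading),
# followed by a success on that account. Addresses are documentation ranges.
SAMPLE_LOG = """\
2025-02-10T08:00:01Z vpn auth-fail user=alice src=203.0.113.10
2025-02-10T08:00:02Z vpn auth-fail user=bob src=203.0.113.10
2025-02-10T08:00:03Z vpn auth-fail user=carol src=203.0.113.10
2025-02-10T08:00:04Z vpn auth-fail user=dave src=203.0.113.10
2025-02-10T08:05:00Z vpn auth-fail user=admin src=198.51.100.1
2025-02-10T08:06:00Z vpn auth-fail user=admin src=198.51.100.2
2025-02-10T08:07:00Z vpn auth-fail user=admin src=198.51.100.3
2025-02-10T08:08:00Z vpn auth-fail user=admin src=198.51.100.4
2025-02-10T08:09:00Z vpn auth-ok user=admin src=198.51.100.5
2025-02-10T09:30:00Z vpn auth-ok user=alice src=192.0.2.50
this line is not an auth event and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vpn "
    r"auth-(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ok": m["result"] == "ok",
                       "user": m["user"], "src": m["src"]})
    return events


def detect(events, window=timedelta(minutes=15), users_threshold=3, srcs_threshold=3):
    """Sliding-window analysis of authentication failures.

    spray_sources:       one src failing against >= users_threshold distinct users
    distributed_targets: one user failing from >= srcs_threshold distinct sources
                         (per-IP rate limits never fire; per-account counting does)
    suspicious_success:  a login that succeeds while the account is under such pressure
    """
    fails_by_src = defaultdict(list)   # src  -> [(ts, user), ...] inside the window
    fails_by_user = defaultdict(list)  # user -> [(ts, src), ...] inside the window
    spray_sources, distributed_targets, suspicious_success = set(), set(), []

    def trim(entries, now):
        # Drop entries older than the window (events are processed in time order).
        while entries and now - entries[0][0] > window:
            entries.pop(0)

    for e in sorted(events, key=lambda ev: ev["ts"]):
        now, user, src = e["ts"], e["user"], e["src"]
        if not e["ok"]:
            fails_by_src[src].append((now, user))
            fails_by_user[user].append((now, src))
            trim(fails_by_src[src], now)
            trim(fails_by_user[user], now)
            if len({u for _, u in fails_by_src[src]}) >= users_threshold:
                spray_sources.add(src)
            if len({s for _, s in fails_by_user[user]}) >= srcs_threshold:
                distributed_targets.add(user)
        else:
            trim(fails_by_user[user], now)
            recent_srcs = {s for _, s in fails_by_user[user]}
            if len(recent_srcs) >= srcs_threshold:
                suspicious_success.append((user, src, now.isoformat()))

    return {"spray_sources": sorted(spray_sources),
            "distributed_targets": sorted(distributed_targets),
            "suspicious_success": suspicious_success}


if __name__ == "__main__":
    for name, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {hits}")
```

Run it directly to print the findings. In practice you would feed it the appliance's syslog export and alert on distributed_targets and suspicious_success, since those are the cases a per-IP lockout never catches; alice's legitimate login hours later is not flagged because her earlier failures came from a single source and have aged out of the window.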

UPDATE: Darren James, Senior Product Manager at Specops Software, commented:

“Brute Force attacks aren’t usually very sophisticated, but this example does certainly seem to demonstrate a well-planned and determined attack against its potential victims using such a large number of compromised devices based all over the globe.

The benefit of a brute force attack of this nature is that it’s in no hurry to crack the security of a specific individual, but instead targets hundreds, thousands maybe even millions of individual user accounts, trying to connect using a list of already known breached passwords, once it finds a match it might then proceed to deliver a payload or it may just keep that user/password pair to one side to be used later or sold on to the highest bidder.

This process usually takes a lot of time, but by simultaneously using 2.8 million devices they can certainly speed up this type of attack and the amount of positive “hits” they get.

From our own recent research we found that “admin” was still one of the most common base terms used in breach passwords, so it’s vitally important to make sure that the admin interfaces of these VPN and Firewall servers and devices that are being targeted are not using easily guessable passwords or default passwords set by their manufacturers.

Even if those passwords have been changed, organizations should also continuously scan to make certain that the passwords that have been set haven’t themselves become breached.

Implement MFA on these devices. This can be done using RADIUS authentication if there’s no secure built-in 2FA option, and finally consider whether you need to expose the admin interface externally, usually this is not a good idea, but could have been left over from a support session.”
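To make James's points about default and breached admin passwords concrete, here is an added example (written for this post, not Specops tooling) that checks a credential the way a continuous scan would: against a breach corpus indexed by SHA-1 prefix, the k-anonymity layout used by range-query breach services, and against a list of common base terms after undoing the usual character substitutions. The breach corpus, the base-term list, the substitution table and the 15-character minimum are constructed assumptions; a real deployment would query a breached-password feed by hash prefix rather than embed a list.

```python
"""Added example: checking VPN/firewall admin credentials against breach data and
common base terms. The breach corpus below is constructed; a real deployment would
query a breached-password feed by hash prefix (assumption, not any vendor's tooling)."""
import hashlib
import re

# Constructed stand-in for a breached-password corpus.
CONSTRUCTED_BREACHED = ["Admin123!", "Password1", "Welcome2024", "admin", "P@ssw0rd"]

# Base terms any attacker's wordlist will contain (assumed list).
COMMON_BASE_TERMS = ("admin", "password", "welcome", "root", "vpn", "firewall")

# Undo the usual substitutions so "P@ssw0rd" reveals the base term "password".
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "1": "i", "!": "i"})


def build_range_index(passwords):
    """Index SHA-1 digests by their 5-hex-char prefix, the k-anonymity layout used by
    range-query breach services: a lookup reveals only the prefix, never the password."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_breached(password, index):
    """True if the password's SHA-1 suffix appears under its prefix in the index."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


def base_term(password):
    """Lower-case, undo leetspeak, and drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def common_base_terms(password):
    """Sorted list of common base terms hiding inside the password."""
    stripped = base_term(password)
    return sorted(t for t in COMMON_BASE_TERMS if t in stripped)


def evaluate(password, index, min_length=15):
    """Return the reasons a credential should be rotated; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_breached(password, index):
        reasons.append("present in breach corpus")
    terms = common_base_terms(password)
    if terms:
        reasons.append("built on common base term(s): " + ", ".join(terms))
    return reasons


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACHED)
    for candidate in ["Admin123!", "Fir3wall-Admin-2025!", "correct-horse-battery-staple-2025"]:
        print(candidate, "->", evaluate(candidate, index) or ["ok"])
```

The base-term check matters even when the exact string is not in any breach: "Fir3wall-Admin-2025!" is long and unbreached but still reduces to two words every wordlist carries, which is the "admin" problem James describes. Run the scan on a schedule against a current feed so a password that was fine when set is caught once it turns up in a later breach.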

This is also being reported by Bleeping Computer and has been tracked by The Shadowserver Foundation.

UPDATE #2: Lawrence Pingree, VP, Dispersive adds this:

This problem is solved by separating the control plane and data plane for VPNs and transport infrastructure, as we do. A recent analysis of 2024 breaches found that over 56% of enterprises experienced an attack related to their VPNs (report link: https://blog.dispersive.io/vpns-under-siege-2024-cyber-attacks-data-breach-in-review). I do not think most Zero Trust providers are immune to this same style of attack.

TikTok Ban: Cross-Platform Trends in Reach and Engagement

Posted in Commentary with tags on February 10, 2025 by itnerd

Research by the team at SafetyDetectives measured how news of the TikTok ban in the US affected major accounts and analyzed how different strategies led to growth or decline across platforms. Despite the ban being short, they found that the news produced surprising effects. Some of their key findings were:

  • Of the 30 accounts included in their research, half gained followers after January 19, while the rest experienced neither loss nor gain. Of the other 14 accounts that gained followers after the temporary suspension, half are news outlets while high-profile celebrities and brands showed little to no gain.
  • Surprisingly, more accounts suffered engagement losses on Instagram than on TikTok. Accounts lost a combined total of 8.1 million in average likes (versus TikTok’s 7.7 million) and 104,000 in average comments (versus TikTok’s 159,000).
  • Only 8 of the accounts included in their study experienced growth on Facebook during this period, and Amazon was the only one to lose followers, while the rest maintained stability.
  • As on TikTok, none of the accounts included in their study lost followers on YouTube. Not surprisingly, the top 5 accounts include a professional YouTuber, a streamer, and 3 musicians.

The temporary suspension of TikTok highlighted how different platforms, while typically offering the same basic capabilities, won’t necessarily cater to the same categories of content. For creators, brands, and social media managers, this reinforces the importance of understanding your target audience and meeting them where they are.

You can access their report here: https://www.safetydetectives.com/blog/tik-tok-ban-research/

Patch or Perish: Why Vulnerability Management Can’t Wait According To ESET

Posted in Commentary with tags on February 10, 2025 by itnerd

ESET has put up a blog post titled, “Patch or perish: How organizations can master vulnerability management” that I think those who are responsible for patching all the things should read.

Cybercriminals are moving faster than ever, with vulnerability exploitation now a leading cause of ransomware attacks and data breaches. A recent report found that observed cases of vulnerability exploitation tripled in 2023 alone. Yet, with record-high CVEs and shrinking patching windows, many organizations are struggling to keep up.

ESET’s blog post dives into:

  • Why organizations are overwhelmed by a relentless surge in software vulnerabilities
  • The rise of zero-day exploits and perimeter-based attacks
  • How AI-driven threat actors are making patching even more urgent
  • Actionable steps to automate and prioritize vulnerability management

You can read the blog post here.

Bell Sponsors The Commemoration Of The 25th Anniversary of Vince Carter’s Iconic Dunk

Posted in Commentary with tags on February 10, 2025 by itnerd

Bell has announced that it is sponsoring the Toronto Raptors’ commemoration of the 25th anniversary of Vince Carter’s legendary between-the-legs dunk from the 2000 NBA Slam Dunk Contest.

This momentous occasion will be commemorated during a special “GOAT Night” game at Scotiabank Arena this Wednesday, February 12th, featuring the Raptors versus the Cleveland Cavaliers. Bell is presenting this “Dunkaversary,” a tribute to Carter’s enduring legacy and his impact on Toronto basketball.

As part of the sponsorship, Bell has developed an innovative augmented reality (AR) experience, Bell SkySlam. Fans across Canada can use the Raptors App or BellSkySlam.ca to virtually place Carter’s iconic dunk onto any city skyline, experiencing this historic moment in stunning 3D.

You can read the press release here for more details.

Other World Computing (OWC) and ARCHIWARE Partner Up

Posted in Commentary with tags on February 10, 2025 by itnerd

Other World Computing and ARCHIWARE, a leading provider of data management software, today announced a strategic partnership to deliver seamless shared storage, cloning, backup, and archiving for collaborative workflows. Under the terms of the partnership agreement, the ARCHIWARE P5 platform will now be natively integrated with OWC’s Jellyfish Shared Storage for Video Production to enhance collaboration capabilities, ensure data protection, and future-proof asset management.

With the new Jellyfish Manager 3.0, using ARCHIWARE P5 with Jellyfish storage products to protect production data is now easier than ever. Users can install, activate, and launch ARCHIWARE P5 directly within the Jellyfish Manager interface with just a few clicks – no additional P5 server is required. Running natively on all Jellyfish NAS solutions, P5 can be enabled simply by toggling a switch in the Jellyfish Manager. Once activated, users can seamlessly access and manage ARCHIWARE P5 without ever leaving the Jellyfish Manager UI, ensuring a streamlined and efficient workflow.

The Perfect Fit to Keep Your Media Safe and On Hand in A Collaborative Workflow

  • P5 Synchronize clones data from Jellyfish to secondary online storage and creates an identical file system for high availability. If needed, file access is instantaneous without restore.
  • P5 Backup creates security copies of files and projects on disk, LTO or Cloud storage so they can be restored in case of accidental deletion, file corruption, or technical failure. At least one of these periodic security copies can and should be kept offsite, so data is safe even in case of natural disaster.
  • P5 Archive comes in when long-term storage and preservation are required. Archived media and projects are held in the P5 Archive catalog, including previews for visual browsing. User-definable metadata fields and extensive search features make it easy to find relevant media and restore it quickly with just one click.
  • With the P5 Data Mover add-on to P5 Archive, everything archived can be migrated or replicated to different storage at any time. This way, the archive can adapt to changing policies, requirements or price points and stays flexible and future-proof. Like P5 Backup, P5 Archive is compatible with numerous cloud services such as Amazon S3, Glacier, Microsoft Azure, Backblaze, and Wasabi. If you prefer a local archive, you may choose virtually any disk or LTO tape storage on the market.

Jellyfish High-Performance Shared Storage for Modern Post-Production

  • Purpose-built for creative professionals, by post-production professionals, Jellyfish delivers turn-key high-speed production storage optimized for film, television, corporate communication, live events, broadcasting, government, and education.
  • Scalable and versatile shared storage for any workflow – offering HDD, SSD, and all-flash configurations in both desktop and rack-mounted systems. From compact solutions for small teams to petabyte-scale Full Flash and Hybrid options for enterprise and mission-critical applications, Jellyfish adapts to evolving workflow needs.

Want to learn more? Please join this live webinar:

Webinar: Effortless Video Storage and Backup: Jellyfish Manager 3.0 and ARCHIWARE P5 Integration Made Simple

About: With OWC Jellyfish, you don’t need to be an IT expert in order to use shared storage for your video projects. With ARCHIWARE P5, professional backup, archive, and replication are also simplified. P5 and Jellyfish come together in the latest Jellyfish Manager 3.0 release, where P5 is integrated and enabled with a single click. In this webinar, OWC’s Luke Marchant and ARCHIWARE’s David Fox run through the joint solution, showing how to access P5 and explaining some simple archive and replication workflows. Register now for what promises to be a highly informative 40 minutes.

When

Wed, Feb 19, 2025, 2:00 PM – 2:40 PM Central European Time (CET)

Register here: https://register.gotowebinar.com/register/8008420929092270941

Wed, Feb 19, 2025, 1:00 PM – 1:40 PM Eastern Standard Time

Register here: https://register.gotowebinar.com/register/6959993711078798679