Security On-Demand has discovered a Russian based IP performing an active VPN scanning and password spraying campaign. This IP was observed performing this activity as of May 30, 2021. We are taking this opportunity to alert our client base and recommend any preemptive actions to deter or negate any negative outcomes.
Source IP: 18.104.22.168
ISP: Starcrecium Limited
Usage Type: Data Center/Web Hosting/Transit
Domain Name: starcrecium.com
Country: Russian Federation
City: Moscow, Moskva
Per online sources, this IP has been observed performing brute force access attempts on VPN services. This does appear to be an active automated spraying campaign. This spraying campaign is attempting a wide range of user names and passwords in order to either gain access or narrow down any user credentials that may not be secure.
This appears to be a large reconnaissance campaign aimed at collecting login credentials, specifically a large number of events are targeting VPN credentials. It is likely any credentials that have been successfully authenticated against a target environment will be used in a malicious fashion, such as selling the credential information to bad actors, using the credentials in a future network intrusion campaign, or other nefarious activity.
SOD has not seen any instances of the user names being listed in the event logs we have received, which shows no valid user names have been used. However, it only takes one predictable user name/password combination to gain access to a network.
It is recommended to block this IP or the entire subnet address range across all public facing interfaces in order to guarantee there are is successful reconnaissance information gathering or access attempts.
The Security On-Demand Threat Recon Unit will continue to monitor these events and will notify you of any critical updates as more information is provided. Please contact us if you have any questions.