Brute-Force & VPN Attacks on the Rise

Troy Gerrie • July 25, 2024

With the rise in remote work, the sophistication of hacking tools, and the surge in AI, brute-force and VPN attacks are soaring. Since at least March 2024, there has been a global surge in brute-force attacks identified against a variety of targets including VPN services, web application authentication interfaces, and SSH services.


Known Affected Services

  • Cisco Secure Firewall VPN 
  • Check Point VPN
  • Fortinet VPN 
  • SonicWall VPN 
  • RD Web Services
  • Ubiquiti


A Virtual Private Network (VPN) is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.


Current trends indicate that VPN attacks are not only increasing in frequency but also growing in sophistication. The rise in ransomware cases exploiting VPN vulnerabilities, especially following public disclosures, underscores the inherent weaknesses of traditional VPNs. These flaws provide attackers with easy access points to penetrate networks and move laterally, resulting in significant data breaches and operational disruptions.


Progressive organisations are shifting to zero trust architectures to achieve more detailed control and significantly minimise the attack surface. This is achieved by eliminating implicit trust, both within and outside the network perimeter. This approach tackles the immediate weaknesses of traditional VPNs and aligns with a proactive cybersecurity strategy, crucial for adapting to the changing threat landscape. 


A Brute Force Attack is a hacking technique that uses trial and error to crack passwords, login credentials, and encryption keys. The term “brute force” reflects the attackers’ relentless attempts to gain access. Hackers employ computers to test numerous username and password combinations until they find the correct one. 


↓ Downside: An attacker can eventually discover a password through a brute-force attack.


↑ Upside: By following best practices for password creation and storage, it could take years to crack. With a sufficiently long and complex password, there could be trillions of possible combinations, making it extremely difficult for attackers.


Although it is impossible to completely stop these attacks, the following best practices can significantly thwart their efforts and enhance your security posture.


  • Use Strong & Unique Passwords – Passwords should be long and complex, and each account should have a unique password.
  • Limit Login Attempts – Block accounts after “x” number of failed login attempts.
  • Monitor IP Addresses – Block login attempts from suspicious IP addresses.
  • Use Multifactor Authentication (MFA) – Use multiple ways to verify that a user is who they say they are: something you have, something you know, something you are. E.g. password + authenticator app code.
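
The "Limit Login Attempts" and "Monitor IP Addresses" practices above, sketched as an added example (not code from the original post): a Python scan of SSH authentication logs that flags source IPs reaching a failed-login threshold inside a sliding time window. The log lines are constructed, the timestamp format is simplified, and the function name and the threshold of 5 failures in 60 seconds are assumptions standing in for the post's “x”.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (simplified ISO timestamps, documentation-range IPs).
SAMPLE_LOG = """\
2024-07-25T10:00:01 sshd[811]: Failed password for admin from 203.0.113.7 port 50122 ssh2
2024-07-25T10:00:03 sshd[811]: Failed password for root from 203.0.113.7 port 50124 ssh2
2024-07-25T10:00:05 sshd[811]: Failed password for invalid user test from 203.0.113.7 port 50126 ssh2
2024-07-25T10:00:09 sshd[811]: Failed password for admin from 203.0.113.7 port 50130 ssh2
2024-07-25T10:00:12 sshd[811]: Failed password for alice from 198.51.100.20 port 40000 ssh2
2024-07-25T10:00:14 sshd[811]: Failed password for admin from 203.0.113.7 port 50133 ssh2
2024-07-25T10:05:40 sshd[811]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
2024-07-25T10:20:00 sshd[811]: Failed password for alice from 198.51.100.20 port 40100 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def find_offenders(log_text, max_failures=5, window_seconds=60):
    """Return {ip: usernames tried} for each source IP that reaches
    max_failures failed logins within window_seconds of each other."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    users = defaultdict(set)     # ip -> every username that IP attempted
    flagged = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue             # successful logins and other lines are skipped
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, tried in find_offenders(SAMPLE_LOG).items():
        print(f"block candidate {ip}: usernames tried {tried}")
```

A single mistyped password, like the two spaced-out failures from 198.51.100.20 in the sample, stays under the threshold, while one address cycling through several usernames in seconds is flagged.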
