Hello and welcome to the Tuesday, September 19th, 2020,

edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

VPNs have been in the crosshairs of attackers for quite a while now.

Lots of ransomware is getting deployed via weak VPN access passwords.

And well, today I noticed in one of our larger honeypot installs that there is a group of

IP addresses looking for four very specific IP addresses

that are all VPN related.

Now, two of them are fairly generic,

so it wasn't really able to pin down a particular VPN,

even though the fourth one here looks like it's probably

some kind of net scalar remote access product you're

looking for here. There is Global Protect, the Palo Alto VPN, that's sort of on the target list

here, as well as Pulse Connect, which of course is another often targeted VPN product.

What this really means is that, well, if you have a VPN exposed to the world, it will get

discovered.

This particular scan was quite aggressive and probably made it through the internet by now.

All the scans for this particular group did originate from a particular slash 24 that's

geolocated in Russia.

Wouldn't really make too much of the fact that it's geolocated in Russia.

This happens to be sort of an average average low-cost virtual machine, virtual server

provider.

...