Massive Brute-Force Attacks on SSL VPN and RDP Devices from Ukrainian Network FDN3
Summary
Between June and July 2025, the Ukrainian network FDN3 (AS211736) launched large-scale brute-force and password spraying attacks against SSL VPN and RDP devices, peaking between July 6 and 8, 2025. The activity is part of a broader abusive infrastructure spanning several Ukrainian and Seychelles-based networks, including VAIZ-AS (AS61432), ERISHENNYA-ASN (AS210950), and TK-NET (AS210848), which have previously been linked to spam distribution, network attacks, and malware command-and-control hosting. These networks frequently exchange IPv4 prefixes among themselves to evade blocklisting and keep hosting abusive activity; the prefixes involved have ties to known bulletproof hosting providers and have been used for a range of malicious purposes in the past. The techniques observed are consistent with the initial access vectors used by several ransomware-as-a-service (RaaS) groups.
Timeline
- 02.09.2025 13:38 · 1 article
Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices
Between June and July 2025, the Ukrainian network FDN3 (AS211736) conducted extensive brute-force and password spraying attacks on SSL VPN and RDP devices. The activity is part of a broader abusive infrastructure involving multiple Ukrainian and Seychelles-based networks. The attacks peaked between July 6 and 8, 2025, and the techniques used are consistent with those employed by RaaS groups.
Source: Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices · thehackernews.com · 02.09.2025 13:38
Information Snippets
- The Ukrainian network FDN3 (AS211736) conducted brute-force and password spraying attacks on SSL VPN and RDP devices between June and July 2025.
- FDN3 is part of a broader abusive infrastructure involving VAIZ-AS (AS61432), ERISHENNYA-ASN (AS210950), and TK-NET (AS210848).
- These networks often exchange IPv4 prefixes to evade blocklisting and continue hosting abusive activities.
- The attacks peaked between July 6 and 8, 2025, and are consistent with techniques used by RaaS groups.
- The infrastructure has ties to known bulletproof hosting providers and has been used for various malicious activities.

All five snippets first reported 02.09.2025 13:38, from one source and one article: Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices · thehackernews.com · 02.09.2025 13:38
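The summary and the snippets above name two distinct login-failure patterns, password spraying (a few passwords tried against many accounts) and brute force (many attempts against one account), and the two need different detection logic. The following added example, which is not code from the article or from any vendor, shows how to separate them from normalized authentication-failure logs. The two log line formats, the account names, the documentation-range IP addresses, and the window and count thresholds are all constructed for illustration.

```python
"""Classify failed logins as password spraying or brute force, per source IP.

Added example; the log formats below are constructed, not the real output of
any SSL VPN appliance or of a Windows Security event export.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Iterator, NamedTuple

# Constructed sample lines: an SSL VPN syslog style and a flattened Windows
# Security 4625 (logon failure) export. Addresses are documentation ranges.
SAMPLE_LOGS = """\
2025-07-07T02:14:11Z sslvpn: login failed user=alice src=203.0.113.10
2025-07-07T02:14:19Z sslvpn: login failed user=bob src=203.0.113.10
2025-07-07T02:14:27Z sslvpn: login failed user=carol src=203.0.113.10
2025-07-07T02:14:35Z sslvpn: login failed user=dave src=203.0.113.10
2025-07-07T02:14:44Z sslvpn: login failed user=erin src=203.0.113.10
2025-07-07T02:14:52Z sslvpn: login failed user=frank src=203.0.113.10
2025-07-07T02:20:01Z sslvpn: login failed user=alice src=192.0.2.5
2025-07-07T02:20:40Z sslvpn: login failed user=alice src=192.0.2.5
2025-07-07T03:01:02Z win-sec EventID=4625 TargetUserName=administrator IpAddress=198.51.100.7
2025-07-07T03:01:09Z win-sec EventID=4625 TargetUserName=administrator IpAddress=198.51.100.7
2025-07-07T03:01:15Z win-sec EventID=4625 TargetUserName=administrator IpAddress=198.51.100.7
2025-07-07T03:01:22Z win-sec EventID=4625 TargetUserName=administrator IpAddress=198.51.100.7
2025-07-07T03:01:28Z win-sec EventID=4625 TargetUserName=administrator IpAddress=198.51.100.7
2025-07-07T03:01:35Z win-sec EventID=4625 TargetUserName=administrator IpAddress=198.51.100.7
2025-07-07T03:01:41Z win-sec EventID=4625 TargetUserName=administrator IpAddress=198.51.100.7
2025-07-07T03:01:48Z win-sec EventID=4625 TargetUserName=administrator IpAddress=198.51.100.7
2025-07-07T03:01:55Z win-sec EventID=4625 TargetUserName=administrator IpAddress=198.51.100.7
2025-07-07T03:05:00Z win-sec EventID=4624 TargetUserName=alice IpAddress=192.0.2.5
2025-07-07T03:05:30Z sshd[4242]: Accepted publickey for ops from 192.0.2.9
"""

VPN_FAIL = re.compile(r"^(?P<ts>\S+) sslvpn: login failed user=(?P<user>\S+) src=(?P<src>\S+)$")
RDP_FAIL = re.compile(r"^(?P<ts>\S+) win-sec EventID=4625 TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)$")


class Failure(NamedTuple):
    ts: datetime
    src: str
    user: str
    service: str


class Verdict(NamedTuple):
    kind: str            # "password_spray" or "brute_force"
    attempts: int        # failures inside the triggering window
    distinct_users: int  # distinct target accounts inside that window
    first_seen: datetime


def parse_failures(text: str) -> Iterator[Failure]:
    """Yield one Failure per recognised logon-failure line; other lines are skipped."""
    for line in text.splitlines():
        for service, pattern in (("sslvpn", VPN_FAIL), ("rdp", RDP_FAIL)):
            m = pattern.match(line)
            if m:
                ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
                yield Failure(ts, m["src"], m["user"], service)
                break


def classify(failures, window=timedelta(minutes=10), spray_users=5, brute_attempts=8):
    """Per source IP, slide a window over its failures and label the first hit.

    Spraying: many distinct accounts from one source inside the window (a few
    passwords tried against everyone). Brute force: many attempts against one
    account from one source. Thresholds are illustrative; tune to your baseline.
    """
    by_src = defaultdict(list)
    for f in failures:
        by_src[f.src].append(f)
    verdicts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        for i, start in enumerate(events):
            in_win = [e for e in events[i:] if e.ts - start.ts <= window]
            users = Counter(e.user for e in in_win)
            if len(users) >= spray_users:
                verdicts[src] = Verdict("password_spray", len(in_win), len(users), start.ts)
                break
            if users.most_common(1)[0][1] >= brute_attempts:
                verdicts[src] = Verdict("brute_force", len(in_win), len(users), start.ts)
                break
    return verdicts


def analyze(text: str) -> dict:
    """Parse raw log text and return {source_ip: Verdict} for flagged sources."""
    return classify(parse_failures(text))


if __name__ == "__main__":
    for src, v in analyze(SAMPLE_LOGS).items():
        print(f"{src}: {v.kind} ({v.attempts} failures, {v.distinct_users} accounts, "
              f"from {v.first_seen:%H:%M:%S}Z)")
```

Grouping by source IP is the simplest view and matches what the article describes (activity from identifiable FDN3 prefixes), but it misses spraying that is spread thinly across many addresses, which is exactly what prefix swapping between the networks named above makes easy. In production, also pivot by target account across all sources, and tag sources by ASN rather than by individual prefix, so that a prefix moving from one of these networks to another does not fall off the blocklist.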
Similar Happenings
Supply Chain Attack Targeting npm Registry Compromises 40 Packages
A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers (the headline reflects the earlier count of 40). The compromised packages carry a malicious script (bundle.js) that runs on both Windows and Linux, scans the developer's machine for secrets using TruffleHog's credential scanner, and transmits them to an external server controlled by the attackers. Developers who have any of the affected packages installed are advised to audit their environments and rotate credentials.
Akira Ransomware Group Exploits SonicWall SSL VPN Flaws
The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.
Increased browser targeting by threat actors
Threat actors are increasingly targeting web browsers as a primary attack vector. The shift is driven by the browser's central role in accessing sensitive data and cloud applications, which makes it an attractive target for credential theft and session hijacking. High-profile incidents such as the Snowflake breach, which exploited stolen credentials, underscore the risk and the need for stronger browser security. Browser-based attacks include phishing for credentials and sessions, malicious copy and paste (ClickFix), malicious OAuth integrations, malicious browser extensions, malicious file delivery, and the use of stolen credentials where MFA gaps exist. Because these attacks exploit the browser's position in front of business applications and data, security teams need to treat browser security as a first-class concern.
GhostRedirector Campaign Targets Windows Servers with Rungan and Gamshen
A threat cluster named GhostRedirector has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam. The attacks deployed a passive C++ backdoor called Rungan and an IIS module named Gamshen. The threat actor has been active since at least August 2024. The primary goal of the attacks is to manipulate search engine results to boost the ranking of specific websites, including gambling sites. The campaign targets various sectors, including education, healthcare, insurance, transportation, technology, and retail. Initial access is gained through an SQL injection vulnerability, followed by the use of PowerShell to deliver additional tools. The threat actor is assessed with medium confidence to be China-aligned.
Malicious link spreading via Grok AI on X
Threat actors are exploiting X's Grok AI to bypass link posting restrictions and spread malicious links. They hide links in the 'From:' metadata field of video ads, using adult content as bait; when a user asks Grok about the ad, Grok surfaces the hidden link, lending it credibility and reach it would not otherwise have. The technique, dubbed 'Grokking', leads users to sketchy ad networks that push fake CAPTCHA scams, information-stealing malware, and other suspicious content; the domains involved belong to the same Traffic Distribution System (TDS). Hundreds of accounts have engaged in this behavior over the past few days, posting non-stop until they are suspended, and Grok's trusted status on X amplifies the ads to millions of users. Potential solutions include scanning all fields of an ad rather than only the visible ones, blocking hidden links, and improving Grok's context sanitization so that links are filtered and checked against blocklists. Grok's internal security mechanisms are considered less robust than its competitors', leaving it vulnerable to prompt injection, and X's Grok 4 model lacks fine-tuning for security and safety, prioritizing performance over security.
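The mitigations listed above (scan every field, block links that the viewer cannot see, check links against a blocklist) are simple to express as code. The following added example is not X's or Grok's code; the ad record layout including the 'From' metadata key, the set of fields treated as visible, and the blocklist domains are all assumptions constructed for illustration.

```python
"""Find and strip links hidden in non-visible ad fields before an assistant sees them.

Added example, not X's or Grok's code. The ad record layout (including the
'From' metadata key), the visible-field set and the blocklist are assumptions
made for illustration.
"""
import re
from typing import Iterator, Tuple
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Fields a viewer actually sees; a URL anywhere else is treated as hidden.
VISIBLE_FIELDS = {"text", "url"}

# Constructed TDS domains standing in for a real blocklist feed.
BLOCKLIST = {"tds-example.invalid", "promo-redirect.invalid"}

# Constructed ad record: the viewer sees "text" and "url", but the video
# metadata carries a second link that only surfaces when the model is asked.
SAMPLE_AD = {
    "id": "ad-1",
    "text": "Watch the full clip",
    "url": "https://legit-brand.example/landing",
    "media": {
        "type": "video",
        "metadata": {"From": "https://promo-redirect.invalid/r?c=4242", "Title": "clip"},
    },
}


def iter_strings(obj, path=()) -> Iterator[Tuple[str, str]]:
    """Walk nested dicts and lists, yielding (dotted.path, string) for every string leaf."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from iter_strings(value, path + (str(key),))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from iter_strings(value, path + (str(idx),))
    elif isinstance(obj, str):
        yield ".".join(path), obj


def is_blocked(host: str) -> bool:
    """Exact or subdomain match against the blocklist."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def audit_ad(ad: dict) -> list:
    """Report every URL that is hidden (outside VISIBLE_FIELDS) or on the blocklist."""
    findings = []
    for path, value in iter_strings(ad):
        for url in URL_RE.findall(value):
            host = urlsplit(url).hostname or ""
            hidden = path.split(".")[0] not in VISIBLE_FIELDS
            blocked = is_blocked(host)
            if hidden or blocked:
                findings.append({"field": path, "url": url, "hidden": hidden, "blocked": blocked})
    return findings


def strip_hidden_links(obj, path=()):
    """Return a copy of the record with URLs removed from every non-visible field.

    This is the sanitization step: the model may only quote what the viewer
    could already see on the card.
    """
    if isinstance(obj, dict):
        return {k: strip_hidden_links(v, path + (str(k),)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [strip_hidden_links(v, path + (str(i),)) for i, v in enumerate(obj)]
    if isinstance(obj, str) and (not path or path[0] not in VISIBLE_FIELDS):
        return URL_RE.sub("[link removed]", obj)
    return obj


if __name__ == "__main__":
    for f in audit_ad(SAMPLE_AD):
        print(f"{f['field']}: {f['url']} hidden={f['hidden']} blocked={f['blocked']}")
    print(strip_hidden_links(SAMPLE_AD)["media"]["metadata"])
```

The structural rule (no links from fields the viewer cannot see) is the one that generalizes, because a TDS can rotate domains faster than any blocklist is updated; the blocklist is a cheaper second filter on top, useful for catching known-bad links that are placed in the visible fields.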