A recent increase in internet scans targeting devices from Juniper Networks, Cisco Systems, and Palo Alto Networks has raised alarms among network administrators. Security experts are urging swift action to protect these systems, particularly because default credentials are being exploited.
The concerning activity was highlighted by Johannes Ullrich, a dean of research at the SANS Institute. He noted that threat actors were probing for default usernames and passwords associated with Juniper’s Session Smart Networking Platform (SSR). The specific combination being targeted is "t128" for the username and "128tRoutes" for the password. Ullrich expressed disappointment that such basic credentials are still in use for high-value devices, urging administrators who haven’t already done so to change these default settings.
This surge in scanning activity occurred over a week and was characterized as a random probe. Ullrich explained that the attempts would only succeed if the defaults had not been altered. He emphasized that while sophisticated administrators should know better, the persistence of such practices indicates a wider problem.
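As an added illustration (not code from the article or from Ullrich), the following triages authentication logs for logins as the default `t128` account, separating failed probes from the case that matters: a login that succeeded. It assumes the attempts arrive over SSH and are logged in OpenSSH `sshd` syslog format, which the article does not state; the log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict

DEFAULT_USER = "t128"  # default SSR username named in the article

# Assumption: OpenSSH sshd syslog lines; adapt the pattern to your log source.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample lines (documentation IP ranges), not real captures.
SAMPLE_LOG = """\
Mar 24 02:11:07 edge1 sshd[4121]: Failed password for invalid user t128 from 203.0.113.45 port 51122 ssh2
Mar 24 02:11:09 edge1 sshd[4121]: Failed password for invalid user t128 from 203.0.113.45 port 51122 ssh2
Mar 24 02:14:30 edge1 sshd[4188]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar 24 03:02:55 ssr-lab sshd[977]: Failed password for t128 from 198.51.100.7 port 40310 ssh2
Mar 24 03:02:58 ssr-lab sshd[977]: Accepted password for t128 from 198.51.100.7 port 40310 ssh2
"""

def triage(log_text, user=DEFAULT_USER):
    """Return per-source-IP counts of password logins attempted as `user`."""
    findings = defaultdict(
        lambda: {"failed": 0, "accepted": 0, "account_exists": False})
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m or m["user"] != user:
            continue
        entry = findings[m["ip"]]
        entry[m["result"].lower()] += 1
        # sshd logs "invalid user" only when the account does not exist locally
        if not m["invalid"]:
            entry["account_exists"] = True
    return dict(findings)

def severity(entry):
    """Rank a finding: a successful login outranks any number of failures."""
    if entry["accepted"]:
        return "CRITICAL: login succeeded; confirm it was an administrator"
    if entry["account_exists"]:
        return "HIGH: account exists here; confirm the default was changed"
    return "INFO: scan noise; account not present on this host"

if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, entry, severity(entry))
```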
In past years, Juniper faced scrutiny regarding its security practices, especially after acquiring 128 Technology for $450 million. Many default credentials remained unchanged post-acquisition, which Ullrich has documented in his blog.
Adding to these concerns, Cisco Systems customers were recently warned about vulnerabilities in their Smart Licensing Utility software. Ullrich discovered that attempts were being made to exploit unpatched devices, prompting Cisco to advise users to upgrade to secure software releases. This information comes after Cisco disclosed several critical vulnerabilities last September, which may have left many users unaware of their exposure.
There has been ongoing pressure from cybersecurity experts and regulatory bodies to eliminate default passwords. Ullrich pointed out that manufacturers could easily eliminate the need for default passwords, suggesting alternatives such as assigning unique passwords when devices are first set up.
Moreover, researchers at GreyNoise reported a notable increase in scanning activity targeting Palo Alto Networks’ GlobalProtect portals, indicating a possible coordinated effort to identify vulnerabilities. In the past 30 days, almost 24,000 unique IP addresses attempted access, predominantly from the U.S. and Canada, with a peak of nearly 20,000 unique IPs in one day. The researchers speculate that this trend could precede targeted exploitation, emphasizing the need for organizations to secure their login portals.
In summary, this situation highlights an ongoing issue with device security, particularly the dangers posed by default credentials and unpatched vulnerabilities. Organizations are urged to take proactive steps to safeguard their systems against these increasing threats.