Emerging Threats in Cybersecurity: A Deep Dive into Recent Brute-Force Attacks
Introduction to the Threat Landscape
Recent investigations by cybersecurity experts have unveiled significant brute-force and password spraying attacks originating from a Ukrainian IP network. This alarming activity, primarily targeting SSL VPN and Remote Desktop Protocol (RDP) devices, peaked between June and July 2025, as reported by Intrinsec, a cybersecurity firm based in France.
Identifying the Culprits
The source of these attacks has been traced back to a Ukrainian autonomous system known as FDN3 (AS211736). Intrinsec suggests that FDN3 forms part of a broader and concerning infrastructure alongside two other Ukrainian networks: VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950). Additionally, a Seychelles-based system, TK-NET (AS210848), is also linked to these malicious activities.
Networking Maneuvers
These systems were allocated in August 2021, and they frequently move IPv4 prefixes between one another to evade detection and continue their harmful practices. Specifically, AS61432 is currently announcing a single prefix, while AS210950 is announcing two, indicating a coordinated effort to keep the infrastructure operating while obscuring who controls it.
The Web of Connections
Further analysis revealed that the prefixes that moved out of AS61432 and AS210950 are now being routed through various bulletproof and abusive networks linked to multiple shell companies, including Global Internet Solutions LLC and Telkom Internet LTD. This layering enhances the anonymity of those behind the operations and complicates efforts to identify the true actors.
The Scale and Technique of the Attacks
The brute-force attacks observed were extensive, involving attempts to breach SSL VPN and RDP systems. The peak of these activities was recorded between July 6 and 8, 2025, raising concerns about the exposure of internet-facing remote-access services in corporate networks.
Past and Present Links
An interesting aspect of the investigation is the historical connections between some announced prefixes. In particular, several IPv4 prefixes identified in this new wave of attacks had previously been associated with Russian networks, including SibirInvest OOO. Such continuity suggests that these networks are not merely opportunistic but part of a sustained, deliberately maintained abuse infrastructure.
The Role of Ransomware Groups
Brute-force and password spraying techniques have commonly been employed by ransomware-as-a-service (RaaS) groups. Notable among these are Black Basta and RansomHub, which use the same techniques to gain initial access to corporate environments, making these findings all the more pertinent in the modern threat landscape.
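The brute-force and password spraying activity described in the two sections above can be told apart in authentication logs by how failed logins are distributed across usernames: a spray touches many accounts a few times each, while brute force hammers one account. The following detector is an added example, not code from Intrinsec or from the article; the log format, the thresholds and the RFC 5737 addresses in the sample events are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (RFC 5737 documentation addresses, not indicators from the article).
SAMPLE_LOG = """\
2025-07-06T10:00:01Z vpn auth fail user=alice src=198.51.100.7
2025-07-06T10:00:04Z vpn auth fail user=bob src=198.51.100.7
2025-07-06T10:00:07Z vpn auth fail user=carol src=198.51.100.7
2025-07-06T10:00:10Z vpn auth fail user=dave src=198.51.100.7
2025-07-06T10:00:13Z vpn auth fail user=erin src=198.51.100.7
2025-07-06T10:01:00Z rdp auth fail user=admin src=203.0.113.9
2025-07-06T10:01:01Z rdp auth fail user=admin src=203.0.113.9
2025-07-06T10:01:02Z rdp auth fail user=admin src=203.0.113.9
2025-07-06T10:01:03Z rdp auth fail user=admin src=203.0.113.9
2025-07-06T10:01:04Z rdp auth fail user=admin src=203.0.113.9
2025-07-06T10:05:00Z vpn auth fail user=frank src=192.0.2.44
2025-07-06T10:05:30Z vpn auth ok user=frank src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (\S+) auth (fail|ok) user=(\S+) src=(\S+)$")  # assumed format

def parse(log):
    events = []  # (timestamp, service, result, user, src)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return events

def classify_sources(events, window=timedelta(minutes=5), spray_users=5, brute_fails=5):
    """Spray: many distinct usernames, few tries each. Brute-force: one username, many failures."""
    failures = defaultdict(list)  # src -> [(timestamp, user)] for failed logins only
    for ts, _svc, result, user, src in events:
        if result == "fail":
            failures[src].append((ts, user))
    verdicts = {}
    for src, fails in failures.items():
        fails.sort()  # chronological, so each index starts a sliding window
        for i, (start, _) in enumerate(fails):
            in_window = [u for ts, u in fails[i:] if ts - start <= window]
            users = set(in_window)
            if len(users) >= spray_users:
                verdicts[src] = "spray"
                break
            if len(users) == 1 and len(in_window) >= brute_fails:
                verdicts[src] = "brute-force"
                break
    return verdicts
```

Sources that fall below both thresholds, such as the single failure followed by a success in the sample, produce no verdict.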
Operational Overlap and Infrastructure Insights
Additional prefixes announced by FDN3 were previously tied to AS210848, indicating a high degree of operational overlap among these networks. For example, a prefix linked to Bulgarian spam networks underscores the interconnected nature of these malicious entities.
Common Hosting Administrators
The strategic similarities, ranging from configuration setups to hosted content, have led cybersecurity researchers to conclude that these autonomous systems are likely operated by the same bulletproof hosting administrator. Such shared management further complicates efforts to dismantle these networks.
Links to Larger Botnet Operations
Recent investigations into FDN3 draw connections to Alex Host LLC, a Russian company associated with various bulletproof hosting providers. This reveals a larger pattern where offshore ISPs facilitate smaller bulletproof networks through strategic peering agreements.
Advanced Threat Detection
Separately, Censys has discovered an RPX server tied to the PolarEdge botnet, currently operating on over 2,400 hosts. This server, designed to manage the botnet's proxy nodes, gives its operators centralized control over a large pool of proxies, a notable step up in how such botnets are administered.
The Bigger Picture
This investigation sheds light on the ongoing challenges faced by cybersecurity professionals. The role of offshore networks and the anonymity they provide create substantial barriers to accountability and enforcement. As cyber threats evolve, so must the strategies employed to combat them.
In summary, these recent attacks highlight a sophisticated and troubling cyber landscape, with numerous interconnected networks that facilitate widespread criminal activity while remaining frustratingly elusive to authorities. Addressing these emerging threats requires vigilance, advanced detection mechanisms, and coordination among cybersecurity experts globally.