Cybercriminals target weak VPNs and remote access in new offensive

https://www.escudodigital.com/en/cybersecurity/cybercriminals-target-weak-vpns-and-remote-access-in-new-offensive.html

Publish Date: 2026-07-03 01:20:00

Source Domain: www.escudodigital.com

More and more companies are consolidating hybrid and distributed work models, a situation that cybercriminals are taking advantage of by focusing their efforts on locating weak credentials, services exposed to the internet, and poor configurations that allow them to access corporate networks without raising suspicion.

The latest analyses of threats detected during June by Barracuda Research reflect an increasingly repeated pattern: before deploying ransomware, stealing information, or compromising critical infrastructures, criminals first look for an easy entry point.

And, in many cases, that access comes through a poorly protected VPN or remote connections with insufficient security measures.

VPNs remain one of the main targets

Remote access infrastructure continues to attract a large share of intrusion attempts.

During May, there was a 55% increase in “password spraying” attacks from Iran against FortiGate devices intended to protect VPN connections.

This type of attack involves trying a common password on a large number of different accounts.

Unlike traditional brute force, this technique reduces the risk of locking users out due to excessive attempts and increases the chances of finding valid credentials when organizations maintain weak passwords.

Although the detected attempts did not manage to compromise the analyzed systems, they do show that cybercriminals maintain a constant interest in accessing remote access infrastructures to prepare subsequent attacks of greater impact.

LemonDuck turns devices into tools for new attacks

Another identified threat is LemonDuck, a malware specialized in compromising vulnerable devices to use them in illegal cryptocurrency mining campaigns and other criminal activities.

Its operation goes far beyond installing malicious software. Once it gains access to the system, it uses PowerShell to execute hidden scripts that download additional components from servers controlled by the attackers.

Subsequently, it creates persistence mechanisms through scheduled tasks or Windows Management Instrumentation (WMI) events, allowing it to remain active even after system reboots.

In addition to consuming computing resources to generate cryptocurrencies, infected devices become part of a botnet from which new malicious campaigns can be launched against third parties.

GoldBrute exploits exposed remote desktops

The report also highlights the activity of GoldBrute, a bot network specialized in attacking Remote Desktop Protocol (RDP) connections exposed directly to the internet.

This threat automates thousands of authentication attempts using combinations of usernames and passwords until it finds valid credentials.

When it manages to access a system, attackers can move laterally through the network, install malicious software, extract confidential information, or prepare the execution of much more destructive attacks.

The risk increases especially for organizations that leave RDP services accessible from the outside without multi-factor authentication, robust password policies, or IP address access restrictions.

The protection of remote access gains importance

The conclusions of the report show that a significant portion of the incidents detected during the last month shared the same origin: insufficient access controls, remote services visible from the internet, and vulnerable credentials.

Reducing this attack surface involves implementing multifactor authentication, eliminating unnecessarily exposed services, continuously updating security devices, and applying strict password management policies.

In addition, activity on VPN, RDP, and other remote access mechanisms needs to be monitored continuously so that anomalous behavior is detected before attackers manage to consolidate their presence.
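The distinction the article draws between password spraying (one password tried across many accounts, staying under lockout thresholds) and classic brute force, together with the call to monitor VPN and RDP authentication activity, can be turned into a simple detection rule. The following is an added example, not code from the article or from Barracuda; the log format, source addresses and account names are constructed for illustration, and the thresholds are assumptions a team would tune to its own environment.

```python
import re
from collections import defaultdict

# Constructed sample VPN authentication events; format and addresses are assumptions.
SAMPLE_LOG = """\
2026-06-12T03:14:05Z src=203.0.113.10 user=alice result=FAIL
2026-06-12T03:14:06Z src=203.0.113.10 user=bob result=FAIL
2026-06-12T03:14:07Z src=203.0.113.10 user=carol result=FAIL
2026-06-12T03:14:08Z src=203.0.113.10 user=dave result=FAIL
2026-06-12T03:14:09Z src=203.0.113.10 user=erin result=FAIL
2026-06-12T03:14:10Z src=203.0.113.10 user=frank result=SUCCESS
2026-06-12T03:20:01Z src=198.51.100.7 user=admin result=FAIL
2026-06-12T03:20:02Z src=198.51.100.7 user=admin result=FAIL
2026-06-12T03:20:03Z src=198.51.100.7 user=admin result=FAIL
2026-06-12T03:20:04Z src=198.51.100.7 user=admin result=FAIL
2026-06-12T03:20:05Z src=198.51.100.7 user=admin result=FAIL
2026-06-12T08:01:00Z src=192.0.2.44 user=grace result=FAIL
2026-06-12T08:01:30Z src=192.0.2.44 user=grace result=SUCCESS
"""
LINE_RE = re.compile(r"^\S+ src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def classify_sources(events, spray_min_users=5, spray_max_per_user=2, brute_min=5):
    """Label each source IP by the shape of its failed logins.
    spray:       many distinct accounts, few failures each (stays under lockout limits)
    brute_force: one account hit repeatedly (the pattern lockout policies catch)
    benign:      neither pattern (e.g. a user mistyping once)"""
    fails = defaultdict(lambda: defaultdict(int))
    ok = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
        else:
            ok[e["src"]].add(e["user"])
    verdicts = {}
    for src, per_user in fails.items():
        accounts, peak = len(per_user), max(per_user.values())
        if accounts >= spray_min_users and peak <= spray_max_per_user:
            label = "spray"
        elif peak >= brute_min:
            label = "brute_force"
        else:
            label = "benign"
        # A success from an already-flagged source is the "valid credential found" case.
        verdicts[src] = {"label": label, "accounts": accounts, "peak": peak,
                         "success_after_attack": label != "benign" and bool(ok.get(src))}
    return verdicts
```

Run over the constructed sample, the spraying source is flagged even though no single account exceeded one failure, which is exactly what a per-account lockout counter would miss.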

The combination of poorly protected remote access and weak credentials remains one of the preferred methods for cybercriminals to compromise corporate networks.