Ukrainian Network FDN3 Linked to Massive Brute-Force Attacks on SSL VPN and RDP Devices

Cybersecurity researchers have flagged a cluster of IP networks tied to large-scale brute-force and password-spraying activity aimed at exposed SSL VPN and RDP services. The campaigns were observed between June and July 2025 and were attributed to traffic originating from a Ukraine-based autonomous system known as FDN3 (AS211736). Investigators assessed that FDN3 is not operating in isolation, but as part of a broader “abusive infrastructure” that also involves other Ukrainian networks, including VAIZ-AS (AS61432) and ERISHENNYA-ASN (AS210950), plus an offshore autonomous system called TK-NET (AS210848).

What’s driving concern is not just the volume; it’s the operational pattern. Researchers described frequent exchanges of IPv4 prefixes among these networks, a tactic that can help attackers evade blocklists and keep the campaigns running after defenders begin to filter traffic. That kind of infrastructure agility is a hallmark of persistent abuse, where the goal is to maintain uptime for scanning, credential attacks, and follow-on access attempts even when visibility increases.

Brute-force and password spraying remain two of the most common entry points for bigger incidents. Brute-force attempts to guess credentials repeatedly against the same account, while password spraying tries a smaller set of commonly used passwords across many accounts to avoid lockouts. When the targets are internet-facing VPN gateways and RDP endpoints, successful access can quickly translate into lateral movement, data theft, or ransomware deployment.

Why SSL VPN and RDP are prime targets for password spraying

SSL VPN appliances and RDP hosts sit at the front door of many organizations. They are often exposed to the internet for legitimate remote access, they tend to be reachable 24/7, and they frequently rely on username and password authentication that attackers can test at scale. If multi-factor authentication is missing or inconsistently enforced, credential attacks become far more dangerous.

Password spraying is particularly effective against environments with reused credentials, shared accounts, weak password policies, or incomplete account lockout rules. Even when lockouts exist, attackers can rotate IP addresses and spread attempts over time to reduce obvious spikes. That is where the prefix swapping and shifting autonomous systems matter, because they help keep the traffic coming from “new” sources as defenses react.

Once an attacker gains valid credentials, SSL VPN access can provide a direct path into internal networks, while RDP access can land them on a workstation or server with meaningful privileges. From there, attackers typically enumerate systems, look for admin tokens and stored credentials, disable defenses, and expand reach. That is why these campaigns should be treated as more than noise: they can be the first stage of a full breach.

How defenders can reduce risk from large-scale brute-force campaigns

The most reliable mitigation is to reduce reliance on passwords alone. Enforce multi-factor authentication for VPN and remote access, preferably phishing-resistant methods where feasible. Next, restrict exposure: limit who can reach VPN portals and RDP services by using allowlists, zero trust access brokers, or placing RDP behind a VPN rather than exposing it directly to the public internet.

Hardening settings also matters. Enable account lockouts that balance usability with security, add rate-limiting, and monitor for distributed login failures across many accounts, not just repeated failures on one account. Review logs for abnormal authentication patterns, such as repeated attempts from many IPs, sudden spikes in failed logins, or successful logins followed by unusual geolocation changes and new device fingerprints.
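The distinction between per-account failures and distributed failures is easiest to see in code. The following detector is an added example, not part of the article or any vendor tooling; it assumes a simplified, constructed log format of "timestamp user source_ip result" for one time window and shows why a per-account lockout alone misses a spray that touches each account once from a different IP.

```python
from collections import defaultdict

# Constructed sample covering one short window of VPN/RDP auth events.
# The "timestamp user source_ip result" format is an assumption for this example.
SAMPLE_LOG = """\
2025-07-01T10:00:01 alice 203.0.113.5 FAIL
2025-07-01T10:00:02 alice 203.0.113.5 FAIL
2025-07-01T10:00:03 alice 203.0.113.5 FAIL
2025-07-01T10:00:04 alice 203.0.113.5 FAIL
2025-07-01T10:00:05 alice 203.0.113.5 FAIL
2025-07-01T10:01:00 bob 198.51.100.7 FAIL
2025-07-01T10:01:05 carol 198.51.100.8 FAIL
2025-07-01T10:01:10 dave 198.51.100.9 FAIL
2025-07-01T10:01:15 erin 198.51.100.10 FAIL
2025-07-01T10:01:20 frank 198.51.100.11 FAIL
2025-07-01T10:01:25 grace 198.51.100.12 FAIL
2025-07-01T10:02:00 heidi 192.0.2.20 OK
"""

def parse_auth_log(text):
    """Return (user, source_ip, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append((parts[1], parts[2], parts[3]))
    return events

def detect_credential_attacks(events, per_account=5, spray_accounts=5):
    """Classify failures in one window: brute force is many failures on one
    account; spraying is a few failures each across many accounts. A plain
    per-account lockout only reacts to the first pattern."""
    fails = defaultdict(int)  # account -> failed attempts in the window
    fail_ips = set()          # distinct sources behind failures (IP rotation)
    for user, ip, result in events:
        if result == "FAIL":
            fails[user] += 1
            fail_ips.add(ip)
    brute = sorted(u for u, n in fails.items() if n >= per_account)
    low_count = sorted(u for u, n in fails.items() if n < per_account)
    return {
        "brute_force_accounts": brute,
        "spray_detected": len(low_count) >= spray_accounts,
        "spray_accounts": low_count,
        "distinct_failing_ips": len(fail_ips),
    }

if __name__ == "__main__":
    print(detect_credential_attacks(parse_auth_log(SAMPLE_LOG)))
```

Feed the function one lockout-window's worth of events at a time; the spray signal is the count of distinct accounts with sub-threshold failures, and the distinct-IP count shows source rotation that a per-IP rate limit would not catch.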

Finally, keep edge devices patched and reduce attack surface. Disable unused VPN features, remove legacy authentication methods, and audit accounts for weak passwords, stale users, and shared credentials. If you suspect active password spraying, rotate credentials, invalidate sessions, and investigate for post-authentication activity, because the most damaging phase often starts after the first successful login.

In short, this activity is a reminder that remote access security is only as strong as its weakest control. If SSL VPN and RDP are exposed, attackers will test them. The goal is to make sure those tests lead to alerts and blocks, not access.
