173.239.240.145

Summary (Bottom Line Up Front)

IP address 173.239.240.145 conducted a sustained credential attack campaign against SSL VPN infrastructure over 21 days (March 4-25, 2026), generating 3,555 authentication attempts targeting HTTPS services. This represents a MEDIUM threat with potential for unauthorized network access if weak credentials are deployed. Organizations should immediately audit SSL VPN configurations and implement enhanced authentication monitoring.

Tags: TCP, TLS, TLS/1.0, https, https_tls_handshake
Activity Timeline
INITIAL REPORT 2026-03-25T10:16:14Z
Source: Analyst Manual Entry
Technical details
Attack Vector: Sustained brute force authentication attacks against SSL VPN WebVPN interfaces using HTTPS/TLS protocols on port 443.
MITRE Technique: T1110.001 (Password Brute Force).
Volume: 3,555 events over a 21-day period, with 345 high-confidence credential attempts.
Observed Payloads: Username enumeration attempts including the "frontl" and "university" accounts, paired with common passwords such as "Winter2026!" and "Password1".
User Agent: Chrome 143.0.0.0, indicating automated tooling masquerading as legitimate browser traffic.
Target Infrastructure: Cisco ASA SSL VPN WebVPN interfaces with standard login parameters and session cookies.
IOCs
IP: 173.239.240.145
Recommendations
  • Implement account lockout policies and rate limiting on SSL VPN authentication endpoints to prevent brute force attacks
  • Deploy multi-factor authentication (MFA) for all SSL VPN access to mitigate credential-based attacks
  • Monitor authentication logs for repeated failed login attempts and unusual user agent patterns targeting VPN infrastructure
  • Conduct immediate audit of SSL VPN user accounts to identify and remediate weak or default credentials
  • Consider blocking or rate-limiting traffic from IP address 173.239.240.145 pending further investigation
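The monitoring recommendation above (repeated failed logins plus a suspicious user agent from one source) can be turned into a simple sliding-window detector. This is an added example, not part of the report; the log layout is a constructed, simplified one-line-per-attempt format, not the real Cisco ASA WebVPN syslog format, and the sample entries are constructed to mirror the usernames and user agent the report describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "ts src_ip user= ua= result=" layout
# (assumed for this example, not the real Cisco ASA WebVPN syslog format).
SAMPLE_LOG = """\
2026-03-25T10:00:01Z 173.239.240.145 user=frontl ua=Chrome/143.0.0.0 result=FAIL
2026-03-25T10:00:03Z 173.239.240.145 user=university ua=Chrome/143.0.0.0 result=FAIL
2026-03-25T10:00:05Z 173.239.240.145 user=frontl ua=Chrome/143.0.0.0 result=FAIL
2026-03-25T10:00:06Z 173.239.240.145 user=admin ua=Chrome/143.0.0.0 result=FAIL
2026-03-25T10:00:09Z 173.239.240.145 user=university ua=Chrome/143.0.0.0 result=FAIL
2026-03-25T10:00:12Z 10.1.2.3 user=alice ua=Firefox/128.0 result=FAIL
2026-03-25T10:00:20Z 10.1.2.3 user=alice ua=Firefox/128.0 result=OK
2026-03-25T11:30:00Z 10.5.5.5 user=bob ua=Chrome/143.0.0.0 result=FAIL
"""
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) ua=(\S+) result=(\S+)$")

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: {"failures", "users", "agents"}} for each source IP that
    produced at least `threshold` failed logins inside any `window`-long span."""
    failures = defaultdict(list)  # ip -> list of (ts, user, ua) failed attempts
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group(5) != "FAIL":
            continue  # skip malformed lines and successful logins
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        failures[m.group(2)].append((ts, m.group(3), m.group(4)))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = events[start:end + 1]
                flagged[ip] = {
                    "failures": len(burst),
                    # Many distinct usernames from one IP points to spraying/enumeration.
                    "users": sorted({u for _, u, _ in burst}),
                    "agents": sorted({a for _, _, a in burst}),
                }
                break
    return flagged

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

Tune `threshold` and `window` to the VPN's normal failure rate; the single-failure-then-success pattern from 10.1.2.3 is a typical user typo and stays unflagged.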