Cisco warns of password-spraying attacks targeting VPN services

Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.

The company says that the attacks have also been targeting other remote access VPN services and appear to be part of reconnaissance activity.

During a password-spraying attack, an adversary tries the same password with multiple accounts in an attempt to log in.

Cisco’s mitigation guide lists indicators of compromise (IoCs) for this activity to help detect the attacks and block them.

This includes inability to establish VPN connections with Cisco Secure Client (AnyConnect) when Firewall Posture (HostScan) is enabled.

Side-effect of the DoS status imposed by the attacks.
Side-effect of the DoS status caused by the attacks (Cisco)

Another sign is an unusual amount of authentication requests recorded by system logs.

Cisco’s recommendations to defend against these attacks include:

  • Enabling logging to a remote syslog server to improve incident analysis and correlation.
  • Securing default remote access VPN profiles by pointing unused default connection profiles to a sinkhole AAA server to prevent unauthorized access.
  • Leveraging TCP shun to manually block malicious IPs.
  • Configuring control-plane ACLs to filter out unauthorized public IP addresses from initiating VPN sessions.
  • Using certificate-based authentication for RAVPN, which provides a more secure authentication method than traditional credentials.

Links to Brutus botnet

Security researcher Aaron Martin told BleepingComputer that the activity observed by Cisco is likely from an undocumented malware botnet he named ‘Brutus.’ The connection is based on the particular targeting scope and attack patterns.

Martin has published a report on the Brutus botnet describing the unusual attack methods that he and analyst Chris Grube observed since March 15. The report notes that the botnet currently relies on 20,000 IP addresses worldwide, spanning various infrastructures from cloud services to residential IPs.

The attacks that Martin observed initially targeted SSLVPN appliances from Fortinet, Palo Alto, SonicWall, and Cisco but have now expanded to also include web apps that use Active Directory for authentication.

Brutus rotates its IPs every six attempts to evade detection and blocking, while it uses very specific non-disclosed usernames that are not available in public data dumps.

This aspect of the attacks raises concerns about how these usernames were obtained and might indicate an undisclosed breach or exploitation of a zero-day vulnerability.

Though the operators of Brutus are unknown, Martin has identified two IPs that have been associated with past activities of APT29 (Midnight Blizzard, NOBELIUM, Cozy Bear), an espionage threat group believed to work for the Russian Foreign Intelligence Service (SVR).

Related Articles:

New Cisco ASA and FTD features block VPN brute-force password attacks

Volt Typhoon rebuilds malware botnet following FBI disruption

Quad7 botnet targets more SOHO and VPN routers, media servers

New Glove infostealer malware bypasses Chrome’s cookie encryption

North Korean hackers create Flutter apps to bypass macOS security