Blog
>
Cyberthreats
4
 Min read

Persistent Siege: Large-Scale Brute Force Attacks on Cisco ASA SSL WebVPN

Published on 
Jun 4, 2024
Large-Scale Brute Force Attacks on Cisco ASA SSL WebVPN

Since December 2023, we've been closely monitoring large-scale brute force campaigns targeting Cisco ASA SSL WebVPN. By April 2024, Cisco Talos released an advisory detailing these malicious activities, highlighting the severity and persistence of the threat.

Attack Volume

The volume of these attacks, as tracked through Sphere, is significant. The daily attack attempts range from 1,000 to 8,000, indicating a highly active and sustained campaign. This high frequency poses a serious threat as it can potentially brute force RADIUS authentication servers, thereby blocking legitimate users from accessing WebVPN interfaces.

Source IPs

Our analysis shows that the attacks originate from a mix of residential proxies, VPNs, and suspicious hosting providers. This diversity in sources complicates mitigation efforts, as it makes it difficult to pinpoint and block the malicious IPs effectively.

Credentials and Attack Methods

The attackers use automated scripts to carry out these brute force attempts. These scripts first fingerprint WebVPN instances to identify potential targets. The login attempts predominantly use generic credentials such as 'training,' 'vpn,' 'support,' 'backup,' and similar simplistic passwords. This approach suggests the attackers rely on common, weak credentials that might be overlooked or unchanged in some systems.

Current Status

As of June 4, 2024, these attacks are ongoing, indicating that the threat actors remain active and persistent in their efforts.

Indicators of Compromise

For those seeking more detailed information on the malicious indicators involved in these attacks, including IPs, user agents, and specific username/password combinations, please refer to the repository linked below.

https://github.com/ALPHATECHS-AL/cisco_asa_bruteforce_campaigns


Further Reading

For a comprehensive understanding and additional details about these large-scale brute force activities targeting VPNs and recommendations please read the following article:

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

Other Articles

Exploring Leading Vendors’ Hardened OS in Firewalls
Research

Where Firewalls Run

Firewalls are essential security devices that protect networks from unauthorized access and malicious activities. These critical components operate on specialized operating systems (OS) designed to provide robust protection and optimize performance. In this article, we will delve into the world of firewalls and examine the hardened OS employed by some of the industry’s leading vendors. From well-established companies to innovative newcomers, let’s explore where firewalls run and the key characteristics of these operating systems.

Brenton
Brenton
3
 min read
Dec 19, 2023
Delve into our in-depth investigation of FortiOS vulnerability CVE-2024-21762, where we employed reverse analysis techniques to uncover critical flaws
Research

Vulnerability Spotlight: Reverse Analysis of FortiOS Vulnerability CVE-2024-21762 Explained

Delve into our in-depth investigation of FortiOS vulnerability CVE-2024-21762, where we employed reverse analysis techniques to uncover critical flaws

Brenton
Brenton
8
 min read
Dec 19, 2023
An abstract representation of cryptographic concepts, featuring intertwined chains and mathematical symbols, symbolizing the intricate nature of cryptography. The image evokes a sense of progress and advancement, reflecting the dynamic evolution of cryptographic techniques towards enhancing privacy and security.
Research

Towards New Frontiers: Cryptography and Privacy

The evolution of cryptography continues to captivate both experts and enthusiasts alike, especially in light of recent developments surrounding SHA-256 and its resilience against collision attacks. While SHA-256 remains robust for now, the history of cryptography underscores the need for continuous advancement to stay ahead of potential threats. In this dynamic landscape, zero-knowledge proofs (ZK-proofs) emerge as a formidable tool for safeguarding privacy in cryptographic protocols. These techniques allow individuals to assert possession of sensitive information without revealing the information itself, offering enhanced privacy and scalability benefits.

Brenton
Brenton
6
 min read
Dec 19, 2023
SSH Login Attempts Analysis
Cyberthreats

SSH Login Attempts Analysis: A Comprehensive Examination

In cybersecurity, safeguarding systems against unauthorized access is paramount. SSH (Secure Shell) stands as a widely-utilized protocol for remote server and network device access.

Brenton
Brenton
3
 min read
Dec 19, 2023
View all